Analysis Report SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224 (renamed file extension from 24224 to exe)
Analysis ID: 356541
MD5: 060bd14ae501d8dae94cc73672ab195b
SHA1: e16be2044b73bfb717d92d13968eac473d64b8fc
SHA256: 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0

Detection

Raccoon
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: yearofthepig.top Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Virustotal: Detection: 39%
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe ReversingLabs: Detection: 45%
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 5080, type: MEMORY
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 35.2.WerFault.exe.5570000.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.WerFault.exe.51c0000.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.2.WerFault.exe.4da0000.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.WerFault.exe.4b50000.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.WerFault.exe.5280000.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 23.2.WerFault.exe.4c10000.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.WerFault.exe.5830000.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.WerFault.exe.4b40000.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.WerFault.exe.4b70000.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.WerFault.exe.4d00000.6.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004245C3 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,LdrInitializeThunk,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 0_2_004245C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_00424796 lstrlenW,lstrlenW,LdrInitializeThunk,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 0_2_00424796
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0040A7BA GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,LdrInitializeThunk,CryptUnprotectData, 0_2_0040A7BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0040C9A1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,LdrInitializeThunk,LdrInitializeThunk,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 0_2_0040C9A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0040AEC3 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 0_2_0040AEC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0040B8C4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,LdrInitializeThunk,LdrInitializeThunk,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 0_2_0040B8C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0040A1F6 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 0_2_0040A1F6

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe.400000.0.unpack
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 95.216.186.40:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.50.15:443 -> 192.168.2.5:49716 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350839595.0000000004B30000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371822945.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398217948.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb+ source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb9 source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: combase.pdb< source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000003.00000003.235253390.0000000005812000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250493943.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268347704.0000000004C62000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282356924.0000000004BE2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305142521.0000000004D82000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325132272.0000000004CD2000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425355601.0000000005452000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb'c source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbG source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdbf source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbO source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbN source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbC source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb# source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb! source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: nsi.pdbJ source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: combase.pdbK source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000003.00000003.235287111.0000000005815000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250493943.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268391034.0000000004C66000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282634329.0000000004BE6000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305406396.0000000004D86000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325132272.0000000004CD2000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425556004.0000000005458000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb$D source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdbQ source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbo source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbM source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb5%n source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdbO source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb7 source: WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb1 source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdbWR source: WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbv source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb' source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbD source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbC source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb] source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb+ source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb/ source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbv source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000003.00000003.231379892.00000000053DC000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.278482644.000000000488F000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.318627812.000000000478C000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdbH source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb) source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb[ source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.231387583.00000000034DF000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.264539646.0000000002920000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.277504220.000000000293C000.00000004.00000001.sdmp
Source: Binary string: webio.pdbe source: WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: combase.pdb} source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdbc source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb; source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.235287111.0000000005815000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250493943.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268347704.0000000004C62000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282356924.0000000004BE2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305406396.0000000004D86000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325132272.0000000004CD2000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425355601.0000000005452000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbq source: WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbi source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdbW source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb<D source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbJ source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb% source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.235282719.0000000005810000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250520457.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268384446.0000000004C60000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282622487.0000000004BE0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305382541.0000000004D80000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325268096.0000000004CD0000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425541698.0000000005450000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbM source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.235282719.0000000005810000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250520457.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268384446.0000000004C60000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282622487.0000000004BE0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305382541.0000000004D80000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325268096.0000000004CD0000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425541698.0000000005450000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 0_2_0043E387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown DNS traffic detected: queries for: tttttt.me
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518113700.000000004C230000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518113700.000000004C230000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518260751.000000004C2A4000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518113700.000000004C230000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518113700.000000004C230000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518260751.000000004C2A4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518113700.000000004C230000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518260751.000000004C2A4000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518260751.000000004C2A4000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0_dllZM
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0dy
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0e__
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0ueryeM
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0wi
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.491078139.000000004C231000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0_vL
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000003.409373339.000000004C24A000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown HTTPS traffic detected: 95.216.186.40:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.50.15:443 -> 192.168.2.5:49716 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004266C0 GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,LdrInitializeThunk,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 0_2_004266C0

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 5080, type: MEMORY

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 004102CD appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 0044EE89 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 0043FC0D appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 004677E0 appears 90 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 760
PE file contains more sections than normal
Source: sqlite3.dll.0.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506161351.0000000000C90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518373350.000000004C330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506026021.0000000000BF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506200301.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506232911.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@11/46@3/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_00438121 LdrInitializeThunk,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,LdrInitializeThunk,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 0_2_00438121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0042488A CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 0_2_0042488A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5080
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER231.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sqlite3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Virustotal: Detection: 39%
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe ReversingLabs: Detection: 45%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 760
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 780
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 776
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 984
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1196
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 724
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1268
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1316
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 964
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbI source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbY source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbgJ source: WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbq source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbA source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbq source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdbu source: WerFault.exe, 00000023.00000003.425541698.0000000005450000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbw source: WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: webio.pdb.D source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbW source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdbv source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb: source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb#%| source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb? source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdbe source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbJ source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbA source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdbI source: WerFault.exe, 0000000B.00000003.282622487.0000000004BE0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305382541.0000000004D80000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb"D source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb9 source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbm source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdbaR source: WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000003.00000003.235287111.0000000005815000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250493943.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268347704.0000000004C62000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282356924.0000000004BE2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305406396.0000000004D86000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325132272.0000000004CD2000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425355601.0000000005452000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdbJ source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.235282719.0000000005810000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250520457.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268384446.0000000004C60000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282622487.0000000004BE0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305382541.0000000004D80000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325268096.0000000004CD0000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425541698.0000000005450000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: combase.pdb:D source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdbK source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb9%b source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbr source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350839595.0000000004B30000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371822945.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398217948.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb+ source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb9 source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: combase.pdb< source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000003.00000003.235253390.0000000005812000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250493943.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268347704.0000000004C62000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282356924.0000000004BE2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305142521.0000000004D82000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325132272.0000000004CD2000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425355601.0000000005452000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb'c source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbG source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdbf source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbO source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbN source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbC source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb# source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb! source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: nsi.pdbJ source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: combase.pdbK source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000003.00000003.235287111.0000000005815000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250493943.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268391034.0000000004C66000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282634329.0000000004BE6000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305406396.0000000004D86000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325132272.0000000004CD2000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425556004.0000000005458000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb$D source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdbQ source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbo source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbM source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb5%n source: WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdbO source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb7 source: WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000003.00000003.235263090.0000000005818000.00000004.00000040.sdmp, WerFault.exe, 00000006.00000003.250499870.00000000051A9000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb1 source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdbWR source: WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.235233643.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.250476468.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.268334390.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282462854.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.305249633.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.325190194.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.350740368.00000000049E1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.371701639.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.398096900.0000000004C11000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.425443165.0000000005481000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbv source: WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb' source: WerFault.exe, 00000009.00000003.268398330.0000000004C69000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbD source: WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbC source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.282495315.0000000004BE9000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.305428637.0000000004D89000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.325148264.0000000004CD9000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.371639824.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.398018831.0000000004DB8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.425380083.000000000545B000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb] source: WerFault.exe, 0000001A.00000003.350666037.0000000004B37000.00000004.00000040.sdmp
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.yodoje:W;.kemafuy:W;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042495F
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: section name: .yodoje
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: section name: .kemafuy
Source: sqlite3.dll.0.dr Static PE information: section name: /4
Source: sqlite3.dll.0.dr Static PE information: section name: /19
Source: sqlite3.dll.0.dr Static PE information: section name: /31
Source: sqlite3.dll.0.dr Static PE information: section name: /45
Source: sqlite3.dll.0.dr Static PE information: section name: /57
Source: sqlite3.dll.0.dr Static PE information: section name: /70
Source: sqlite3.dll.0.dr Static PE information: section name: /81
Source: sqlite3.dll.0.dr Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004400B4 push ecx; ret 0_2_004400C6
Source: initial sample Static PE information: section name: .text entropy: 7.82132041146

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0041AE8D SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041AE8D
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe TID: 5788 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 0_2_0043E387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_00436ACF _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518373350.000000004C330000.00000002.00000001.sdmp, WerFault.exe, 00000003.00000002.241400819.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.256676281.0000000005250000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.273258271.0000000004CF0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.288669500.00000000048C0000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.313093220.0000000004E30000.00000002.00000001.sdmp, WerFault.exe, 00000017.00000002.331531002.0000000004990000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.357649090.0000000004750000.00000002.00000001.sdmp, WerFault.exe, 0000001D.00000002.383795740.0000000005380000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.406817047.0000000004E40000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.432959118.0000000005130000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518373350.000000004C330000.00000002.00000001.sdmp, WerFault.exe, 00000003.00000002.241400819.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.256676281.0000000005250000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.273258271.0000000004CF0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.288669500.00000000048C0000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.313093220.0000000004E30000.00000002.00000001.sdmp, WerFault.exe, 00000017.00000002.331531002.0000000004990000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.357649090.0000000004750000.00000002.00000001.sdmp, WerFault.exe, 0000001D.00000002.383795740.0000000005380000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.406817047.0000000004E40000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.432959118.0000000005130000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518373350.000000004C330000.00000002.00000001.sdmp, WerFault.exe, 00000003.00000002.241400819.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.256676281.0000000005250000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.273258271.0000000004CF0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.288669500.00000000048C0000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.313093220.0000000004E30000.00000002.00000001.sdmp, WerFault.exe, 00000017.00000002.331531002.0000000004990000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.357649090.0000000004750000.00000002.00000001.sdmp, WerFault.exe, 0000001D.00000002.383795740.0000000005380000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.406817047.0000000004E40000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.432959118.0000000005130000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.518373350.000000004C330000.00000002.00000001.sdmp, WerFault.exe, 00000003.00000002.241400819.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.256676281.0000000005250000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.273258271.0000000004CF0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.288669500.00000000048C0000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.313093220.0000000004E30000.00000002.00000001.sdmp, WerFault.exe, 00000017.00000002.331531002.0000000004990000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.357649090.0000000004750000.00000002.00000001.sdmp, WerFault.exe, 0000001D.00000002.383795740.0000000005380000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.406817047.0000000004E40000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.432959118.0000000005130000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004083F2 LdrInitializeThunk,std::exception::exception, 0_2_004083F2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0045C2E6 IsDebuggerPresent,OutputDebugStringW, 0_2_0045C2E6
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042495F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_00446991 mov eax, dword ptr fs:[00000030h] 0_2_00446991
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0040A3FB GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_0040A3FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004402A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004402A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004463B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004463B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_00440406 SetUnhandledExceptionFilter, 0_2_00440406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004405C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004405C8
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506365519.0000000001280000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506365519.0000000001280000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506365519.0000000001280000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506365519.0000000001280000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000000.00000002.506365519.0000000001280000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004400C8 cpuid 0_2_004400C8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,LdrInitializeThunk,LdrInitializeThunk,CreateThread,CreateThread,CreateThread,CreateThread,LdrInitializeThunk,LdrInitializeThunk,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,LdrInitializeThunk,LdrInitializeThunk,CoUninitialize, 0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00462121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: EnumSystemLocalesW, 0_2_00458367
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 0_2_0046231C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: EnumSystemLocalesW, 0_2_004623C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: LdrInitializeThunk,EnumSystemLocalesW, 0_2_0046240E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: LdrInitializeThunk,EnumSystemLocalesW, 0_2_004624A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00462534
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 0_2_00462787
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: LdrInitializeThunk,GetLocaleInfoW,LdrInitializeThunk,GetLocaleInfoW,GetACP, 0_2_004628AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 0_2_00458994
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: LdrInitializeThunk,GetLocaleInfoW, 0_2_004629B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00462A82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_00440470 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00440470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0042693B CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,LdrInitializeThunk,LdrInitializeThunk,CreateThread,CreateThread,CreateThread,CreateThread,LdrInitializeThunk,LdrInitializeThunk,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,LdrInitializeThunk,LdrInitializeThunk,CoUninitialize, 0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_004364C1 GetTimeZoneInformation,LdrInitializeThunk,std::ios_base::_Ios_base_dtor, 0_2_004364C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 5080, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 5080, type: MEMORY

Behavior Graph

ID: 356541
Sample: SecuriteInfo.com.Trojan.Gen...
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 92

Signatures:
  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for submitted file
  • Yara detected Raccoon Stealer
  • Machine Learning detection for sample

Process: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe (started)

DNS/IP Info:
  • yearofthepig.top 172.67.199.58, 443, 49708 CLOUDFLARENETUS United States
  • tttttt.me 95.216.186.40, 443, 49705 HETZNER-ASDE Germany
  • 104.21.50.15, 443, 49716 CLOUDFLARENETUS United States

Dropped file:
  • C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32

Process signatures:
  • Detected unpacking (changes PE section rights)
  • Detected unpacking (overwrites its own PE header)
  • Tries to steal Mail credentials (via file access)
  • Tries to harvest and steal browser information (history, passwords, etc)

Child processes:
  • WerFault.exe (started)
  • WerFault.exe (started)
  • WerFault.exe (started)
  • 7 other processes

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name         Malicious
95.216.186.40  unknown  Germany        24940  HETZNER-ASDE     false
104.21.50.15   unknown  United States  13335  CLOUDFLARENETUS  false
172.67.199.58  unknown  United States  13335  CLOUDFLARENETUS  true

Contacted Domains

Name IP Active
tttttt.me 95.216.186.40 true
yearofthepig.top 172.67.199.58 true