Analysis Report SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Analysis ID: 356541
MD5: 060bd14ae501d8dae94cc73672ab195b
SHA1: e16be2044b73bfb717d92d13968eac473d64b8fc
SHA256: 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0

Detection

Raccoon
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Virustotal: Detection: 39%
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe ReversingLabs: Detection: 45%
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 7140, type: MEMORY
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.WerFault.exe.4dd0000.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.WerFault.exe.4b00000.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.WerFault.exe.5af0000.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.WerFault.exe.5500000.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.WerFault.exe.53f0000.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.WerFault.exe.5080000.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 38.2.WerFault.exe.5890000.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.WerFault.exe.4980000.7.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004245C3 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 2_2_004245C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00424796 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 2_2_00424796
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040A7BA GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 2_2_0040A7BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040CBD7 wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 2_2_0040CBD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040AEC3 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 2_2_0040AEC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040B8C4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 2_2_0040B8C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040A1F6 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 2_2_0040A1F6

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Unpacked PE file: 2.2.SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe.400000.0.unpack
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 95.216.186.40:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.50.15:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.50.15:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.6:49773 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbB source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb) source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: ktmw32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb- source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb9 source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb?): source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb\t source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.336559037.00000000009AF000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.387887625.0000000000A3D000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.413748907.0000000000DEC000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdba source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbS source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb9)< source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.342466709.0000000004BD2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422145190.0000000002F72000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb? source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb% source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbn source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb. source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667327807.000000006F409000.00000002.00020000.sdmp
Source: Binary string: bcrypt.pdb5 source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.2.dr
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb} source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbp{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: combase.pdbB{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb0K source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdbs source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb# source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbE source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdbs source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbtt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdblK0 source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: userenv.pdby source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: nsi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbs source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667327807.000000006F409000.00000002.00020000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdbN source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb<K source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbG source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb| source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: shlwapi.pdbP source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdb3)6 source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbE source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb[ source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbH source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbGs source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbV source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbw source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.2.dr
Source: Binary string: profapi.pdbV source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb% source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbj{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.2.dr
Source: Binary string: winhttp.pdbU source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000006.00000003.342466709.0000000004BD2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422145190.0000000002F72000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb_ source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbVt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbnt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdbBK source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627922903.000000004C445000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: profapi.pdbD{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb% source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb6K source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdbI source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdbH source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb& source: WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb!)$ source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb')" source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.2.dr
Source: Binary string: shlwapi.pdbf{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbt source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbR source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdbQ source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbH{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbzt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbB source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbk source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb" source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbPt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdbK source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbl{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000006.00000003.337190250.000000000484E000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.352500645.0000000000DDB000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.372455582.0000000004F9C000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.389344848.00000000049DE000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.436092063.000000000551B000.00000004.00000001.sdmp
Source: Binary string: msvcr100.i386.pdb! source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbZ source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.2.dr
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.336559037.00000000009AF000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.387887625.0000000000A3D000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.413748907.0000000000DEC000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb# source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: dpapi.pdbrK> source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbHK source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbm source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb-)( source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb% source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbW source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.2.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbJt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: webio.pdbx source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: webio.pdbk source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb` source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb\ source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbht source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbj source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdba source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb" source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb~{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: webio.pdbI source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbr source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdbbt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbg source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbSs source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
Source: Binary string: fltLib.pdbV{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbO source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbZK& source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb\ source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb2 source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 2_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 2_2_0043E387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00434FF1 GetLogicalDriveStringsA, 2_2_00434FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: iplogger.org
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 23 Feb 2021 09:04:52 GMTContent-Type: application/octet-streamContent-Length: 2815200Connection: keep-aliveKeep-Alive: timeout=60Last-Modified: Tue, 23 Feb 2021 08:47:08 GMTETag: "2af4e0-5bbfcf6a9b9cb"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1e f7 32 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 50 00 00 00 08 00 00 00 00 00 00 58 e0 48 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 73 00 00 04 00 00 74 3a 2b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3a c0 00 00 50 00 00 00 00 e0 00 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 be 2a 00 e0 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 00 60 00 00 00 20 00 00 00 2a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 20 20 20 20 e8 05 00 00 00 80 00 00 00 04 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 0c 00 00 00 00 a0 00 00 00 02 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 64 61 74 61 00 00 00 20 00 00 00 c0 00 00 00 02 00 00 00 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 20 00 00 00 e0 00 00 00 06 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 68 65 6d 69 64 61 00 e0 47 00 00 00 01 00 00 00 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 e0 2e 62 6f 6f 74 00 00 00 00 82 2a 00 00 e0 48 00 00 82 2a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /miner_scrooges.exe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.103.94.2
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 95.216.186.40 95.216.186.40
Source: Joe Sandbox View IP Address: 104.21.50.15 104.21.50.15
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown TCP traffic detected without corresponding DNS query: 94.103.94.2
Source: global traffic HTTP traffic detected: GET /miner_scrooges.exe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.103.94.2
Source: unknown DNS traffic detected: queries for: tttttt.me
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://94.103.94.2/miner_scrooges.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://94.103.94.2/miner_scrooges.exe201d
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp, XObEdOuQjV.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp, XObEdOuQjV.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp, XObEdOuQjV.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.644981059.0000000000C3B000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.cr
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.644981059.0000000000C3B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: nss3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp, XObEdOuQjV.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp, XObEdOuQjV.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0P
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0#
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667327807.000000006F409000.00000002.00020000.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627962588.000000004C45A000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: http://www.mozilla.com0
Source: sqlite3.dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663596917.0000000000BA2000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.628092792.0000000000C31000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663634418.0000000000BC6000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: RYwTiizs2t.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: RYwTiizs2t.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.628016845.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: XObEdOuQjV.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594407583.0000000000BE0000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.529969412.0000000000C1E000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: RYwTiizs2t.2.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RYwTiizs2t.2.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.538593530.0000000000C04000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.529911532.0000000000C31000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.538593530.0000000000C04000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.529911532.0000000000C31000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://tlgr.org/img/t_logo.png
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663596917.0000000000BA2000.00000004.00000001.sdmp String found in binary or memory: https://tttttt.me/h_scroogenews_1
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.644981059.0000000000C3B000.00000004.00000001.sdmp, nss3.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: RYwTiizs2t.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.644887582.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top/
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594468632.0000000000BC6000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top//l/f/lxwhzncBuI_ccNKoCuGJ/b7b57553476201d30df84e5e9cd9e955ae47aaaf
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top//l/f/lxwhzncBuI_ccNKoCuGJ/ff3e513855a6f44e51c42364424f5f0065547d18
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.628016845.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top//l/f/lxwhzncBuI_ccNKoCuGJ/ff3e513855a6f44e51c42364424f5f0065547d181
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.644887582.0000000000BD3000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top/M
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top/P
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: https://yearofthepig.top/error.php
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 95.216.186.40:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.50.15:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.50.15:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.6:49773 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004266C0 GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 2_2_004266C0

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 7140, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0041A4E6 2_2_0041A4E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00436680 2_2_00436680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040A7BA 2_2_0040A7BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042495F 2_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042693B 2_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00436ACF 2_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040AEC3 2_2_0040AEC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0041AE8D 2_2_0041AE8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00435576 2_2_00435576
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0043D521 2_2_0043D521
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040D5AD 2_2_0040D5AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0041B83F 2_2_0041B83F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040B8C4 2_2_0040B8C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040DC7B 2_2_0040DC7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00413FD7 2_2_00413FD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0045A249 2_2_0045A249
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0044824A 2_2_0044824A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0044A210 2_2_0044A210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0045A369 2_2_0045A369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004644EB 2_2_004644EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004144A8 2_2_004144A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042865E 2_2_0042865E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004187C0 2_2_004187C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00412930 2_2_00412930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004889E8 2_2_004889E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0043C990 2_2_0043C990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00414B7F 2_2_00414B7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00442BF0 2_2_00442BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0045CD9E 2_2_0045CD9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00419003 2_2_00419003
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0044D028 2_2_0044D028
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 0044EE89 appears 50 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 00440070 appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: String function: 004677E0 appears 114 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 764
PE file contains more sections than normal
Source: sqlite3.dll.2.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627922903.000000004C445000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667229852.000000006E40B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667387034.000000006F412000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665158573.0000000003360000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665158573.0000000003360000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.664917070.0000000003260000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665458280.000000004B9C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@11/101@6/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00438121 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 2_2_00438121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042488A CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 2_2_0042488A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuengi(
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\Local\Temp\XObEdOuQjV.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Virustotal: Detection: 39%
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe ReversingLabs: Detection: 45%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 764
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 764
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 908
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 880
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 952
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1200
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1340
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1316
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbB source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb) source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: ktmw32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb- source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb9 source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb?): source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb\t source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.336559037.00000000009AF000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.387887625.0000000000A3D000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.413748907.0000000000DEC000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdba source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbS source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb9)< source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.342466709.0000000004BD2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422145190.0000000002F72000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb? source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb% source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbn source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb. source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667327807.000000006F409000.00000002.00020000.sdmp
Source: Binary string: bcrypt.pdb5 source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.2.dr
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb} source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbp{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: combase.pdbB{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb0K source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdbs source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb# source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbE source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdbs source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbtt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdblK0 source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: userenv.pdby source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: nsi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbs source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667327807.000000006F409000.00000002.00020000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdbN source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb<K source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbG source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb| source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: shlwapi.pdbP source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdb3)6 source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbE source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb[ source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbH source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbGs source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbV source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbw source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.2.dr
Source: Binary string: profapi.pdbV source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb% source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbj{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.2.dr
Source: Binary string: winhttp.pdbU source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000006.00000003.342466709.0000000004BD2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377466481.00000000053D2000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393356164.0000000004DB2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422145190.0000000002F72000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb_ source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbVt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbnt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdbBK source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.667121075.000000006E3D0000.00000002.00020000.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.627922903.000000004C445000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: profapi.pdbD{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb% source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb6K source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdbI source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdbH source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb& source: WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb!)$ source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb')" source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.2.dr
Source: Binary string: shlwapi.pdbf{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbt source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbR source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdbQ source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbH{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbzt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbB source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbk source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb" source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbPt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdbK source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbl{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000006.00000003.337190250.000000000484E000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.352500645.0000000000DDB000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.372455582.0000000004F9C000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.389344848.00000000049DE000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.436092063.000000000551B000.00000004.00000001.sdmp
Source: Binary string: msvcr100.i386.pdb! source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbZ source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.2.dr
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.336559037.00000000009AF000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.387887625.0000000000A3D000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.413748907.0000000000DEC000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb# source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.342505805.0000000004BD5000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356525915.0000000004A32000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377546761.00000000053D6000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393459283.0000000004DB6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422301351.0000000002F76000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.450987054.0000000005AD6000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481443822.0000000005411000.00000004.00000001.sdmp, WerFault.exe, 00000026.00000003.516983611.00000000059B1000.00000004.00000001.sdmp
Source: Binary string: dpapi.pdbrK> source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbHK source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbm source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb-)( source: WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb% source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbW source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.2.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbJt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: webio.pdbx source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: webio.pdbk source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb` source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb\ source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbht source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbj source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdba source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb" source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb~{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: webio.pdbI source: WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbr source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdbbt source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbg source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbSs source: WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.342501209.0000000004BD0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356583602.0000000004A30000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377530397.00000000053D0000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393530166.0000000004DB0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422389368.0000000002F70000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451142915.0000000005AD0000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
Source: Binary string: fltLib.pdbV{ source: WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbO source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbZK& source: WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.342444831.0000000004C01000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.356509570.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377439713.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.393439066.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.422252825.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.447587013.00000000059B1000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.481600057.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.517105427.0000000005980000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb\ source: WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb2 source: WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000006.00000003.342473459.0000000004BD8000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.356601334.0000000004A39000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.377481712.00000000053D9000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.393471888.0000000004DB9000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.422427244.0000000002F79000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.451009623.0000000005AD9000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.481336454.00000000053E8000.00000004.00000040.sdmp, WerFault.exe, 00000026.00000003.516879428.0000000005988000.00000004.00000040.sdmp
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Unpacked PE file: 2.2.SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.yodoje:W;.kemafuy:W;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Unpacked PE file: 2.2.SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 2_2_0042495F
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: section name: .yodoje
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Static PE information: section name: .kemafuy
Source: sqlite3.dll.2.dr Static PE information: section name: /4
Source: sqlite3.dll.2.dr Static PE information: section name: /19
Source: sqlite3.dll.2.dr Static PE information: section name: /31
Source: sqlite3.dll.2.dr Static PE information: section name: /45
Source: sqlite3.dll.2.dr Static PE information: section name: /57
Source: sqlite3.dll.2.dr Static PE information: section name: /70
Source: sqlite3.dll.2.dr Static PE information: section name: /81
Source: sqlite3.dll.2.dr Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004400B4 push ecx; ret 2_2_004400C6
Source: initial sample Static PE information: section name: .text entropy: 7.82132041146

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\MapiProxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\softokn3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\IA2Marshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\nss3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\nssckbi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\nssdbm3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\ldif60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\lgpllibs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\mozMapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\freebl3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\prldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\ldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\qipcap.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\ucrtbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\breakpadinjector.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\mozglue.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\Local\Temp\XObEdOuQjV.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\AccessibleHandler.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File created: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-localization-l1-2-0.dll

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0041AE8D SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041AE8D
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\MapiProxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\softokn3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\IA2Marshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\nssckbi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\nssdbm3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\ldif60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\lgpllibs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\mozMapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\freebl3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\prldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\libEGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\AccessibleMarshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\ldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\qipcap.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\breakpadinjector.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\mozMapi32_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\XObEdOuQjV.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\AccessibleHandler.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe TID: 4628 Thread sleep time: -30000s >= -30000s (reported twice)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 2_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 2_2_0043E387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00434FF1 GetLogicalDriveStringsA, 2_2_00434FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00436ACF _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 2_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Contains capabilities to detect virtual machines
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.666658507.000000004C448000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oyj
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW.top
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665458280.000000004B9C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.347738651.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.363718301.0000000004600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.383041635.0000000004FD0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.404708845.0000000004ED0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.430405491.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.459675205.0000000005BF0000.00000002.00000001.sdmp, WerFault.exe, 00000022.00000002.499337639.00000000050E0000.00000002.00000001.sdmp, WerFault.exe, 00000026.00000002.525547289.0000000005610000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663680242.0000000000BD3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW4
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665458280.000000004B9C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.347738651.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.363718301.0000000004600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.383041635.0000000004FD0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.404708845.0000000004ED0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.430405491.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.459675205.0000000005BF0000.00000002.00000001.sdmp, WerFault.exe, 00000022.00000002.499337639.00000000050E0000.00000002.00000001.sdmp, WerFault.exe, 00000026.00000002.525547289.0000000005610000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665458280.000000004B9C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.347738651.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.363718301.0000000004600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.383041635.0000000004FD0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.404708845.0000000004ED0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.430405491.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.459675205.0000000005BF0000.00000002.00000001.sdmp, WerFault.exe, 00000022.00000002.499337639.00000000050E0000.00000002.00000001.sdmp, WerFault.exe, 00000026.00000002.525547289.0000000005610000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.663596917.0000000000BA2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWHm
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000002.665458280.000000004B9C0000.00000002.00000001.sdmp, WerFault.exe, 00000006.00000002.347738651.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.363718301.0000000004600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.383041635.0000000004FD0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.404708845.0000000004ED0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.430405491.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.459675205.0000000005BF0000.00000002.00000001.sdmp, WerFault.exe, 00000022.00000002.499337639.00000000050E0000.00000002.00000001.sdmp, WerFault.exe, 00000026.00000002.525547289.0000000005610000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: the three Hyper-V Compute Service messages that also appear in every WerFault.exe process are Windows system error strings mapped into all of those processes and say nothing about the sample's own code. Only the VMware SATA CD-ROM device interface path (the GUID is the standard CD-ROM device interface class) and the "Hyper-V RAW" fragments come from the sample's own memory, and both are strings the OS hands to any process that enumerates devices or Winsock protocols. Treat this signature as weak evidence of deliberate VM detection.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process queried: DebugPort (reported 6 times)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0045C2E6 IsDebuggerPresent,OutputDebugStringW, 2_2_0045C2E6
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 2_2_0042495F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00446991 mov eax, dword ptr fs:[00000030h] 2_2_00446991
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0040A3FB GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_0040A3FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004402A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004402A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004463B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004463B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00440406 SetUnhandledExceptionFilter, 2_2_00440406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004405C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004405C8

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process created: unknown unknown

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004400C8 cpuid 2_2_004400C8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 2_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 2_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00462121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: EnumSystemLocalesW, 2_2_00458367
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 2_2_0046231C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: EnumSystemLocalesW, 2_2_004623C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: EnumSystemLocalesW, 2_2_0046240E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: EnumSystemLocalesW, 2_2_004624A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00462534
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 2_2_00462787
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004628AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 2_2_00458994
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetLocaleInfoW, 2_2_004629B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00462A82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_00440470 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00440470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_004364C1 GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 2_2_004364C1 (reported twice)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 2_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 7140, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.530022308.0000000000BCD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storaget
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum Wallet
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 7140, type: MEMORY

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe PID: 7140, type: MEMORY
Behavior Graph (ID 356541, start date 23/02/2021, architecture WINDOWS, score 92)

Root node, DNS/IP: pool.minexmr.com; iplogger.org
Root node, signatures: Multi AV Scanner detection for submitted file; Yara detected Raccoon Stealer; May check the online IP address of the machine; 2 other signatures
Process started: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe
Sample process, DNS/IP: 94.103.94.2, ports 49774 and 80, VDSINA-ASRU, Russian Federation; tttttt.me 95.216.186.40, ports 443 and 49736, HETZNER-ASDE, Germany; 2 other IPs or domains
Sample process, dropped files: C:\Users\user\AppData\...\XObEdOuQjV.exe (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 57 other files (none is malicious)
Sample process, signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
Sample process, child processes: WerFault.exe (three instances shown); 5 other processes

Contacted Public IPs

IP              Domain   Country             ASN    ASN Name         Malicious
95.216.186.40   unknown  Germany             24940  HETZNER-ASDE     false
104.21.50.15    unknown  United States       13335  CLOUDFLARENETUS  false
172.67.199.58   unknown  United States       13335  CLOUDFLARENETUS  false
94.103.94.2     unknown  Russian Federation  48282  VDSINA-ASRU      false

Contacted Domains

Name IP Active
tttttt.me 95.216.186.40 true
yearofthepig.top 104.21.50.15 true
iplogger.org 88.99.66.31 true
pool.minexmr.com 51.254.84.37 true

Contacted URLs

Name                                    Malicious  Antivirus Detection    Reputation
http://94.103.94.2/miner_scrooges.exe   false      Avira URL Cloud: safe  unknown

Note: the "false" and "safe" values here are reputation lookups on the URL itself, not an assessment of the file fetched from it. The report's "Downloads executable code via HTTP" signature, the file name, and the contact to pool.minexmr.com (a Monero mining pool) are the relevant context for that download.
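The behaviour lines above (Anti Debugging, Stealing of Sensitive Information) and the network tables are a fixed text format, which makes them easy to turn into a hunting list. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses a handful of lines copied from this report (site residue such as "Jump to behavior" removed, the input labelled as constructed) into typed events, buckets them into the stealer behaviours a responder cares about, and reads the "Contacted Domains" rows. The event categories, regexes, marker lists and the "stealer profile" rule are this example's own assumptions, not the sandbox's classification logic.

```python
import re
from collections import defaultdict

# Constructed input: behaviour lines copied from this report, one per line,
# with the site's "Jump to behavior" / "Jump to dropped file" residue removed.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\XObEdOuQjV.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\eE8sF0yG2eQ6fT7\freebl3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Code function: 2_2_0045C2E6 IsDebuggerPresent,OutputDebugStringW, 2_2_0045C2E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe, 00000002.00000003.594234001.0000000000BED000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
"""

# Constructed input: rows of the report's "Contacted Domains" table (Name IP Active).
DOMAIN_ROWS = """
tttttt.me 95.216.186.40 true
yearofthepig.top 104.21.50.15 true
iplogger.org 88.99.66.31 true
pool.minexmr.com 51.254.84.37 true
"""

# One regex per report event type (assumed set); the named group is the IOC value.
EVENT_PATTERNS = {
    "dropped_file": re.compile(r"Dropped PE file which has not been started: (?P<value>.+)$"),
    "file_opened": re.compile(r"File opened: (?P<value>.+)$"),
    "registry_key": re.compile(r"Key (?:opened|value queried): (?P<value>.+)$"),
    "memory_string": re.compile(r"String found in binary or memory: (?P<value>.+)$"),
    "process_query": re.compile(r"Process queried: (?P<value>\w+)$"),
    "code_function": re.compile(r"Code function: \S+ (?P<value>[\w,]+), \S+$"),
}

# Marker lists are taken from the paths and API names this report shows.
BROWSER_STORES = ("Login Data", "Web Data", "Cookies", "History")
WALLET_MARKERS = ("Electrum", "Exodus", "Jaxx", "Ethereum Wallet")
ANTI_DEBUG_APIS = {"DebugPort", "IsDebuggerPresent"}


def parse_events(text):
    """Return (event_type, value) tuples for every recognised 'Source:' line."""
    events = []
    for line in text.splitlines():
        if not line.startswith("Source: "):
            continue
        for kind, pattern in EVENT_PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((kind, match.group("value")))
                break
    return events


def classify(events):
    """Bucket parsed events into the behaviours a hunter would pivot on."""
    buckets = defaultdict(set)
    for kind, value in events:
        if kind == "dropped_file":
            buckets["dropped_files"].add(value)
        elif kind == "file_opened" and value.endswith(BROWSER_STORES):
            buckets["browser_credential_stores"].add(value)
        elif kind == "memory_string" and any(w in value for w in WALLET_MARKERS):
            buckets["wallet_paths"].add(value)
        elif kind == "registry_key" and "Outlook" in value:
            buckets["mail_account_keys"].add(value)
        elif kind == "registry_key" and value.endswith("MachineGuid"):
            buckets["machine_id_lookup"].add(value)
        elif kind == "process_query" and value in ANTI_DEBUG_APIS:
            buckets["anti_debug"].add(value)
        elif kind == "code_function":
            # The value is the comma-joined API call chain of one function.
            buckets["anti_debug"].update(ANTI_DEBUG_APIS.intersection(value.split(",")))
    return {name: sorted(values) for name, values in buckets.items()}


def parse_domains(text):
    """Return {domain: ip} for the active rows of the 'Contacted Domains' table."""
    resolved = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "true":
            resolved[parts[0]] = parts[1]
    return resolved


def is_stealer_profile(buckets):
    """Assumed rule: credential stores, wallets and mail keys touched together."""
    required = ("browser_credential_stores", "wallet_paths", "mail_account_keys")
    return all(name in buckets for name in required)


if __name__ == "__main__":
    found = classify(parse_events(REPORT_LINES))
    for name, values in found.items():
        print(name, values)
    print("stealer profile:", is_stealer_profile(found))
    print("domains:", parse_domains(DOMAIN_ROWS))
```

Feeding the full report through parse_events gives the complete set of file, registry and memory-string IOCs in one pass; the bucket names double as field names for a SIEM lookup, and parse_domains supplies the DNS pairs (including iplogger.org and pool.minexmr.com, which resolve to addresses the "Contacted Public IPs" table does not list).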