Windows Analysis Report SecuriteInfo.com.Trojan.Loader.788.32290.4876

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Loader.788.32290.4876 (renamed file extension from 4876 to dll)
Analysis ID:	483796
MD5:	ab4dabb7296c60f618a8bba9ec194659
SHA1:	3a71cbe4e689eab68fb642bb94a4995102b03a9d
SHA256:	58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Creates a process in suspended mode (likely to inject code)

Checks if the current process is being debugged

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll	Virustotal: Detection: 42%			Perma Link
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll	ReversingLabs: Detection: 75%

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000001.00000002.251067720.000000000128B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 716

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll	Virustotal: Detection: 42%
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll	ReversingLabs: Detection: 75%

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER598.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal56.winDLL@12/12@0/0

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 716
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 724
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 716
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1008
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2296
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3440

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_022BD61A pushad ; iretd	5_2_022BD621
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_027EC7F1 push ds; iretd	10_2_027EC7F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_027EC7C8 push ds; iretd	10_2_027EC7CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_027EBA30 push ss; iretd	10_2_027EBA32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_027EC11D push ss; iretd	10_2_027EC11E

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10001000 mov eax, dword ptr fs:[00000030h]

4_2_10001000

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000156C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_1000156C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1

Jump to behavior

Source: rundll32.exe, 00000004.00000000.245977299.0000000003A30000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.246944622.0000000002DC0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.254428817.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000000.245977299.0000000003A30000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.246944622.0000000002DC0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.254428817.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000000.245977299.0000000003A30000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.246944622.0000000002DC0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.254428817.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000000.245977299.0000000003A30000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.246944622.0000000002DC0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.254428817.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	483796
Product:	CloudBasic
Start time:	13:52:25
Start date:	15.09.2021
Sample:	SecuriteInfo.com.Trojan.Loader.788.32290.4876
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ab4dabb7296c60f618a8bba9ec194659
SHA1:	3a71cbe4e689eab68fb642bb94a4995102b03a9d
SHA256:	58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_035c146d\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	86BD6549A7E27119E4A3E9DDF4A977B7	8CEEA87A087935532EF6FE002D08C88EB5DAC39E	353D6E6BF581AE9EBC69F8FF3407232DCECBC4E76A014765324702A9E832B4AA
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_07680eef\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	FF49F91FF9717087EC08F0DCDA859EA3	3E30A9E01C88CC8F07D9BEF114468C33AB79CE72	F05D1D14B55BE37B5657EF2B7343683FA70F6E2D10D24770D4C7EB865BDB3C4D
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_14f41a2a\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	E901566F9DEFF5EB99704D6C0D368A45	296E07F22C1CF49446AF6C6751A28A27F655B789	C5B61422644920ED8A2FD877283BD9017266B8CA87B3089E2AD0C5AA39C5B58D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1355.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	80F1D885C49D9C1EC8A669A5B64AFF0B	62389C2AB6262E29AE4D081F33D3E8F7C70074FD	B8DFE63CAAF170279CBE2343571827B37FF21B1026B109938080F2CB089CD902
C:\ProgramData\Microsoft\Windows\WER\Temp\WER14EC.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	DF2EBAC1356D5234DBF6BFFEEB831E79	9D4F889F3E18EBA9A3CBF114729448EC223254E4	78F21DD61CD2CAB39F9E04F62B56FD812B44E38B6A08007C6D25C1060E17D679
C:\ProgramData\Microsoft\Windows\WER\Temp\WER598.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Sep 15 20:53:36 2021, 0x1205a4 type	B67508136C326CB677E34B3AAC0F2E3E	9C79D30CF3675FAEC5EE7FC81112DE254C0B136C	4D89A57A9B56A60326412F3212205D0E389B6BAB6E99CFCDAA0FED0CA9CB4EFD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER682.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Sep 15 20:53:36 2021, 0x1205a4 type	80CAE7E73B80D05DA2C3A26C20BB81E2	26AC82249A95C87C2C66B1B8087970E18552D44E	2E3C888DFBD7D838E3AD431B1C15C94C5FCA00667F7EA1122CDF767DC8C69521
C:\ProgramData\Microsoft\Windows\WER\Temp\WER923.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	1D722310DA0BE6C77B1A583B512CF5E0	465F562C0D0AFA6FC70C511FD71CEC6552EC42F8	336E2F48B3D17B8ACDF7B2A307357562C43DD1A1E444E5BC6B6B59716F611589
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CF.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	3C9941FD1111189E866CE851CB48BCF5	756CE3AA51FD855CF3EC6EC742F67C187BC0B816	6D903703B561E450D699A37BE1B3CFED440BDDDB7CBBFA193382A77640DC75E5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	01311CAD72C0BC8B0D021426C1971DD5	0C79FCB1CAFEC26B639CFED9713730687693FC2B	F83F36E2796F7C4DBFA72217987C73581C3FD0E3E17CCF4F7C18ABADB4DE1C66
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	65E8BF104530B0174CAB4EBA03F0A7F8	0897C25B30107CD27C06E20625DA6D2D3AF8F9D8	07DA9F76FC3473D8FC60D5661583AF0494EAD0965D4DB9178971154B4899C95C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAA.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Sep 15 20:53:39 2021, 0x1205a4 type	B05604691E9562343EC1EE6E756758B4	2E1E973EACEF5BF0E7FB4D65D943B41F3B5E06D1	1313D1C545BC25DA739DBE36796D3FB92D6A1DA037D29DBDF4BBC3E5257B9779

Windows Analysis Report SecuriteInfo.com.Trojan.Loader.788.32290.4876

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map