Windows Analysis Report SecuriteInfo.com.Trojan.Loader.788.32290.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Loader.788.32290.dll
Analysis ID: 483796
MD5: ab4dabb7296c60f618a8bba9ec194659
SHA1: 3a71cbe4e689eab68fb642bb94a4995102b03a9d
SHA256: 58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b
Tags: dll

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses 32bit PE files
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll ReversingLabs: Detection: 75%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
Source: Binary string: advapi32.pdbf source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbH-!*r source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbT-5*r source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb~-[* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbD source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.262768369.0000000005033000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbR source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbZ-?*C source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb= source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: WINMMBASE.pdbG source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbL source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdbD source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbJ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msi.pdbK source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000009.00000003.260775913.0000000004952000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbB-'*i source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbH source: WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbN-+*e source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbF source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbn source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb^ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbY source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbl-M* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb*? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdbr source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbl source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbK source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbX source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb` source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdbS source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb~ source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbx-Q* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbr-W* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbx source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb6hwQ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb`-9*a source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: combase.pdbf-C* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbT source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb<? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: WerFault.exe, 00000009.00000003.284488580.00000000044CB000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.295654587.000000000495E000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.302305327.0000000004FC2000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000F.00000002.305175325.0000000004FA4000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry.microsoft

System Summary:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 724
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll ReversingLabs: Detection: 75%
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 724
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 716
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 716
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6708
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6456
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DBD.tmp
Source: classification engine Classification label: mal56.winDLL@12/12@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
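The process-creation and mutant lines above carry the two facts a detection engineer would correlate: rundll32 is handed a DLL from a user-profile path and told to call it either by export name (uvlcopdlxoed) or by ordinal (#1), and every rundll32 instance then crashes into WerFault, whose -p argument is the crashed PID and reappears in the WERReportingForProcess<pid> mutant. The Python below is an added example written for this page, not Joe Sandbox code and not part of the report. It parses the report's own lines (embedded verbatim as the sample input) rather than a Sysmon or EDR schema, and the function names and the user-profile-path heuristic are assumptions of this example; adapt the regexes to whatever process-creation log you actually collect.

```python
import re

# The report's own process-creation and mutant lines, embedded as sample input
# (the "Jump to behavior" link text some lines carry is stripped by the parser).
REPORT_LINES = [
    r"Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll'",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1 Jump to behavior",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 724",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 716",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 716",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6708",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6456",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444",
]

PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+?)(?: Jump to behavior)?$")
MUTANT_RE = re.compile(r"Mutant created: \S*WERReportingForProcess(?P<pid>\d+)")
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (?P<pid>\d+)")      # -p <pid of the crashed process>
RUNDLL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+?)'?,(?P<entry>\S+)")  # rundll32 <dll>,<entry>
USER_PROFILE_RE = re.compile(r"\\Users\\", re.IGNORECASE)            # heuristic: user-writable location


def entry_kind(entry):
    """rundll32 accepts an export name or '#<ordinal>' after the comma."""
    return "ordinal" if entry.startswith("#") else "named export"


def analyse(lines):
    """Extract rundll32 DLL/entry pairs, crashed PIDs from WerFault -p, and the
    WER mutant PIDs, then cross-check the two PID sets."""
    rundll32_entries, crashed, reported, werfault_parents = set(), set(), set(), set()
    user_profile_dll = False
    for line in lines:
        m = MUTANT_RE.search(line)
        if m:
            reported.add(int(m.group("pid")))
            continue
        m = PROC_RE.match(line)
        if not m:
            continue
        image, cmdline = m.group("image").lower(), m.group("cmdline")
        if image.endswith("\\rundll32.exe"):
            r = RUNDLL_RE.search(cmdline)
            if r:
                dll, entry = r.group("dll"), r.group("entry")
                rundll32_entries.add((dll, entry))
                if USER_PROFILE_RE.search(dll):
                    user_profile_dll = True
        elif image.endswith("\\werfault.exe"):
            w = WERFAULT_RE.search(cmdline)
            if w:
                crashed.add(int(w.group("pid")))
                werfault_parents.add(m.group("parent"))
    return {
        "rundll32_entries": sorted(rundll32_entries),
        "user_profile_dll": user_profile_dll,
        "crashed_pids": sorted(crashed),
        "wer_report_pids": sorted(reported),
        "unreported_crashes": sorted(crashed - reported),   # crash with no WER mutant
        "werfault_parents": sorted(werfault_parents),
    }


def summarise(f):
    """Human-readable findings from analyse()."""
    notes = ["rundll32 called %s '%s' in %s" % (entry_kind(e), e, d) for d, e in f["rundll32_entries"]]
    if f["user_profile_dll"]:
        notes.append("DLL was loaded from a user-profile path")
    if f["crashed_pids"]:
        notes.append("%d process crash(es) handled by WerFault: %s" % (len(f["crashed_pids"]), f["crashed_pids"]))
    if f["unreported_crashes"]:
        notes.append("WerFault -p PIDs without a WERReportingForProcess mutant: %s" % f["unreported_crashes"])
    return notes


if __name__ == "__main__":
    for note in summarise(analyse(REPORT_LINES)):
        print(note)
```

Three WerFault launches, three mutants, all with rundll32 as parent: every rundll32 host of this DLL died, whichever entry point it was given. That is consistent with a loader that expects a specific host process or arguments rather than a generic rundll32 invocation, but the report alone does not say which.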
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
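The static PE facts listed in this report (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED; a .text section flagged IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ; a populated IMAGE_DIRECTORY_ENTRY_DEBUG) are all bit fields in the file header, section headers and optional-header data directory, and can be re-derived from the raw bytes without trusting the sandbox. The Python below is an added example for this page, not Joe Sandbox code and not part of the report; because the sample itself is not on the page, it builds a constructed, header-only PE32 DLL carrying the same flag values and parses that. Function names are the example's own. One caveat worth checking on any DLL with RELOCS_STRIPPED: with no base-relocation directory the loader cannot rebase the image, so LoadLibrary fails outright if the preferred ImageBase is already occupied in the host process, and the image cannot take part in ASLR.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h IMAGE_FILE_*)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h IMAGE_SCN_*)
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# IMAGE_DIRECTORY_ENTRY_* indices into the optional header's data directory
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                    "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                    "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                    "COM_DESCRIPTOR", "RESERVED"]


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Parse PE32/PE32+ headers from raw bytes and return the facts the sandbox
    lists: file characteristics, populated data directories, section flags."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                                # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = []
    for i in range(min(ndirs, len(DATA_DIRECTORIES))):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva or size:
            dirs.append(DATA_DIRECTORIES[i])
    sections = []
    for i in range(nsections):                          # section table follows the optional header
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, decode_flags(fields[-1], SECTION_CHARACTERISTICS)))
    return {"machine": machine,
            "characteristics": decode_flags(fchars, FILE_CHARACTERISTICS),
            "data_directories": dirs,
            "sections": sections}


def cannot_be_rebased(info):
    """True for a DLL with relocations stripped and no BASERELOC directory: the
    loader cannot move it, so LoadLibrary fails when its ImageBase is taken."""
    c = info["characteristics"]
    return "DLL" in c and "RELOCS_STRIPPED" in c and "BASERELOC" not in info["data_directories"]


def build_sample_pe():
    """Constructed, header-only PE32 DLL (not the analysed sample); its flag
    values mirror what the report lists, there is no loadable code behind it."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    fchars = 0x0001 | 0x0002 | 0x0100 | 0x2000                  # RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE|DLL
    opt_size = 96 + 16 * 8                                      # PE32 optional header, 16 directories
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, fchars)  # Machine = I386, 1 section
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # NumberOfRvaAndSizes at +92
    dirs = b"".join(struct.pack("<II", 0x2000, 0x1C) if i == 6 else b"\0" * 8 for i in range(16))  # only DEBUG set
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + dirs + text


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info)
    print("cannot be rebased:", cannot_be_rebased(info))
```

Pointing parse_pe at the real file's bytes gives the same four characteristics, the .text flags and the DEBUG directory the report lists; the export table behind the uvlcopdlxoed name would be found the same way via the EXPORT directory.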
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbF source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbn source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb^ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbY source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbl-M* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb*? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdbr source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbl source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbK source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbX source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb` source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdbS source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb~ source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbx-Q* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbr-W* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbx source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb6hwQ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb`-9*a source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: combase.pdbf-C* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbT source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb<? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327F9E4 push ss; retn 0000h 3_2_0327F9EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327C080 push esp; ret 3_2_0327C081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327C088 push esp; ret 3_2_0327C089
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327EA5A push ss; retn 0000h 3_2_0327EA5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327C098 push edx; ret 3_2_0327C099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_02E3CB58 push eax; retf 10_2_02E3CB59

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 0000000F.00000003.302556477.0000000004FC2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW8
Source: WerFault.exe, 00000009.00000002.287708207.00000000044C3000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.302556477.0000000004FC2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000D.00000002.295809636.0000000004A23000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWH

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10001000 mov eax, dword ptr fs:[00000030h] 2_2_10001000
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000156C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1000156C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos