
Windows Analysis Report SecuriteInfo.com.Trojan.Loader.788.32290.dll

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Loader.788.32290.dll
Analysis ID:483796
MD5:ab4dabb7296c60f618a8bba9ec194659
SHA1:3a71cbe4e689eab68fb642bb94a4995102b03a9d
SHA256:58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b
Tags:dll

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses 32bit PE files
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6412 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6432 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6456 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 724 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6444 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 716 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6708 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 716 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll | ReversingLabs: Detection: 75%
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
Source: Binary string: advapi32.pdbf source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbH-!*r source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbT-5*r source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb~-[* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbD source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.262768369.0000000005033000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbR source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbZ-?*C source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb= source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: WINMMBASE.pdbG source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbL source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdbD source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbJ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msi.pdbK source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000009.00000003.260775913.0000000004952000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbB-'*i source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbH source: WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbN-+*e source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbF source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbn source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb^ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbY source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbl-M* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb*? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdbr source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbl source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbK source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbX source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb` source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdbS source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb~ source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbx-Q* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbr-W* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbx source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb6hwQ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb`-9*a source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: combase.pdbf-C* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbT source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb<? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: WerFault.exe, 00000009.00000003.284488580.00000000044CB000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.295654587.000000000495E000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.302305327.0000000004FC2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000F.00000002.305175325.0000000004FA4000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemetry.microsoft
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 724
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 716
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 716
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6708
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6456
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DBD.tmp
Source: classification engine | Classification label: mal56.winDLL@12/12@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Loader.788.32290.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbF source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbn source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb^ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbY source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbl-M* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb*? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdbr source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbl source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbK source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbX source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb` source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdbS source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb~ source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbx-Q* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbr-W* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbx source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.260743433.0000000004940000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266810031.0000000002D30000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280801201.0000000005310000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb6hwQ source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: loadperf.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.260760626.0000000004946000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb`-9*a source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.260697722.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.266776675.0000000004CD1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.280725778.0000000005341000.00000004.00000001.sdmp
Source: Binary string: combase.pdbf-C* source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbT source: WerFault.exe, 0000000D.00000003.266841443.0000000002D36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb<? source: WerFault.exe, 0000000F.00000003.280840146.0000000005317000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327F9E4 push ss; retn 0000h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327C080 push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327C088 push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327EA5A push ss; retn 0000h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0327C098 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_02E3CB58 push eax; retf
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 0000000F.00000003.302556477.0000000004FC2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW8
Source: WerFault.exe, 00000009.00000002.287708207.00000000044C3000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.302556477.0000000004FC2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000D.00000002.295809636.0000000004A23000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10001000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000156C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000000.248676618.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.248363494.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.256094060.0000000003470000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Rundll321 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion11 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Virtualization/Sandbox Evasion11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

[Behavior graph rendered as an image in the original report. Recoverable details: Behavior Graph ID: 483796; Sample: SecuriteInfo.com.Trojan.Loa...; Startdate: 15/09/2021; Architecture: WINDOWS; Score: 56. Signatures attached to the root node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file. Process chain: loaddll32.exe started cmd.exe, rundll32.exe and rundll32.exe; cmd.exe started rundll32.exe; each of the three rundll32.exe instances started WerFault.exe.]

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Loader.788.32290.dll | 75% | ReversingLabs | Win32.Trojan.Spynoon |
SecuriteInfo.com.Trojan.Loader.788.32290.dll | 100% | Avira | TR/Injector.nhqlj |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://watson.telemetry.microsoft | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://watson.telemetry.microsoft | WerFault.exe, 0000000F.00000002.305175325.0000000004FA4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483796
Start date: 15.09.2021
Start time: 13:58:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Trojan.Loader.788.32290.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winDLL@12/12@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 100%)
  • Quality average: 76.6%
  • Quality standard deviation: 28.1%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Sleeps bigger than 120000ms are automatically reduced to 1000ms
  • Found application associated with file extension: .dll
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.189.173.22, 20.189.173.21, 20.82.210.154, 40.112.88.60, 20.82.209.183, 23.216.77.208, 23.216.77.209, 20.82.209.104, 20.54.110.249
  • Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/483796/sample/SecuriteInfo.com.Trojan.Loader.788.32290.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_1a0173ec\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12058
Entropy (8bit): 3.765198868051731
Encrypted: false
SSDEEP: 192:/VRi10oXiHBUZMX4jed+i/u7s1S274It7cs:9RibX6BUZMX4jeX/u7s1X4It7cs
MD5: 518328E26C8FF6501C25B712A417B90B
SHA1: AB56DAF80C5F2025748160BE8742A8722D8E90EA
SHA-256: F200732BD0213631E29DBCC7172110B02255EC643819DA0879B56A10DD060AD8
SHA-512: 76A6CD5B1E2302F14496B34F4A512DE582964DB0433D98FB4B5D8C993A4CECA70EEFA925BD0296D43AFEB8546BFD64637226A03C64D365326862745E82DF6432
Malicious: false
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.3.2.0.5.8.1.4.2.3.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.3.2.2.0.7.6.7.3.8.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.f.4.1.9.0.7.-.b.d.2.0.-.4.c.a.0.-.9.a.9.9.-.d.8.1.2.c.7.1.4.0.c.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.4.d.4.0.2.a.-.2.0.e.a.-.4.7.b.a.-.9.b.8.9.-.0.a.6.b.8.2.7.3.d.e.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.3.4.-.0.0.0.1.-.0.0.1.6.-.8.9.4.e.-.4.3.a.4.7.4.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_1b2952a8\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):12026
Entropy (8bit):3.767189237668157
Encrypted:false
SSDEEP:192:b9Ri/0oXXHBUZMX4jed+q/u7saS274It7c0:ZRiBX3BUZMX4jeP/u7saX4It7c0
MD5:DF8917A5C9FB0A30491F195D465F903A
SHA1:1FB1EC02157FF948F19CDB4620E4599A5FE8E009
SHA-256:B64DF1EF259B4A66E1224AFB99BA39F92A643B96941E62F30FE22A162E11754F
SHA-512:AC616670F5A9CAD5261B0A68C77B4CE121A1017C2528EA6E17A7E82B4FAE140692BD2600A7B7C8CC975A586767A9728DA9BB7E712B333883F8F1FA398BBF8425
Malicious:false
Reputation:low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.3.2.0.0.2.6.4.9.3.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.3.2.1.1.9.0.5.5.4.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.c.2.7.9.3.c.-.3.7.f.b.-.4.3.c.8.-.b.b.5.f.-.c.9.8.2.b.8.1.2.6.2.8.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.4.2.9.9.b.1.-.f.d.b.4.-.4.1.b.2.-.b.f.a.9.-.7.6.3.e.2.1.a.1.6.f.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.3.8.-.0.0.0.1.-.0.0.1.6.-.a.3.f.8.-.1.b.a.2.7.4.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_1bb9611f\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):12056
Entropy (8bit):3.7662107313886293
Encrypted:false
SSDEEP:192:8+iF0oXHHBUZMX4jed+q/u7saS274It7cs:5iLXnBUZMX4jev/u7saX4It7cs
MD5:7216EF1A79D9121B0AB5E270086BEE88
SHA1:5F84DFF306DF6D5557CFF0E6C9B822814FC028B8
SHA-256:C79CB51FE3332B4EB0AACB7EC702A97E1DE4618B62D30DB3288E8BCBBE0FCB69
SHA-512:458A2A407CC706E308E5FAA11B0EC1AFF12731A4A9ECED4483A1B673C235C5D442A1B9F47E24E7D393533BEAAC37EDC640E31966B9166393FFC6EE33833F110B
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.3.2.0.1.7.5.3.8.2.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.3.2.1.5.8.4.7.5.5.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.8.f.e.7.d.6.-.9.6.9.6.-.4.3.7.e.-.8.9.4.f.-.6.6.b.b.1.3.1.b.3.e.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.6.b.4.f.a.5.-.6.7.6.6.-.4.b.3.0.-.a.c.6.5.-.e.b.b.f.2.a.3.4.6.3.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.2.c.-.0.0.0.1.-.0.0.1.6.-.2.a.6.f.-.1.5.a.2.7.4.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DBD.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 21:00:02 2021, 0x1205a4 type
Category:dropped
Size (bytes):45132
Entropy (8bit):2.133794980071242
Encrypted:false
SSDEEP:192:T3dhBD8lDw7L9WPdO1HWtMkuIQLrjW6sHpzUBRkyLnG:pDVL9WPQ42kYLrj6pzILG
MD5:CB12C62AAC7334EAC7F06D9C23FB0C86
SHA1:341D3B5C8C0694E6C6FDE79B00141E466683CBC7
SHA-256:ABC8423DAEFC7E75AEF9696A2E6898B76895029F0C38F5837AA6B75C9FA43665
SHA-512:291FB4B8DB3F1665C1435D4A0CC0AA6B9F51E9E719AB60827DE257FCE39E1A171C225807BF1C10323204E2E6519498055B58DB40228C1C99FFF677DC7AAE31E1
Malicious:false
Preview: MDMP....... ........^Ba...................U...........B..............GenuineIntelW...........T.......8....^Ba.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2399.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 21:00:05 2021, 0x1205a4 type
Category:dropped
Size (bytes):45260
Entropy (8bit):2.108116615082561
Encrypted:false
SSDEEP:192:soAo0NQqfg0cUD1XA4U6lmWtMkuIQLrD9tEcyPaVhucnuO:jAtNQqIwBsW2kYLrDgcjucb
MD5:BB5FFC5A63F5286023D8605196EDDED9
SHA1:9715FEE0055EAA537847CDDD35A1F76C58FFB185
SHA-256:56E337C0FF7FD28CC050416289FC8990CA2D446DF14D364737AA69932736BB67
SHA-512:4BFB7A1C2D505CA52F638382841DB858839F6F5EF3C9E6B1DEDAA3E73C553BEBA5A85E397B1D1D24B2FE378286337CDBD159165E0596C6CC5A1BD720DEB57F1C
Malicious:false
Preview: MDMP....... ........^Ba...................U...........B..............GenuineIntelW...........T.......,....^Ba.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2744.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8362
Entropy (8bit):3.6978936929644113
Encrypted:false
SSDEEP:192:Rrl7r3GLNicF6nQ6Yw56rgmf8dSRCprv89buisfEVam:RrlsNiu6Q6Yu6rgmf8dSpuhfE5
MD5:8163946A22BE4A1F5E4078463F1503BB
SHA1:EB80E48077C2C406C98A35FDB90B8B478E6DE077
SHA-256:922E92BBB9DF0D7EDAB47414CC1C290785A75DCA2BE7F9BB3A622EF76A7D674A
SHA-512:B0D76674CF5158CEDA1BA408347C865B156FA6A59CB32654F88EBBBDE0735B07F22696B1C1250F342BD0C6F9FDBBAB3161778F64A23F55717CB1744F23226CC7
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.5.6.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D5F.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4771
Entropy (8bit):4.484496088298751
Encrypted:false
SSDEEP:48:cvIwSD8zspJgtWI9oBKhWSC8Bqa8fm8M4JCdsjMFQ6+q8vjsjGn4SrS4d:uITf7/HSNQJJ4KOkDW4d
MD5:E92DA7A2372614FEC84E23396FE7844B
SHA1:E65FE2E3BD50EDDBDA3846155C652B92E12E4927
SHA-256:CF49DF60679711E376977519EF5856387F0F78CC30AC74F90A364C497DF1BD49
SHA-512:B8C7395F0760E64993F03EA3F0DBA1FE86E59EE4747411A96C4900467B62C0B23BE3204F4BFF7002D5EA94BA3EA199A2F952CF641AE5B3C4C7527CBB2ADB58A6
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168210" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER326F.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8386
Entropy (8bit):3.6961312652199747
Encrypted:false
SSDEEP:192:Rrl7r3GLNi/z6g7ws6YDx6EBCGgmf8dSRCprO89bYisfqom:RrlsNi76I6Y16EVgmf8dS+Yhfk
MD5:95C4FB8D38D4A3376BB8D8E0810C14A0
SHA1:944667E85042FE576A14BE42C8B197F6542FB668
SHA-256:5AEA9F76927FE1CD3EE1B35EAE7FBF332BC3F5E8678FB7FD3938BE717988B207
SHA-512:49DA3E0A7AD868D7F1AD879012F700B27DC05B76161437EA1D57EB9421CB7414FE2A8A3856E99EA876C20E2DAC5448A6B4C9275E565962C128F6E757843E66E2
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.4.4.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3368.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 21:00:11 2021, 0x1205a4 type
Category:dropped
Size (bytes):53904
Entropy (8bit):1.9317163376928401
Encrypted:false
SSDEEP:192:zLGYcAzw0of9QG3Z0xm9894l1rKQXRqedg51Eb0nYT:+YcA0d3Z0wW61rKQbg51TO
MD5:222EA84DABB55A9C23022E127AD722B5
SHA1:37D377ADF47C9C5B5104B4FAA287E697101CA796
SHA-256:AF1F8798531D4998A32EF78A519EF60FB0F85332018A4E2B6B05AEAF20A896F1
SHA-512:39AB35E76B7E7D21B12A9942A6361A3A7B8AFA1F051735A2B050B6D3DC81924585AB761E2ED9943D9A9EC0F4807B732B4AA343B5AF67855F4E84C7615EDCD3E7
Malicious:false
Preview: MDMP....... ........^Ba...................U...........B..............GenuineIntelW...........T.......4....^Ba.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3629.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4771
Entropy (8bit):4.484975619046288
Encrypted:false
SSDEEP:48:cvIwSD8zspJgtWI9oBKhWSC8Br8fm8M4JCdsjMFAEV6+q8vjsjTEfn4SrSpd:uITf7/HSNmJJ66KOTEPDWpd
MD5:6272F42437363467A46161C9F6274FB9
SHA1:36AF21588AC46B6CDCFF1614196F30D3263AF206
SHA-256:144B18529759450654CE183BC39530F56E6ED9A8439305B0FE3A7852ECC5CDE0
SHA-512:5BBAB021F89A9616D20FA5538AA3349163F9F319A7A42125501385986A951609F3AF68059FEB1583CC2C0ED7C9ADF56BE4DCA1DC598BF28A93636D213A217716
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168210" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C12.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8386
Entropy (8bit):3.6956392955336814
Encrypted:false
SSDEEP:192:Rrl7r3GLNisk6Ww6YD56EBCGgmf8dSRCpr+89bGosfkmim:RrlsNi36R6Y96EVgmf8dSOGbfk6
MD5:5FE8B652EF9B91DCE555D75606D96F63
SHA1:8085D34F012562C2F0DF5EAA1C4EF4703BE8A539
SHA-256:7CBBF839D369430996C40E8ED4451E7CDEB0578282D6ECF28BAC61A1A5B61AD6
SHA-512:F7CB104AABA14D225C66AAC2909A4F129EC4A443D4DA02E55029F406C3C3C938378C81288E36E658F1D360663F1D02E8DAEC6788B8696D25E87BE2443E5FE11B
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.0.8.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER502A.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4771
Entropy (8bit):4.481480377925222
Encrypted:false
SSDEEP:48:cvIwSD8zspJgtWI9oBKhWSC8BB8fm8M4JCdsjMFmj+q8vjsjTJI4SrSod:uITf7/HSNwJJfjKOT+DWod
MD5:957712C6CD84465CF2A95E50419F0DB6
SHA1:F734D33E1D1A1CF2208A8C7242F862533B6A8255
SHA-256:C62C378E07DCBDA019E71B194B6138F6E6F6FCAB18011E453FD952EE3D42DC44
SHA-512:9EDC449FF21B070D5818728870732683C28B9B7F907B645324E4360F1B7EA91D65C08F6C08A21C2CFBE8E5EC35AFBCC0CEC3E4679AEAD62B330C4D47650F8579
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168210" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.612809244096079
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Trojan.Loader.788.32290.dll
File size:6144
MD5:ab4dabb7296c60f618a8bba9ec194659
SHA1:3a71cbe4e689eab68fb642bb94a4995102b03a9d
SHA256:58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b
SHA512:ec791043f95ca06804aed549d3f6414a2605ad85ba7e1d06fd14357a9bd5234ed60cb4f28d89fcc6680801ee8cae2282cdb7c79927d830e15ad9753c8e356b75
SSDEEP:96:/an1ASk3NDZ+tCiq5RSKKgHCgQNLJ2L8ipKvrD3:/dgqTSHg+d2LKjD3
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................sA......................................Rich............................PE..L...O..`...........!.......

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x10000000
Entrypoint Section:
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
DLL Characteristics:NO_SEH, NX_COMPAT
Time Stamp:0x6090924F [Tue May 4 00:16:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:68cb0529e8a62fbcd192ffb1ba826877

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x21d0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2304 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2110 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2130 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xf4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x694 | 0x800 | False | 0.46533203125 | data | 5.07347132918 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x98e | 0xa00 | False | 0.4578125 | data | 4.64118874162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x354 | 0x200 | False | 0.1171875 | data | 0.557168346014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
ole32.dll | WriteClassStg, OleMetafilePictFromIconAndLabel, OleCreateEmbeddingHelper, OleDestroyMenuDescriptor, OleSetAutoConvert, MkParseDisplayName, StgIsStorageFile, HBITMAP_UserMarshal, SNB_UserMarshal
SETUPAPI.dll | SetupLogFileA, SetupQueueDeleteSectionA, SetupQueueRenameSectionA, SetupQueryInfFileInformationA, SetupDiSelectDevice, SetupDiGetHwProfileFriendlyNameW, SetupRemoveInstallSectionFromDiskSpaceListW, SetupDiSetDeviceInstallParamsA
SHELL32.dll | SHGetMalloc, SHEmptyRecycleBinW, ShellAboutW
msi.dll |
IMM32.dll | ImmGetCandidateListA, ImmGetCompositionStringA, ImmUnlockIMCC, ImmEnumRegisterWordW, ImmSimulateHotKey, ImmAssociateContextEx, ImmGetGuideLineW, ImmGetCandidateWindow
WINMM.dll | joyGetNumDevs, midiInMessage, waveInGetErrorTextA, mmioSetBuffer, midiInGetErrorTextW
MPR.dll | WNetGetResourceParentW, WNetConnectionDialog1W, WNetConnectionDialog, WNetCancelConnectionW, WNetConnectionDialog1A, WNetAddConnectionA, WNetGetConnectionW
loadperf.dll | UnloadPerfCounterTextStringsW, LoadPerfCounterTextStringsW
KERNEL32.dll | GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

Exports

Name | Ordinal | Address
uvlcopdlxoed | 1 | 0x10001120

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 13:59:48.589612007 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:59:48.624234915 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:05.499752998 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:05.525926113 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:13.566728115 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:13.594832897 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:17.483498096 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:17.510718107 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:21.136315107 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:21.172847033 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:22.083720922 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:22.110166073 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:42.639941931 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:42.685523033 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:57.019525051 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:57.070691109 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:00:59.774430990 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:00:59.806207895 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:01:34.110276937 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:01:34.152872086 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:01:35.947684050 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:01:35.974706888 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:22.774019957 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:22.828027010 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:24.511521101 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:24.564990997 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:26.330388069 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:26.368390083 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:26.893373966 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:26.947057962 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:27.515149117 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:27.575628042 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:28.151424885 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:28.181327105 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:28.726547003 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:28.762218952 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:29.648863077 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:29.673705101 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:31.285892010 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:31.311038017 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 14:02:31.945827007 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 14:02:31.975508928 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:13:59:53
Start date:15/09/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll'
Imagebase:0xb80000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:59:53
Start date:15/09/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:59:54
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll,uvlcopdlxoed
Imagebase:0x1b0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:59:54
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',#1
Imagebase:0x1b0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:59:57
Start date:15/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 724
Imagebase:0x160000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:59:58
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Loader.788.32290.dll',uvlcopdlxoed
Imagebase:0x1b0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:59:58
Start date:15/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 716
Imagebase:0x160000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:00:01
Start date:15/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 716
Imagebase:0x160000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis
