Windows Analysis Report SecuriteInfo.com.Trojan.Agent.FHBA.20741.16185

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Agent.FHBA.20741.16185 (renamed file extension from 16185 to dll)
Analysis ID: 483798
MD5: 4b59be3cef04547514828f8c6443ae20
SHA1: bed0d3a622ca55a914ceaf885ebc2fb419e8a9eb
SHA256: b7ca395f51df95bd3d5b5b4a30a5c2381a9893f0d66aff011d605319d5c0ea7d
Tags: dll

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses 32bit PE files
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Virustotal: Detection: 62%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Metadefender: Detection: 29%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll ReversingLabs: Detection: 75%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED

System Summary:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 812
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Virustotal: Detection: 62%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Metadefender: Detection: 29%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll ReversingLabs: Detection: 75%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 812
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 804
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 804
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2564
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2036
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1752
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E8A.tmp
Source: classification engine Classification label: mal56.winDLL@12/12@0/1
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02CEC28A push ds; iretd 12_2_02CEC29E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02CEC993 push ds; iretd 12_2_02CEC99E

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 0000000E.00000003.308936840.0000000004C13000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: WerFault.exe, 00000009.00000002.301040929.00000000051BF000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.301075274.0000000004B73000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.317002782.0000000004B47000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.301542912.0000000005298000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100010A0 mov eax, dword ptr fs:[00000030h] 2_2_100010A0
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock