Loading ...

Play interactive tourEdit tour

Windows Analysis Report SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll

Overview

General Information

Sample Name:SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll
Analysis ID:510681
MD5:edadfd868f1dd7590ec7c9581eaa146d
SHA1:37fc2a180dcbf013988d563323e8fa0a3eff104b
SHA256:3d13e7a3703b143a8210510410bf7f18bc7494ac87248f36fcbe626d93e9017f
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Dridex
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Found detection on Joe Sandbox Cloud Basic with higher score
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6696 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6708 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6728 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6716 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6860 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5044 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 6664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1928 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5248 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5264 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000000.1030167993.000000006E451000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
    0000000D.00000002.1066648413.000000006E451000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
      00000001.00000002.1067915217.000000006E451000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
        0000000C.00000000.1024777204.000000006E451000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
          0000000B.00000000.1024816272.000000006E451000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
            Click to see the 10 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            12.0.rundll32.exe.6e450000.5.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
              1.2.loaddll32.exe.6e450000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                14.0.rundll32.exe.6e450000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                  12.0.rundll32.exe.6e450000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                    13.0.rundll32.exe.6e450000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                      Click to see the 10 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 1.2.loaddll32.exe.6e450000.2.unpackMalware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllVirustotal: Detection: 22%Perma Link
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllReversingLabs: Detection: 29%
                      Machine Learning detection for sampleShow sources
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllJoe Sandbox ML: detected
                      Source: 14.0.rundll32.exe.4dc4756.4.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 1.2.loaddll32.exe.1150000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 4.2.rundll32.exe.4094756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 13.0.rundll32.exe.970000.3.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 12.0.rundll32.exe.680000.3.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 13.2.rundll32.exe.970000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 10.2.rundll32.exe.3300000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 14.2.rundll32.exe.4dc4756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 4.2.rundll32.exe.520000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 3.0.rundll32.exe.4224756.4.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 13.0.rundll32.exe.4444756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 14.0.rundll32.exe.4dc4756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 1.2.loaddll32.exe.1984756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 11.0.rundll32.exe.46c4756.4.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 12.0.rundll32.exe.4224756.4.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 14.2.rundll32.exe.32d0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 11.0.rundll32.exe.29d0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 3.0.rundll32.exe.4224756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 10.2.rundll32.exe.34e4756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 11.0.rundll32.exe.46c4756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 14.0.rundll32.exe.32d0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 13.0.rundll32.exe.4444756.4.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 3.0.rundll32.exe.380000.3.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 3.0.rundll32.exe.380000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 12.0.rundll32.exe.680000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 13.0.rundll32.exe.970000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 14.0.rundll32.exe.32d0000.3.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 13.2.rundll32.exe.4444756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 12.0.rundll32.exe.4224756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 3.2.rundll32.exe.4224756.1.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: 11.0.rundll32.exe.29d0000.3.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: 3.2.rundll32.exe.380000.0.unpackAvira: Label: TR/ATRAPS.Gen2
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.1052812980.00000000047B3000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.1057733367.00000000008A6000.00000004.00000001.sdmp
                      Source: Binary string: 3KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000017.00000002.1063164684.0000000000332000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.772077712.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.1006998400.000000004B280000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.772077712.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.1006998400.000000004B280000.00000004.00000001.sdmp

                      Networking:

                      barindex
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorIPs: 149.202.179.100:443
                      Source: Malware configuration extractorIPs: 66.147.235.11:6891
                      Source: Malware configuration extractorIPs: 81.0.236.89:13786
                      Source: Joe Sandbox ViewASN Name: HOSTROCKETUS HOSTROCKETUS
                      Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                      Source: Joe Sandbox ViewIP Address: 66.147.235.11 66.147.235.11
                      Source: Joe Sandbox ViewIP Address: 149.202.179.100 149.202.179.100
                      Source: Joe Sandbox ViewIP Address: 81.0.236.89 81.0.236.89
                      Source: WerFault.exe, 00000017.00000002.1067703686.000000000472A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
                      Source: loaddll32.exe, 00000001.00000002.1068088179.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.796982717.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.1067454754.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.1068294516.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.1025068017.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.1019370646.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.1035708534.000000006E46F000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.1030621393.000000006E46F000.00000002.00020000.sdmpString found in binary or memory: http://www.vomfass.deDVarFileInfo$
                      Source: loaddll32.exe, 00000001.00000002.1064938923.00000000017BB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      barindex
                      Yara detected Dridex unpacked fileShow sources
                      Source: Yara matchFile source: 12.0.rundll32.exe.6e450000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.0.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.0.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.0.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.0.rundll32.exe.6e450000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.0.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.0.rundll32.exe.6e450000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.rundll32.exe.6e450000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.6e450000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.0.rundll32.exe.6e450000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000E.00000000.1030167993.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.1066648413.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.1067915217.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000000.1024777204.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.1024816272.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.796812313.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.790073865.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000000.1033354874.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1067406147.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.1036672572.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000000.1035590631.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.1019031495.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000000.1019345753.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.1068220487.000000006E451000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.1068071646.000000006E451000.00000020.00020000.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Found detection on Joe Sandbox Cloud Basic with higher scoreShow sources
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllJoe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: DridexPerma Link
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllBinary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 804
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E4693481_2_6E469348
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E4607541_2_6E460754
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E4614601_2_6E461460
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E45846C1_2_6E45846C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E4514941_2_6E451494
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E461D581_2_6E461D58
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E45A52C1_2_6E45A52C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E4590CC1_2_6E4590CC
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllVirustotal: Detection: 22%
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllReversingLabs: Detection: 29%
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll,FFRgpmdlwwWde
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll,FFRgpmdlwwWde
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 804
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',CheckTrust
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DllCanUnloadNow
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DllGetClassObject
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DownloadFile
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',GetICifFileFromFile
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 664
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll,FFRgpmdlwwWdeJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',CheckTrustJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DllCanUnloadNowJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DllGetClassObjectJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',DownloadFileJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',GetICifFileFromFileJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 664Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 664Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 664Jump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5044
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5264
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1928
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6716
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E91.tmpJump to behavior
                      Source: classification engineClassification label: mal84.troj.evad.winDLL@31/16@0/3
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic file information: File size 1093632 > 1048576
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.1052812980.00000000047B3000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.1057733367.00000000008A6000.00000004.00000001.sdmp
                      Source: Binary string: 3KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000017.00000002.1063164684.0000000000332000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.772077712.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.1006998400.000000004B280000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.772077712.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.1006998400.000000004B280000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E45F6CC push esi; mov dword ptr [esp], 00000000h1_2_6E45F6CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0064F208 push 780064C6h; retf 4_2_0064F20D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0064D2FC pushad ; retn 006Fh4_2_0064D305
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00658F68 pushad ; ret 4_2_00658F69
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0064DBB6 push edx; retf 0076h4_2_0064DBF6
                      Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Tries to delay execution (extensive OutputDebugStringW loop)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: OutputDebugStringW count: 482
                      Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 429Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
                      Source: WER45F.tmp.WERInternalMetadata.xml.24.drBinary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer>
                      Source: Amcache.hve.9.drBinary or memory string: VMware
                      Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.9.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.9.drBinary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                      Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
                      Source: WER45F.tmp.WERInternalMetadata.xml.24.drBinary or memory string: <SystemProductName>VMware7,1</SystemProductName>
                      Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.9.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 00000017.00000002.1067853566.00000000047AD000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E456D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,1_2_6E456D50
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 664Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll',#1