Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131

Overview

General Information

Sample Name: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131 (renamed file extension from 12131 to dll)
Analysis ID: 510686
MD5: e53a16bea7918b1f7d4c0e659febc766
SHA1: 10d4d3d7fac35f6492cda2fb04aebf46903481f0
SHA256: 212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
Tags: dll

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6476 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6500 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6544 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6528 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7080 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7088 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1312 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7112 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7124 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000000.732486689.000000006F021000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0000000D.00000000.723436557.000000006F021000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0000000C.00000002.756877122.000000006F021000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0000000B.00000000.712349151.000000006F021000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0000000D.00000002.765113573.000000006F021000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
(11 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
10.0.rundll32.exe.6f020000.5.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
13.0.rundll32.exe.6f020000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
11.0.rundll32.exe.6f020000.5.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
10.2.rundll32.exe.6f020000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
10.0.rundll32.exe.6f020000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
(11 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 10.2.rundll32.exe.6f020000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Virustotal: Detection: 21%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | ReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Joe Sandbox ML: detected
Source: 3.2.rundll32.exe.2ba4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.2bd0000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 10.2.rundll32.exe.44c4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2bf4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.3fe4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.2a00000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.27b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.2bd0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 13.0.rundll32.exe.2580000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.2dd4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.3fe4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.rundll32.exe.2580000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.2bf4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2bf4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.44c4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.rundll32.exe.4034756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.28e0000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.5b0000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.2dd4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.5b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 13.0.rundll32.exe.4034756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.2dd4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.2580000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.e04756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.28e0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 10.2.rundll32.exe.2a00000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.28e0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.4034756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.44c4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.e04756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.2580000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.2a00000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.2894756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.2bd0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.2790000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.2580000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 149.202.179.100:443
Source: Malware configuration extractor | IPs: 66.147.235.11:6891
Source: Malware configuration extractor | IPs: 81.0.236.89:13786
Source: Joe Sandbox View | ASN Name: HOSTROCKETUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 66.147.235.11
Source: Joe Sandbox View | IP Address: 149.202.179.100
Source: Joe Sandbox View | IP Address: 81.0.236.89
Source: Amcache.hve.21.dr | String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000000.523818743.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.475656275.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.874891443.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.758338318.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.723066869.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.712126341.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.765202970.000000006F03F000.00000002.00020000.sdmp | String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 10.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.732486689.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.723436557.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.756877122.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.712349151.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.765113573.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.874852641.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.475579943.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.722717692.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.697948285.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.716630933.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.523799622.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.758018244.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.759412743.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.715578502.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.709098090.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F030754
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F039348
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F02A52C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F031D58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F031460
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F02846C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F021494
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F03223C NtDelayExecution,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F032840 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F02BB88 NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Virustotal: Detection: 21%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131 | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3916.tmp
Source: classification engine | Classification label: mal76.troj.evad.winDLL@33/18@0/4
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (8 identical entries)
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static file information: File size 1093632 > 1048576
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F02F6CC push esi; mov dword ptr [esp], 00000000h
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: OutputDebugStringW count: 1224
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 805
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 419
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (4 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F030754 GetTokenInformation,GetSystemInfo,GetTokenInformation,
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: Amcache.hve.21.dr | Binary or memory string: VMware
Source: Amcache.hve.21.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.21.dr | Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.21.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.21.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.21.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.21.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.21.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.21.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.21.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.21.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.21.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F026D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F033110 RtlAddVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Source: loaddll32.exe, 00000000.00000000.518575050.00000000012C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.468304481.0000000002B00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.872679055.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.872585364.0000000002D50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.686591592.0000000002FE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.720244416.0000000002FF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.697340415.00000000031E0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.718748745.0000000002B50000.00000002.00020000.sdmp | Binary or memory strings (each found in every one of these dumps): Shell_TrayWnd; Progman; &Program Manager; Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F026D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: Amcache.hve.21.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
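The evasion evidence above is the sandbox's raw signature output, and the extraction has run the Source column straight into the detail column. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it splits such rows back into source, category and detail, then applies the threshold logic a triage script would use on them. The category list, the thresholds and the marker lists are this example's assumptions; the sample rows are copied from this report. One caveat the split makes easy to see: the VMware and Hyper-V strings come from Amcache.hve.21.dr, a registry hive most likely collected by one of the WerFault.exe instances, so they describe the analysis VM's hardware rather than anything the sample wrote; they matter because they are exactly what a VM-aware sample can read.

```python
"""Triage helper for flattened sandbox evidence rows.

Added example, not code from the Joe Sandbox report. Rows in the report were
extracted with the 'Source:' column fused onto the detail column, e.g.

    Source: C:\\Windows\\SysWOW64\\rundll32.exeSection loaded: OutputDebugStringW count: 1224

This splits each row into (source, kind, detail) using the evidence categories
that occur in this report, then applies simple heuristics for the delay and
evasion behaviour the report flags. Thresholds are assumptions of this example.
"""
import re

# Evidence categories seen in the report; they are the only reliable split
# points because the source path runs straight into them (assumed list).
KINDS = (
    "Process information set", "Section loaded", "Window / User API",
    "Last function", "Code function", "Thread delayed",
    "Binary or memory string", "Process created", "Key value queried",
)
_ROW = re.compile(
    r"^Source:\s*(?P<source>.*?)(?P<kind>" + "|".join(map(re.escape, KINDS)) +
    r"):\s*(?P<detail>.*)$"
)

# Constructed input: a subset of the report's own evidence rows, verbatim,
# plus one non-evidence line ('barindex') that must be skipped.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: OutputDebugStringW count: 1224
Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 805
Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 419
Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000
Source: Amcache.hve.21.drBinary or memory string: VMware7,1
Source: Amcache.hve.21.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
barindex
"""

# Marker lists are assumptions; the strings they match here are from Amcache.hve,
# i.e. they describe the analysis VM, not data the sample produced.
VM_MARKERS = ("vmware", "hyper-v", "virtual disk", "necvmwar")
AV_MARKERS = ("msmpeng", "windows defender")


def parse_line(line):
    """Return {'source', 'kind', 'detail'} for one evidence row, or None."""
    m = _ROW.match(line.strip())
    return m.groupdict() if m else None


def parse_report(text):
    """Parse every row in a block of report text, skipping non-evidence lines."""
    rows = (parse_line(line) for line in text.splitlines())
    return [r for r in rows if r]


def delay_indicators(records, min_debugstring=500, min_thread_delayed=100,
                     min_sleep_ms=60_000):
    """Flag execution-delay evidence above the (assumed) thresholds.

    Returns (source, indicator, value) tuples so callers can rank sources.
    """
    patterns = {
        "Section loaded": (r"OutputDebugStringW count: (\d+)",
                           "OutputDebugStringW loop", min_debugstring),
        "Window / User API": (r"threadDelayed (\d+)", "threadDelayed",
                              min_thread_delayed),
        "Thread delayed": (r"delay time: (\d+)", "long sleep (ms)", min_sleep_ms),
    }
    hits = []
    for r in records:
        spec = patterns.get(r["kind"])
        if spec is None:
            continue
        m = re.search(spec[0], r["detail"])
        if m and int(m.group(1)) >= spec[2]:
            hits.append((r["source"], spec[1], int(m.group(1))))
    return hits


def crashed_pids(records):
    """PIDs handed to WerFault.exe via -p, i.e. the processes that crashed.

    Deduplicated, because the report lists the same WerFault launch twice.
    """
    pids = set()
    for r in records:
        if r["kind"] == "Process created" and "WerFault.exe" in r["detail"]:
            m = re.search(r"-p (\d+)", r["detail"])
            if m:
                pids.add(int(m.group(1)))
    return sorted(pids)


def string_hits(records, markers):
    """Binary/memory strings matching any marker (case-insensitive), deduplicated."""
    return sorted({r["detail"] for r in records
                   if r["kind"] == "Binary or memory string"
                   and any(mk in r["detail"].lower() for mk in markers)})


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    print(f"{len(recs)} evidence rows parsed")
    for src, what, val in delay_indicators(recs):
        print(f"delay: {what} = {val} ({src})")
    print("crashed PIDs:", crashed_pids(recs))
    print("VM artefacts: ", string_hits(recs, VM_MARKERS))
    print("AV strings:   ", string_hits(recs, AV_MARKERS))
```

Run as a script it prints the four delay hits (the 1224-call OutputDebugStringW loop, the two threadDelayed counters and the 120000 ms sleep in loaddll32.exe), the four distinct rundll32.exe PIDs that WerFault.exe was started for, and the VM and Defender strings. Parsing the rows rather than grepping them lets the same code distinguish a `Process created` row about WerFault.exe from a `Process information set` row emitted by WerFault.exe itself, which is the difference between the sample's behaviour and the crash handler's.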

Mitre Att&ck Matrix

Techniques carrying a count badge in the report's ATT&CK matrix, grouped by tactic (the number after each technique is the badge value as shown; cells without a badge are the standard ATT&CK template and are not listed):

• Privilege Escalation: Process Injection 12
• Defense Evasion: Process Injection 12; Virtualization/Sandbox Evasion 11; Disable or Modify Tools 1; Obfuscated Files or Information 1; Rundll32 1; Software Packing 1
• Discovery: Security Software Discovery 21; System Information Discovery 13; Virtualization/Sandbox Evasion 11; Query Registry 1; Process Discovery 1; Application Window Discovery 1; Account Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1
• Collection: Archive Collected Data 1
• Command and Control: Encrypted Channel 1; Application Layer Protocol 1

No technique is flagged under Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.

                      Behavior Graph

Behavior Graph ID: 510686
Sample: SecuriteInfo.com.Drixed-FJX... (label truncated in the graph)
Start date: 28/10/2021
Architecture: WINDOWS
Score: 76

Network nodes:
• 149.202.179.100, OVHFR, France
• 66.147.235.11, HOSTROCKETUS, United States
• 81.0.236.89, CASABLANCA-ASInternetCollocationProviderCZ, Czech Republic
• 192.168.2.1, unknown, unknown (contacted by one WerFault.exe instance)

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 2 other signatures

Process graph:
• loaddll32.exe started
• loaddll32.exe started three rundll32.exe instances and 4 other processes
• the first rundll32.exe instance triggered: Tries to delay execution (extensive OutputDebugStringW loop)
• the other rundll32.exe instances and the "4 other processes" node started six WerFault.exe instances, one further rundll32.exe and 2 other processes
• one WerFault.exe instance contacted 192.168.2.1

The per-node counters for created files and registry values that the graph draws next to the WerFault.exe nodes are not reproduced here, since the extraction dropped the icons that tell them apart.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | 21% | Virustotal |
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | 32% | ReversingLabs | Win32.Trojan.Drixed
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.2ba4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.0.rundll32.exe.2bd0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen2
10.2.rundll32.exe.44c4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.0.rundll32.exe.2bf4756.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.2.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
2.0.rundll32.exe.3fe4756.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.rundll32.exe.2a00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
11.0.rundll32.exe.6f020000.5.unpack | 100% | Avira | HEUR/AGEN.1144420
3.2.rundll32.exe.27b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
10.0.rundll32.exe.6f020000.5.unpack | 100% | Avira | HEUR/AGEN.1144420
12.2.rundll32.exe.2bd0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
13.0.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
13.0.rundll32.exe.2580000.3.unpack | 100% | Avira | TR/ATRAPS.Gen2
12.0.rundll32.exe.2dd4756.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
2.0.rundll32.exe.3fe4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
13.0.rundll32.exe.2580000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
13.2.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
11.2.rundll32.exe.2bf4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.2.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
11.0.rundll32.exe.2bf4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.rundll32.exe.44c4756.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.0.rundll32.exe.4034756.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.0.rundll32.exe.6f020000.5.unpack | 100% | Avira | HEUR/AGEN.1144420
11.0.rundll32.exe.28e0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen2
3.2.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
0.0.loaddll32.exe.5b0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen2
12.2.rundll32.exe.2dd4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.0.rundll32.exe.6f020000.5.unpack | 100% | Avira | HEUR/AGEN.1144420
0.0.loaddll32.exe.5b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
13.0.rundll32.exe.4034756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.0.rundll32.exe.2dd4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.rundll32.exe.2580000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
0.0.loaddll32.exe.e04756.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.0.rundll32.exe.28e0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
0.0.loaddll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
11.0.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
10.2.rundll32.exe.2a00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
11.2.rundll32.exe.28e0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
13.2.rundll32.exe.4034756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.rundll32.exe.44c4756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.loaddll32.exe.e04756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.rundll32.exe.2580000.3.unpack | 100% | Avira | TR/ATRAPS.Gen2
10.0.rundll32.exe.2a00000.3.unpack | 100% | Avira | TR/ATRAPS.Gen2
9.2.rundll32.exe.2894756.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.0.rundll32.exe.2bd0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
12.0.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
9.2.rundll32.exe.2790000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
11.2.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
13.2.rundll32.exe.2580000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
9.2.rundll32.exe.6f020000.2.unpack | 100% | Avira | HEUR/AGEN.1144420

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://www.vomfass.deDVarFileInfo$ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.21.dr | false | (none) | high
http://www.vomfass.deDVarFileInfo$ | loaddll32.exe, 00000000.00000000.523818743.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.475656275.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.874891443.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.758338318.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.723066869.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.712126341.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.765202970.000000006F03F000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.147.235.11 | unknown | United States | 23535 | HOSTROCKETUS | true
149.202.179.100 | unknown | France | 16276 | OVHFR | true
81.0.236.89 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:510686
                        Start date:28.10.2021
                        Start time:04:49:29
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 9m 37s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131 (renamed file extension from 12131 to dll)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:32
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal76.troj.evad.winDLL@33/18@0/4
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 57.2% (good quality ratio 52.1%)
                        • Quality average: 77%
                        • Quality standard deviation: 31.7%
                        HCA Information:
                        • Successful, ratio: 67%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.6.115, 23.211.4.86, 20.189.173.22, 13.89.179.12, 104.208.16.94, 20.42.73.29
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.

                        Simulations

                        Behavior and APIs

                        Time      Type             Description
                        04:51:44  API Interceptor  1x Sleep call for process: loaddll32.exe modified
                        04:53:32  API Interceptor  4x Sleep call for process: WerFault.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match            Associated Sample Name / URL                        Detection
                        66.147.235.11    SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll   malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll      malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious
                                         Early_Access.-3878_20211027.xlsb                    malicious
                                         ckrgvIQvmUux.dll                                    malicious
                                         ckrgvIQvmUux.dll                                    malicious
                                         Casting Invite.-859403670_20211027.xlsb             malicious
                        149.202.179.100  SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll   malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll      malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious
                                         Early_Access.-3878_20211027.xlsb                    malicious
                                         ckrgvIQvmUux.dll                                    malicious
                                         ckrgvIQvmUux.dll                                    malicious
                                         Casting Invite.-859403670_20211027.xlsb             malicious
                        81.0.236.89      SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll   malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll      malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious
                                         SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious
                                         Early_Access.-3878_20211027.xlsb                    malicious
                                         ckrgvIQvmUux.dll                                    malicious
                                         ckrgvIQvmUux.dll                                    malicious
                                         Casting Invite.-859403670_20211027.xlsb             malicious

                                                                        Domains

                                                                        No context

                                                                        ASN

                        Match         Associated Sample Name / URL                        Detection  Context (IP)
                        HOSTROCKETUS  SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll   malicious  66.147.235.11
                                      SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll      malicious  66.147.235.11
                                      SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious  66.147.235.11
                                      SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious  66.147.235.11
                                      Early_Access.-3878_20211027.xlsb                    malicious  66.147.235.11
                                      ckrgvIQvmUux.dll                                    malicious  66.147.235.11
                                      ckrgvIQvmUux.dll                                    malicious  66.147.235.11
                                      Casting Invite.-859403670_20211027.xlsb             malicious  66.147.235.11
                                      s1uOMLvpO4.exe                                      malicious  216.120.236.127
                                      WGs54P9e8a                                          malicious  216.120.241.108
                                      ba2Eq178BGXyW5T.exe                                 malicious  216.120.237.68
                                      4TXvMuUjTxE2kqz.exe                                 malicious  66.147.239.119
                                      Requirements-oct_2020.exe                           malicious  66.147.239.119
                                      JESEE FRIED FIRDAY.exe                              malicious  66.147.239.119
                                      Scan_0884218630071 Bank Swift.exe                   malicious  66.147.239.119
                                      BANK ACCOUNT DETAILS ATTACHED.pdf.exe               malicious  66.147.239.119
                                      XYmX3bLQJ9.xls                                      malicious  66.147.238.141
                                      payment730.xls                                      malicious  66.147.238.141
                                      Inf328.xls                                          malicious  66.147.238.141
                        OVHFR         SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll   malicious  149.202.179.100
                                      SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll      malicious  149.202.179.100
                                      SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious  149.202.179.100
                                      SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll      malicious  149.202.179.100
                                      protocol-1096018033.xls                             malicious  192.99.46.215
                                      protocol-1096018033.xls                             malicious  192.99.46.215
                                      arm7                                                malicious  8.33.207.78
                                      #U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs         malicious  144.217.33.249
                                      Byov62cXa1.exe                                      malicious  94.23.24.82
                                      Early_Access.-3878_20211027.xlsb                    malicious  149.202.179.100
                                      ckrgvIQvmUux.dll                                    malicious  149.202.179.100
                                      ckrgvIQvmUux.dll                                    malicious  149.202.179.100
                                      Casting Invite.-859403670_20211027.xlsb             malicious  149.202.179.100
                                      lyVSOhLA7o.dll                                      malicious  51.210.102.137
                                      protocol-1441399238.xls                             malicious  192.99.46.215
                                      protocol-1441399238.xls                             malicious  192.99.46.215
                                      protocol-1086855687.xls                             malicious  192.99.46.215
                                      protocol-1086855687.xls                             malicious  192.99.46.215
                                      New order payment.exe                               malicious  51.210.240.92
                                      v2c.exe                                             malicious  5.39.3.130

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2b57d984458e21441755dcb7fd69ad7959479eb3_82810a17_06ac9ba8\Report.wer
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.9174528397587974
                                                                        Encrypted:false
                                                                        SSDEEP:192:7Ri70oXmHBUZMX4jed+d/u7suS274ItWc:9ilXeBUZMX4jeo/u7suX4ItWc
                                                                        MD5:CF7CD7EB4BAA98CDB4DFA099BE62AF48
                                                                        SHA1:C1CBF75E010B107E05B919F52BA64B3989A0E3DF
                                                                        SHA-256:09C4023481DA95298694FEC463CF2FBDD12C106962E0A5D35DB3EEAE0D9ED4A4
                                                                        SHA-512:29381A14C5A6993E8737B6A2126F8E19584167068F167288BF636127C9F8696B8309FCC21E753D508D77118D354CB698ADB72C82766B6A14CFA1805035686277
                                                                        Malicious:false
                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.6.0.1.4.1.6.1.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.5.2.5.9.8.0.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.a.6.4.0.3.2.-.6.f.b.b.-.4.f.8.8.-.a.0.6.c.-.d.5.1.c.6.6.8.f.9.7.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.4.a.f.5.0.3.-.1.f.0.7.-.4.8.2.1.-.a.9.1.0.-.7.b.d.3.f.f.4.0.6.9.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.8.-.0.0.0.1.-.0.0.1.7.-.9.8.a.2.-.6.f.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5f8c232292098bd3183b3bd76fd57ba47bd4c4b_82810a17_056488dc\Report.wer
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.9171776919766541
                                                                        Encrypted:false
                                                                        SSDEEP:192:82mit0oXmHBUZMX4jed+d/u7suS274ItWc:ZmijXeBUZMX4jeo/u7suX4ItWc
                                                                        MD5:A4E2D7D8C3B761D8F55E4B27013DB19A
                                                                        SHA1:77FFCF59E0C5CC3DB91F3BB603F9B79FD20E7776
                                                                        SHA-256:97D7E2678CD2EF7A49260D184CCCF3CA0A252D52FCCB9CD5BF8F47A86F8B9790
                                                                        SHA-512:34A5DA7B1D8B738F85123F613921A8703A4C336DA1056309B5D8A5B6E33EC6393D2511B6A767EBE92038B0B43C76C6DC6192116EEE5602CD61C8A51C451B8944
                                                                        Malicious:false
                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.5.9.4.6.4.9.1.1.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.1.1.9.5.8.7.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.4.b.3.a.7.9.-.3.f.5.b.-.4.9.8.4.-.8.7.c.7.-.a.4.d.a.7.0.8.f.4.c.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.8.6.e.5.7.3.-.9.e.a.8.-.4.5.1.4.-.a.5.e.3.-.3.c.5.2.b.4.b.a.d.a.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.7.-.4.b.f.0.-.4.2.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_af1de8448413c76b457f536b7859b51ff1ab58_82810a17_0644a712\Report.wer
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.9169366768249558
                                                                        Encrypted:false
                                                                        SSDEEP:192:xnim0oXgHBUZMX4jed+d/u7suS274ItWcb:RiAXIBUZMX4jeo/u7suX4ItWcb
                                                                        MD5:52C5577C1D0F67DE06749DC5CD2579A7
                                                                        SHA1:562EFF5560B3EC885F54484399F2A966DC789E2B
                                                                        SHA-256:A90C59201AE0DDC5579D586AAB18CAAA937C7363D91A76DFE3BDC4459191925B
                                                                        SHA-512:26B79EAB74365840D9517F3872BBFCA2EB2828C6A95F3647B93BB1C751FBDB4BF25D0982ADD51D3E72048F8090A4D7B7D6A5DFFA01EBC5C5F3646C135FB17AEA
                                                                        Malicious:false
                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.0.4.2.3.9.5.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.9.5.3.3.2.6.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.b.7.3.a.b.b.-.f.c.d.1.-.4.c.7.4.-.8.c.1.a.-.4.5.7.9.4.e.a.9.f.7.d.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.2.c.9.9.7.1.-.8.6.5.8.-.4.c.b.2.-.8.8.4.0.-.3.e.1.b.d.b.2.d.f.b.f.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.4.-.0.0.0.1.-.0.0.1.7.-.4.c.4.e.-.a.3.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c316961cf9547f4477c913cd7ccdecd11bd19_82810a17_1384863c\Report.wer
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.9170555310689312
                                                                        Encrypted:false
                                                                        SSDEEP:192:s8pib0oXSHBUZMX4jed+d/u7suS274ItWc:vpiFXqBUZMX4jeo/u7suX4ItWc
                                                                        MD5:136E2022FE3668BE06BF4D9CA54E8C40
                                                                        SHA1:A44E90D03671726C3176577FAC94942601DF12D6
                                                                        SHA-256:46FE6DB306F2A2E67744B49483DE10010A69AC166D4978F9A532702C0A745695
                                                                        SHA-512:D9D9B9F2E16058730E642E5A5AC34B748D201EEAD105B12C2C8C530CFC7382ACDEC43DCE2A16E21C1B31121C7A1C24FFB8070BD02ABE926A24053F1DB2D336D8
                                                                        Malicious:false
                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.5.9.2.4.2.5.3.0.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.0.9.3.7.8.3.0.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.3.5.a.e.7.b.-.3.4.9.e.-.4.1.2.b.-.b.3.7.2.-.4.c.e.6.6.b.3.7.1.f.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.e.f.2.6.2.b.-.d.f.a.9.-.4.7.2.4.-.9.f.e.e.-.7.d.8.5.0.5.c.5.b.d.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.0.-.0.0.0.1.-.0.0.1.7.-.8.a.1.7.-.1.5.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER3916.tmp.dmp
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:15 2021, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):45496
                                                                        Entropy (8bit):2.143027220745551
                                                                        Encrypted:false
                                                                        SSDEEP:192:+9TTNgJvRpO5Skb5a8/gS68oGwH1k7bEmMP5e2IjWIrNxQkn6d:Cyy5LbIvSBon8zMheXjWwL8
                                                                        MD5:BEC3FEE4BDB7C15EA5A63901CB714201
                                                                        SHA1:5CD6654B5950A02ABA79D6A78466D748E3069593
                                                                        SHA-256:EB377D71C2B3470B08011992990098219B5FAE7077104F5819C3615B1FB7545D
                                                                        SHA-512:70EB91B800C7BA058536FF2CEEC2C041473A1A0222EEB6682373E67464AF18E5CA95A5D9550A4EF5F0E6CE8F804C9AF7B9D78676484B0D1822F0D87986CD3151
                                                                        Malicious:false
                                                                        Preview: MDMP....... .......+.za.........................................-..........T.......8...........T...............(...........0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER41C1.tmp.dmp
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:20 2021, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):46344
                                                                        Entropy (8bit):2.0980430418663416
                                                                        Encrypted:false
                                                                        SSDEEP:192:xAwTNgwFnm2O5Skby+/QUjrxXkHjQm168lOs67uI+XnxH:BTS5LbydqXuX967uNB
                                                                        MD5:9166A0C57EA401C40279942ECBE4962B
                                                                        SHA1:79B6D015AF7E4022EC3E4DCD399794947461D3D2
                                                                        SHA-256:0556A7F7D118E536AE09FAB5E501FE92988ACD20B968CC0CDF9B597CBB337ACD
                                                                        SHA-512:68B1F9AC3A6D0E60EFF247C9637F7F3C3461589D01A852F7940F24FECD6DBF939AAC00C8C35E884BECBB5F6B11F4EA5332707E18E7957ED5B3BCA7AF0DF985B5
                                                                        Malicious:false
                                                                        Preview: MDMP....... .......0.za.........................................-..........T.......8...........T...............x...........0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER524C.tmp.WERInternalMetadata.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8336
                                                                        Entropy (8bit):3.6976470102343444
                                                                        Encrypted:false
                                                                        SSDEEP:192:Rrl7r3GLNia26RGfk/6Ypk6UGgmfT5SOCprM89b+gsfH7AKm:RrlsNij6Yk/6Y66UGgmfT5Sf+zfHY
                                                                        MD5:41685C54F4CDB54041A01238ED37A234
                                                                        SHA1:6D69DDB1AC93E29704C61D63334E15F800AFB298
                                                                        SHA-256:39EDE2DC7B4F2602C4063FA459B5A5C2E258892F527E5A6ED96BEFB25F756CF0
                                                                        SHA-512:9134F3D499E4ED24D565878B00C449346D7F364425E852EC120AB0B6B9308E72F73B1DC793CB52EBB2AD349AE8AE65FF8F5CE8904C060CC9681990CC23757933
                                                                        Malicious:false
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.d.>.......
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER575E.tmp.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4700
                                                                        Entropy (8bit):4.504328157835534
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwSD8zsiJgtWI9SCrWSC8Bv8fm8M4JCdsPF2/H+q8/hNU4SrSWd:uITfwBCaSNaJmjDWWd
                                                                        MD5:ACB43C10C671E9BE172B578068D0E298
                                                                        SHA1:CCE46738C7513524BB0C746C0D5F12D4ACBD380C
                                                                        SHA-256:40F51E7D47C7C3B99C00453ED5CA3A3619E749BEB441299A505E7271469A22FF
                                                                        SHA-512:E2422ED8BD2B0D0E5B8266D586C46C87E51AA322D660C9F5D4D5F7AB59191F9E59167F73F86D6509CB35E1DE6EC3C6696F4AF3F2C3A2FEBED8868B241498C05B
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229583" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B55.tmp.WERInternalMetadata.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8336
                                                                        Entropy (8bit):3.696536986814097
                                                                        Encrypted:false
                                                                        SSDEEP:192:Rrl7r3GLNiDR6HfXe6Ypl6UGgmfTYSOCpr289bFasf+Xm:RrlsNiV6m6Yb6UGgmfTYSZF5ff
                                                                        MD5:9E19BA093FECC4B050823625C7FAF9B8
                                                                        SHA1:07C2AE77903973666D4452B613416C7AF1B44907
                                                                        SHA-256:0E02ECD9D6168DAE822C1EB0C45D24B86974FFD5A721A17FC1BA9D86A9CDB3AD
                                                                        SHA-512:2D5DA57A9BA34EF5431E99F2D40BBE0ADCC67045AB5C130E22EC70B3EDCA0402DB0AA435C93B2A6BF019AAE30334D3333684C927323AF9472FECF3398EDDD0B3
                                                                        Malicious:false
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.d.>.......
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C2E.tmp.dmp
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:25 2021, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):42904
                                                                        Entropy (8bit):2.2176430681154145
                                                                        Encrypted:false
                                                                        SSDEEP:192:EwJoTNgYoGjO5SkbG33eExZZUKZ036wX4wOeA2BKtsdYnu:ye55LbGOw036qCeA22u
                                                                        MD5:F1B70EC3886F544E53F61634D143AAF5
                                                                        SHA1:82B02996B6927E98B3B7FA4D8221B4A3B4281922
                                                                        SHA-256:197A27AEF881D9AA396CDD7CE67CF2393A83F93F719E52444A0E4B9996A14CD6
                                                                        SHA-512:2F940679FB60F1634DA72800B6AF1863C72D791C72F571BDF583D7FF378B499EC4B5AE67C4F28A2020083A4DB423D5E0B2FDAFA7BF4E9A39997E950D74603EEC
                                                                        Malicious:false
                                                                        Preview: MDMP....... .......5.za.........................................-..........T.......8...........T..........................0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER61FD.tmp.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4700
                                                                        Entropy (8bit):4.50513207131416
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwSD8zsjJgtWI9SCrWSC8BL8fm8M4JCdsCF3+q8/hxJ4SrSzd:uITf9BCaSNSJS+DWzd
                                                                        MD5:62DB1090DC907F046049B3D174C72850
                                                                        SHA1:B86FA95A97F742D777422258AE0DC34EE709AA84
                                                                        SHA-256:0DAD5DE5E468354CF7FC4D1B56604E607AE3F22C969CEA8D91E6284A8DFA4AEB
                                                                        SHA-512:8601725E29A34E25CF9AADDA7E5392CF6098C0B90B783D1542A58A764E760C886F55038A90A02EA4A0ACC2DB1786DA515485485E8398D825A94514C202786ED4
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229584" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER716D.tmp.WERInternalMetadata.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8338
                                                                        Entropy (8bit):3.6979926180722007
                                                                        Encrypted:false
                                                                        SSDEEP:192:Rrl7r3GLNigj96j86Ypk6UGgmfT3SOCprJ89bTYsf1xm:RrlsNiK9646Y66UGgmfT3SgTLfa
                                                                        MD5:513A869F0DF8F62CD0DCAA506841CB38
                                                                        SHA1:79DB8DD1D5B2EC5A6626721F2524C0726234D07A
                                                                        SHA-256:FFE0C86992CB2BCCE3EBFADC66D0949BF3F3A970AA1EE96CAFBF13D467863FE0
                                                                        SHA-512:7E92BC808B44034F2AC3A1B67998AEA34B758AB2D07CBE00CCAF06142A6186DCCB7F46289A499ACCBDF904339F104F4254F08A0690BD59ABA95AE0088147724D
                                                                        Malicious:false
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.2.<./.P.i.d.>.......
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER7650.tmp.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4700
                                                                        Entropy (8bit):4.506054323545336
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwSD8zsjJgtWI9SCrWSC8BP8fm8M4JCds7F2J+q8/haD4SrSh6d:uITf9BCaSN+JqnDDWh6d
                                                                        MD5:FFF9E77B6F3D1786A8A9DA10BAD0AF11
                                                                        SHA1:34A1EDD1AE0072362AE28415F12A7337149C04CA
                                                                        SHA-256:216D954D69EB38411EA005440CEF5C372F556E6511CEB2652D32858D8FC7C8A9
                                                                        SHA-512:24843BC93AAFDB91149990A3295A46ED7FFA1165A9FD3A7A30D6B08F83D7ED16751227F92974BB4AFE1A0569D2BC464AEDDECECB285C92EC7B40FDDE2D06EA8F
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229584" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F66.tmp.dmp
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:33 2021, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):46780
                                                                        Entropy (8bit):2.080780581834969
                                                                        Encrypted:false
                                                                        SSDEEP:192:cm8v3TNgd6VO5SkbQTsY6/X35vbstTk7fysRvPZ9UuyjMUbXn:sh/45Lbest35vETk7fysRvh9UuyZ
                                                                        MD5:3252341FA4E6AAA340C86BE569B9B887
                                                                        SHA1:396413E0DF4DA5C36E2C8A2F27EB9B923BEBFD5D
                                                                        SHA-256:4235090E7060960CAEEDA542366BE61213CBEA65231CA0010CA88B3DA96091EB
                                                                        SHA-512:0DC5105CB2A5B95C823C647CF1ED4928D685CE823F7E45DA787B9CB5ED58E81291A6F538EED3421E517081218F46F42C6D36CEE2C1EB4DDD2B7BD7731AADD553
                                                                        Malicious:false
                                                                        Preview: MDMP....... .......=.za.........................................-..........T.......8...........T..........................0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER9168.tmp.WERInternalMetadata.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8338
                                                                        Entropy (8bit):3.6972286046051592
                                                                        Encrypted:false
                                                                        SSDEEP:192:Rrl7r3GLNilB6q86YpH26UGgmfTDSOCprRV89b7Csfwpm:RrlsNiD6h6Y46UGgmfTDSHC7Bfj
                                                                        MD5:35FE3F27DCF32FE4EC829F835278479E
                                                                        SHA1:D89F2546047CDDC57935D5DD124C03DCA162FB7F
                                                                        SHA-256:D412817C9BB092531DD5F4FE42AAF432F9AC71F9CDB5FBEAF0F740B040404182
                                                                        SHA-512:78F1F02C2DCFF470D48C3B5A2BFB4E6511E6B5E497BCC666CB4B05319B507B7761E7F8DE89B62C8D914413F651445A807A2313AE64E0B4226BEE383619E476BA
                                                                        Malicious:false
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.4.<./.P.i.d.>.......
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER97D2.tmp.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4700
                                                                        Entropy (8bit):4.504516774345163
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwSD8zsjJgtWI9SCrWSC8Bys8fm8M4JCdsbFx+q8/h94SrSld:uITf9BCaSN8RJdYDWld
                                                                        MD5:727815519B03DAD3AF59D1F6118DB2A9
                                                                        SHA1:602837B2F4405F5ADB8C4CC82533B4BF068EB29D
                                                                        SHA-256:FB3093C323633B6C1A0CE189BE47004145EFCF055F0CFC0F9F1E2F0E9832F311
                                                                        SHA-512:9546B2871F163E4A55F0D28C3345C134937916AB5763B308DABF8FD91B843815B22E09EADCDEA3665EA6B4BF4EDADA7BF729AEAF5EA5F8FFAE8D192FE1929936
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229584" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                        C:\Windows\appcompat\Programs\Amcache.hve
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                        Category:dropped
                                                                        Size (bytes):1572864
                                                                        Entropy (8bit):4.219812702838393
                                                                        Encrypted:false
                                                                        SSDEEP:12288:tmJcDpPaXSu5Pl5b9He4JpjoNPKHQh/GRH66BmjW0I2nej3Pq47Dw6:4JcDpPaXSu9l5bf+Ym/e
                                                                        MD5:B614A3B1ECD297D659BE03B0AB7C45B3
                                                                        SHA1:889FBB8C0D61ADE8295658FB48DF3E88513F028E
                                                                        SHA-256:A9F980CEF056EC64C47CF7B8CE374F1551D1BA94A263ED1F72B604B209CC83A4
                                                                        SHA-512:140296B1DE41CAEB366D0ECFAB17C43682411FB1ED7C37C4A514A6944330E4EF9115A81EAF1E1C3E88C635064BEFB785C8836B373CAB93E539BC056647574DAF
                                                                        Malicious:false
                                                                        Preview: regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmN..`.................................................................................................................................................................................................................................................................................................................................................-.=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):3.527735715021905
                                                                        Encrypted:false
                                                                        SSDEEP:384:1/FEP54XnIrnc83XTVgGQXK0XBmnQmRNovOglb:NFEx43Ac83DVgGQa0X8nQmUvP
                                                                        MD5:298C01B000B90A25B63089430DFCCF86
                                                                        SHA1:AD0E9DD2A27ADCB4619FBED9AFA634A93FBFF4D6
                                                                        SHA-256:368BFE7355199AC75CC44744FF406D8DCD3B48BF8424E55B76B6DC4ABBC230D3
                                                                        SHA-512:263A9564D1B4E3003B090EC264A2E260B4DA58DF17190332CA2DD7CFFD476BD7DC204AB2BF7A4E946C352F3DC07CBD0A261FA7D122470CFA7394CEF3D5D7EBE6
                                                                        Malicious:false
                                                                        Preview: regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmN..`.................................................................................................................................................................................................................................................................................................................................................-.=HvLE.N......U.............!......6>G.YK.................`... ..hbin................p.\..,..........nk,.M..`.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .M..`........ ........................... .......Z.......................Root........lf......Root....nk .M..`.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.159938943426644
                                                                        TrID:
                                                                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                                                        • DOS Executable Generic (2002/1) 0.20%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
                                                                        File size:1093632
                                                                        MD5:e53a16bea7918b1f7d4c0e659febc766
                                                                        SHA1:10d4d3d7fac35f6492cda2fb04aebf46903481f0
                                                                        SHA256:212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
                                                                        SHA512:014561ee3d96f09222cb1187c8b0a785e59e2d7dd1d3bec234088c2c382da693acc5cee4b21252462939574c1c666da8f09e45161b0856b0b413f7b687567eb5
                                                                        SSDEEP:24576:ljsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMciL:+
                                                                        File Content Preview:MZ......................@........................................IZ..(4..(4..(4..z..&)4.....Z)4..Q...)4..u5..(4.....K(4..v6."(4.7....(4. ...,(4.....i(4.....Z(4..(5.f)4.Rich.(4.........................PE..L...&.ya...........!.... `...P.......K.......p.....

                                                                        File Icon

                                                                        Icon Hash:74f0e4ecccdce0e4

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x10004b90
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x10000000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0x61798526 [Wed Oct 27 16:58:14 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:5
                                                                        OS Version Minor:0
                                                                        File Version Major:5
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:5
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:ae858e1bcf44b240b65263bbd6945db2
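
Every value in the block above is read straight from the COFF file header and the PE32 optional header. The following Python is an added example (not part of this report and not the sandbox's own code) that decodes those fields from raw bytes with the standard library only. The header it parses is constructed inline to carry this sample's reported values (entrypoint 0x10004b90, image base 0x10000000, timestamp 0x61798526, characteristics and subsystem); it is a hypothetical header-only image, not the actual DLL, and the flag tables are the relevant subset of the winnt.h constants.

```python
"""Decode the "Static PE Info" fields (entrypoint, image base, timestamp,
characteristics, subsystem) from raw PE32 header bytes with the stdlib only."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h); subset that matters for triage
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h); subset
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
COFF_FMT = "<HHIIIHH"
# IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes, data directories excluded)
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6


def _flags(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data):
    """Return the static header fields a sandbox report derives for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, timestamp, _, _, _opt_size, characteristics = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT32_FMT, data, e_lfanew + 4 + struct.calcsize(COFF_FMT))
    if opt[0] != 0x10B:
        raise ValueError("not a PE32 optional header: magic %#x" % opt[0])
    entry_rva, image_base = opt[6], opt[9]
    when = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "file_characteristics": _flags(characteristics, FILE_CHARACTERISTICS),
        "entrypoint": image_base + entry_rva,   # the report shows the VA, not the RVA
        "imagebase": image_base,
        "os_version": (opt[12], opt[13]),
        "image_version": (opt[14], opt[15]),     # "File Version" in the report
        "subsystem_version": (opt[16], opt[17]),
        "subsystem": SUBSYSTEMS.get(opt[22], "unknown %d" % opt[22]),
        "dll_characteristics": _flags(opt[23], DLL_CHARACTERISTICS),
    }


def build_sample_dll_header():
    """Constructed header-only image (no sections, no code) carrying the values
    reported above. Hypothetical bytes for illustration, not the actual sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_FMT, 0x14C, 0, 0x61798526, 0, 0, 0xE0,
                       0x2102)  # IMAGE_FILE_MACHINE_I386; 32BIT_MACHINE|EXECUTABLE_IMAGE|DLL
    opt = struct.pack(OPT32_FMT,
                      0x10B, 14, 0,                 # PE32 magic, linker version
                      0, 0, 0,                      # SizeOfCode / InitializedData / UninitializedData
                      0x4B90, 0x1000, 0,            # AddressOfEntryPoint (RVA), BaseOfCode, BaseOfData
                      0x10000000, 0x1000, 0x200,    # ImageBase, SectionAlignment, FileAlignment
                      5, 0, 5, 0, 5, 0,             # OS / image / subsystem version 5.0
                      0, 0, 0, 0,                   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x0140,                    # IMAGE_SUBSYSTEM_WINDOWS_GUI; DYNAMIC_BASE|NX_COMPAT
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, dir count
    return dos + b"PE\0\0" + coff + opt + b"\0" * 128  # 16 empty data directories


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_dll_header()).items():
        print("%-22s %s" % (key, hex(value) if isinstance(value, int) else value))
```

Two things worth checking when reading the decoded fields. The entrypoint shown in the report is a virtual address (ImageBase + AddressOfEntryPoint), so the value only holds if the loader does not relocate the image; DYNAMIC_BASE is set, so at run time the DLL will normally sit elsewhere. The TimeDateStamp is written by the linker and is trivially forgeable, but here it decodes to the day before the sandbox run recorded in the WER minidumps above (Oct 28 2021), which is consistent with a freshly built loader rather than a forged stamp.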

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        mov eax, dword ptr [10106128h]
                                                                        call eax
                                                                        mov edx, eax
                                                                        ret
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push ebx
                                                                        push edi
                                                                        push esi
                                                                        and esp, FFFFFFF8h
                                                                        sub esp, 000000A8h
                                                                        mov eax, dword ptr [ebp+08h]
                                                                        mov dword ptr [esp+0000009Ch], 008A6C3Fh
                                                                        mov byte ptr [esp+00000083h], 00000072h
                                                                        mov dword ptr [esp+6Ch], 6C57D91Ch
                                                                        mov dword ptr [esp+00000094h], 00000000h
                                                                        mov dword ptr [esp+00000090h], 0093F6B2h
                                                                        mov ecx, dword ptr [ebp+08h]
                                                                        mov edx, esp
                                                                        mov dword ptr [edx], ecx
                                                                        mov dword ptr [esp+38h], eax
                                                                        call 00007F6E60CABA82h
                                                                        movzx ecx, word ptr [esp+000000A2h]
                                                                        mov si, cx
                                                                        mov word ptr [esp+000000A2h], B4E5h
                                                                        mov byte ptr [esp+37h], al
                                                                        mov dword ptr [esp+30h], ecx
                                                                        mov word ptr [esp+2Eh], si
                                                                        call 00007F6E60CABDFBh
                                                                        mov ecx, dword ptr [esp+0000008Ch]
                                                                        mov edx, ecx
                                                                        add edx, DE3924BAh
                                                                        mov dword ptr [esp+0000008Ch], edx
                                                                        mov dword ptr [esp+70h], eax
                                                                        mov eax, dword ptr [esp+30h]
                                                                        add eax, eax
                                                                        mov si, ax
                                                                        mov word ptr [esp+000000A2h], si
                                                                        mov eax, dword ptr [esp+70h]
                                                                        mov edx, dword ptr [esp+00000090h]
                                                                        mov edi, dword ptr [esp+00000094h]

                                                                        Data Directories

                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0xfad600x5f.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xfae3c0xb4.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x1080000x3e8.rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x1090000x2a38.reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x705c0x38.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x70000x44.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                        Sections

                                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                        .text0x10000x5dfe0x6000False0.379720052083data4.39803113711IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rdata0x70000xf40320xf5000False0.135154257015data7.11996019927IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data0xfc0000xbd1c0xb000False0.234153053977data5.69509557044IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .rsrc0x1080000x3e80x1000False0.119873046875data1.03136554304IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc0x1090000x2a380x3000False0.231608072917data5.67874721692IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        NameRVASizeTypeLanguageCountry
                                                                        RT_VERSION0x1080600x388data

                                                                        Imports

                                                                        DLLImport
                                                                        SHELL32.dllSHGetDesktopFolder
                                                                        IPHLPAPI.DLLGetIfTable
                                                                        ADVAPI32.dllRegOverridePredefKey
                                                                        msvcrt.dllmemset
                                                                        OLEAUT32.dllVarR4FromI2
                                                                        KERNEL32.dllCreateFileW, GetModuleFileNameW
                                                                        SETUPAPI.dllSetupDiEnumDeviceInfo
                                                                        USER32.dllShowOwnedPopups

                                                                        Exports

                                                                        NameOrdinalAddress
                                                                        FFRgpmdlwwWde10x100fadb0

                                                                        Version Infos

                                                                        DescriptionData
                                                                        LegalCopyrightCopyright 2004
                                                                        InternalNameddlb
                                                                        FileVersion5.2.00.0
                                                                        Full Version5.2.0_00-b00
                                                                        CompanyNameSun Microsystems, Inc.
                                                                        ProductNameDdlb(EA) 2 Tsyfezyt Bidibhex Ernseqa 5.0 Urdate 6
                                                                        ProductVersion5.2.00.0
                                                                        FileDescriptionJava(TM) 2 Platform Standard Edition binary
                                                                        OriginalFilenameddlb.dll
                                                                        Translation0x0000 0x04b0

                                                                        Network Behavior

                                                                        No network behavior found

                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior

System Behavior

General

Start time: 04:50:24
Start date: 28/10/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Imagebase: 0xa10000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000000.523799622.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 04:50:25
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:50:25
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.475579943.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:50:25
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:51:42
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.874852641.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:51:43
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000000.697948285.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000000.716630933.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.758018244.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:51:43
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000000.712349151.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000000.722717692.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000002.759412743.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:51:43
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000002.756877122.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.715578502.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.709098090.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:51:43
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Imagebase: 0xf0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000000.732486689.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000000.723436557.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000002.765113573.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 04:53:08
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Imagebase: 0x80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 04:53:12
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Imagebase: 0x80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 04:53:16
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Imagebase: 0x80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 04:53:21
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Imagebase: 0x80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 04:53:21
Start date: 28/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Imagebase: 0x80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:04:53:25
                                                                        Start date:28/10/2021
                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
                                                                        Imagebase:0x80000
                                                                        File size:434592 bytes
                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:04:53:28
                                                                        Start date:28/10/2021
                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
                                                                        Imagebase:0x80000
                                                                        File size:434592 bytes
                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:04:53:29
                                                                        Start date:28/10/2021
                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
                                                                        Imagebase:0x80000
                                                                        File size:434592 bytes
                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        Disassembly

                                                                        Code Analysis