Windows Analysis Report SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.20994

Overview

General Information

Sample Name:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.20994 (renamed file extension from 20994 to dll)
Analysis ID:	510694
MD5:	345eadc8b1f5d0b373b531902c06572e
SHA1:	a0a170c3bf53be55a625c7793bfe23edd4038f05
SHA256:	31bcae869dbae8bfd20fc177bf4158e75fc7fdf00c694ae13f23dff6229f8e8e
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Signatures

AV Detection:

Found malware configuration

Source: 18.0.rundll32.exe.6e6a0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%			Perma Link
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Machine Learning detection for sample

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 18.0.rundll32.exe.e14756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.e14756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.d00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.2ed0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.0.rundll32.exe.32c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.32c4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.rundll32.exe.924756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.aa0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.b74756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.rundll32.exe.7e0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.6d0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.4be4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.d00000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.0.rundll32.exe.2f70000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.0.rundll32.exe.2f70000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.1c0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.rundll32.exe.6d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.46f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.rundll32.exe.4be4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.rundll32.exe.a74756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.2ed0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 15.0.rundll32.exe.924756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.rundll32.exe.e14756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.rundll32.exe.a40000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.d00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.da4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.4be4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.rundll32.exe.6d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 15.0.rundll32.exe.7e0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.rundll32.exe.a74756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.rundll32.exe.7e0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.a74756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.rundll32.exe.2ed0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 15.0.rundll32.exe.924756.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

Source: Amcache.hve.26.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000002.00000000.372947346.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.788037671.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.783656475.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.590519349.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.648053917.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.656671241.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.627581244.000000006E6BF000.00000002.00020000.sdmp	String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 18.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.656454233.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.616956626.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782709199.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.620998702.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.589866381.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.613137054.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.626977254.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.629341225.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.614575496.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.662473761.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.372438457.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.647541343.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.787987512.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.624037137.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.607704722.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B0754	3_2_6E6B0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B9348	3_2_6E6B9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6A846C	3_2_6E6A846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B1460	3_2_6E6B1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6A1494	3_2_6E6A1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B1D58	3_2_6E6B1D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6AA52C	3_2_6E6AA52C

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B223C NtDelayExecution,	3_2_6E6B223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B2840 NtAllocateVirtualMemory,	3_2_6E6B2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6ABB88 NtClose,	3_2_6E6ABB88

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.20994

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6040
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5012
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess480
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5836

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA484.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@33/18@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6AF6CC push esi; mov dword ptr [esp], 00000000h

3_2_6E6AF6CD

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1130

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 784

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6B0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

3_2_6E6B0754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.26.dr	Binary or memory string: VMware
Source: Amcache.hve.26.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.26.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.26.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.26.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.26.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.26.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.26.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.26.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.26.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.26.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.26.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6A6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6E6A6D50

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6B3110 RtlAddVectoredExceptionHandler,

3_2_6E6B3110

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664	Jump to behavior

Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6E6A6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6E6A6D50

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.26.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
66.147.235.11	unknown	United States	23535	HOSTROCKETUS	true
149.202.179.100	unknown	France	16276	OVHFR	true
81.0.236.89	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true

Private

IP
192.168.2.1

AV Detection:

Found malware configuration

Source: 18.0.rundll32.exe.6e6a0000.2.unpack

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%			Perma Link
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Machine Learning detection for sample

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 18.0.rundll32.exe.e14756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.e14756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.d00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.2ed0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.0.rundll32.exe.32c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.32c4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.rundll32.exe.924756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.aa0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.b74756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.rundll32.exe.7e0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.6d0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.4be4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.d00000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.0.rundll32.exe.2f70000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.0.rundll32.exe.2f70000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.1c0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.rundll32.exe.6d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.46f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.rundll32.exe.4be4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.rundll32.exe.a74756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.2ed0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 15.0.rundll32.exe.924756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.rundll32.exe.e14756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.rundll32.exe.a40000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.d00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.da4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.4be4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.rundll32.exe.6d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 15.0.rundll32.exe.7e0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.rundll32.exe.a74756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.rundll32.exe.7e0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.a74756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.rundll32.exe.2ed0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 15.0.rundll32.exe.924756.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

Source: Amcache.hve.26.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000002.00000000.372947346.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.788037671.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.783656475.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.590519349.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.648053917.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.656671241.000000006E6BF000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.627581244.000000006E6BF000.00000002.00020000.sdmp	String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 18.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.rundll32.exe.6e6a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6e6a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.656454233.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.616956626.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782709199.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.620998702.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.589866381.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.613137054.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.626977254.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.629341225.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.614575496.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.662473761.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.372438457.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.647541343.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.787987512.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.624037137.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.607704722.000000006E6A1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B0754	3_2_6E6B0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B9348	3_2_6E6B9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6A846C	3_2_6E6A846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B1460	3_2_6E6B1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6A1494	3_2_6E6A1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B1D58	3_2_6E6B1D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6AA52C	3_2_6E6AA52C

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B223C NtDelayExecution,	3_2_6E6B223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6B2840 NtAllocateVirtualMemory,	3_2_6E6B2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E6ABB88 NtClose,	3_2_6E6ABB88

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.20994

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6040
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5012
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess480
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5836

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA484.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@33/18@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.355559379.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.584109986.000000004B280000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6AF6CC push esi; mov dword ptr [esp], 00000000h

3_2_6E6AF6CD

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1130

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 784

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6B0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

3_2_6E6B0754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.26.dr	Binary or memory string: VMware
Source: Amcache.hve.26.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.26.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.26.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.26.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.26.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.26.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.26.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.26.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.26.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.26.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.26.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6E6A6D50

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E6B3110 RtlAddVectoredExceptionHandler,

3_2_6E6B3110

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 664	Jump to behavior

Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.381298526.00000000036C0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.787706050.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.781762058.0000000003210000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000000.609820814.0000000002E80000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.591349381.0000000003700000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.623765372.0000000003010000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.613545093.0000000003360000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6E6A6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6E6A6D50

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.26.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

ID:	510694
Product:	CloudBasic
Start time:	05:03:00
Start date:	28.10.2021
Sample:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.20994
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	345eadc8b1f5d0b373b531902c06572e
SHA1:	a0a170c3bf53be55a625c7793bfe23edd4038f05
SHA256:	31bcae869dbae8bfd20fc177bf4158e75fc7fdf00c694ae13f23dff6229f8e8e
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2d53275b1be4ca5e6593e323a54ecdeda8efe761_82810a17_08414ede\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	A6DA4BED5F8CE2330F7B159E656E0E7F	398876C9365ACC4B9C85337593C1F32F8AD7FFED	5D219DB98224294451C144ECEE172E42D235C0F1AA3E441673648C8091ADE80C
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4eea1987c3498f452f209a432782d7d6bd992397_82810a17_1254e5b4\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	986D6E8C397DA1BF6B12360C9C30BC6E	9E79BF5AEAD3F5DC92195FB87A3B9242A6302612	6750A142CE274499987CEC5152D87C8F71AD368A993C33AC49E3FA4B00999C5A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86cc7caaf91494aa6af1cec8da5ba37782e9_82810a17_056916a7\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	474BB9CDDC0237DEC31BD8FB2803FC49	2C416606C4090AC0BFEFACE522C6A41DD8BE2017	984F09474825582E0141A2A0ABD6D1F3BAB79D9DB8616861B0FD528563F0605A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e9d070cbac24d3d3fafff9232a9e7f59cde72c2_82810a17_15f10225\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	890F72CB60412E41580851AD3ED63CCD	0C45ABFAC0526E1C50ED258DF4B9C7F9D1A50FF3	F5E460CA09184DFE30831F094F2CB83D68F6FE4A38CE78C083EA6607910E8C53
C:\ProgramData\Microsoft\Windows\WER\Temp\WER199.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	75246DE0CBB10BBA12644D8FCF1259C6	24239B6301385750F71D495E1430419592F0222E	888F9F2B510BD86627D151CD2EB767922C22CF59C173662D4AF9B6B70DE6B528
C:\ProgramData\Microsoft\Windows\WER\Temp\WER544.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	84CE2FB6533DB345BE13DA78FA03CFF4	65211C1EDE51F3E6E1ABE5653A0B0744AF942F56	2959C1CF07700549AFC2DEEF60F12196F998B76008F42E773697D6B3A019130D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA484.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:06:46 2021, 0x1205a4 type	9964AFF142D540AAD8A86FB513E85B10	D2798AECF25C0F2F693D59C78EF3F5466E8BC196	764E5177568A5FED87245F8C7C6E79F37B84E6BEDDBAB6CAEAA250741E926ADE
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5AB.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:06:48 2021, 0x1205a4 type	1DE7E1D7A72C91C41B9C6C7CBAC73D20	E210EE3641A966FCA74852ADDE2EE166FFD10679	3DCC9C67DFB1D09C0C6E4FF4E300AE2EE0300CB1E60BA4B591DDA2695C5F195A
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBADC.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	ABEC197496892BF26395FA2DBB63D562	5ACDA78DEBAE03F9C0DFAED4C41FA9379558B6A4	0E3CF49C64B61DB0B51CCA147705D5577C7D21BE7811B61BF7A9519EA3DE598E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF32.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	E6A1B6AAF505DF2217F5F8F77D35CEBF	CC24A048D359F0D065884759703302E894BA88F9	DF94D76B9E927036C41E05BE9F35B2D007C027BA2655033E8A515A2C11C25211
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1D0.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:06:51 2021, 0x1205a4 type	431757921466C2E76AD42CB41F792151	B1C98FC8CAC1306B24F23EE77064D8CB4A70B7A0	5A235521DC4F82D7221FD2777516DD25E29130CDC61A7326937B4DFF2C59A294
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4B0.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	6A6EF04CC121CC43AC1B82CDD0DD2A8A	FB9021BE8455E47FD6FE4C5851EB52C79556E1BC	DDD6F6F482B6A96D0FADA2E4FFD40548523FC3762E4C821EA2AF9EF6D7695EF9
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC83B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	276C7379193CACB66CE31EC3CFE744EB	C0AF75A8A3E5C76B3462BEB232F52714EDA0C9B7	3BDDD2CAF6310AB6EA7DA81D01468F6CB9E80475B1D7E875B447747489723901
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1A0.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	C849DD61B025C83CA21AC3B89FDCC796	36338DBB58EDB666937DC327C373FE6422EB80A8	5B236CAE14C478B608FA552439FC6A0B428BB1216978B846E0A45646D9A63517
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD683.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	EA1BAE40796FE3F902D35562DC7096D8	CB3C4218DEC2E8977E158A9FF55A9FD80B759E85	E48777A5A181B31692C647827C6ABAA664E25CC974D781B148C5F9A9186545D9
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5F2.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:07:04 2021, 0x1205a4 type	6356E291F00FDD4A65134D4717E19796	017FC64B6D14E3F84E17884A310844D9E4E78EEC	AD912702D31F2586510E2B569FD2B77D17A3B3AEB2B9832DA4A47BF3C791F0A3
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	DD2F0F9AA989EEDF0A78397A3DB52094	D8954E896CE62DCE45AD694F4E256D1B35F47CD3	E4B0A27BE2BA75F81CC8F699541AEFE080F97A7F34D407CC52C7C0EAEAC16A73
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	753EBE8EAC65C84CAE8A55F8402BECB6	3F21B41D43045A800F173D873BB96AE6FCF69588	6AF913BB20BDE9A24DD47A31BEB69DB0B245919852816C80744E1A89BB5AB677

Windows Analysis Report SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.20994

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private