Windows Analysis Report SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Analysis ID:	510694
MD5:	345eadc8b1f5d0b373b531902c06572e
SHA1:	a0a170c3bf53be55a625c7793bfe23edd4038f05
SHA256:	31bcae869dbae8bfd20fc177bf4158e75fc7fdf00c694ae13f23dff6229f8e8e
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Found detection on Joe Sandbox Cloud Basic with higher score

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Signatures

AV Detection:

Found malware configuration

Source: 12.0.rundll32.exe.6e9e0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%			Perma Link
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Machine Learning detection for sample

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 12.0.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.3a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.3370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.3220000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.9c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.3370000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.6b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.30d4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.rundll32.exe.4c64756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.4f34756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.690000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.690000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.3a0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.30d4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.920000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.dd4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.9c4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.2554756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.4c64756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.rundll32.exe.30d4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.rundll32.exe.8e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.8e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.rundll32.exe.b90000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.b90000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.b54756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.b90000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.3a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.0.rundll32.exe.4f34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.4f34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.8e4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.3370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.3d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.4c64756.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

Source: loaddll32.exe, 00000000.00000000.686735544.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412402180.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.693068558.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.634648052.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.621361116.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.687762853.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.683488441.000000006E9FF000.00000002.00020000.sdmp

String found in binary or memory: http://www.vomfass.deDVarFileInfo$

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000000.684965653.000000000098B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 10.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.666915392.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.692811464.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.630165009.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.412312975.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.686620423.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.642318739.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.620992103.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.610084790.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.659636393.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.654050879.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.687730478.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.682477446.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.653718345.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.653774914.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.683460659.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex

Perma Link

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F0754	4_2_6E9F0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F9348	4_2_6E9F9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9E1494	4_2_6E9E1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9E846C	4_2_6E9E846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F1460	4_2_6E9F1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9EA52C	4_2_6E9EA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F1D58	4_2_6E9F1D58

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F223C NtDelayExecution,	4_2_6E9F223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F2840 NtAllocateVirtualMemory,	4_2_6E9F2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9EBB88 NtClose,	4_2_6E9EBB88

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3192
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6256
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6488

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2988.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winDLL@33/17@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9EF6CC push esi; mov dword ptr [esp], 00000000h

4_2_6E9EF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 453

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9F0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

4_2_6E9F0754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9E6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E9E6D50

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9F3110 RtlAddVectoredExceptionHandler,

4_2_6E9F3110

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E9E6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_6E9E6D50

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
66.147.235.11	unknown	United States	23535	HOSTROCKETUS	true
149.202.179.100	unknown	France	16276	OVHFR	true
81.0.236.89	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true

Private

IP
192.168.2.1

AV Detection:

Found malware configuration

Source: 12.0.rundll32.exe.6e9e0000.2.unpack

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%			Perma Link
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Machine Learning detection for sample

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 12.0.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.3a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.3370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.3220000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.9c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.3370000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.6b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.30d4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.rundll32.exe.4c64756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.4f34756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.690000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.690000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.3a0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.30d4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.920000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.dd4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.9c4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.2554756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.4c64756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.rundll32.exe.30d4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.rundll32.exe.8e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.8e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.rundll32.exe.b90000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.b90000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.b54756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.b90000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.3a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.0.rundll32.exe.4f34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.4f34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.8e4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.3370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.3d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.4c64756.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

String found in binary or memory: http://www.vomfass.deDVarFileInfo$

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000000.684965653.000000000098B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 10.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.666915392.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.692811464.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.630165009.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.412312975.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.686620423.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.642318739.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.620992103.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.610084790.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.659636393.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.654050879.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.687730478.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.682477446.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.653718345.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.653774914.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.683460659.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex

Perma Link

Uses 32bit PE files

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F0754	4_2_6E9F0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F9348	4_2_6E9F9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9E1494	4_2_6E9E1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9E846C	4_2_6E9E846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F1460	4_2_6E9F1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9EA52C	4_2_6E9EA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F1D58	4_2_6E9F1D58

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F223C NtDelayExecution,	4_2_6E9F223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F2840 NtAllocateVirtualMemory,	4_2_6E9F2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9EBB88 NtClose,	4_2_6E9EBB88

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3192
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6256
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6488

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2988.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winDLL@33/17@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9EF6CC push esi; mov dword ptr [esp], 00000000h

4_2_6E9EF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 453

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9F0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

4_2_6E9F0754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_6E9E6D50

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9F3110 RtlAddVectoredExceptionHandler,

4_2_6E9F3110

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_6E9E6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_6E9E6D50

ID:	510694
Product:	CloudBasic
Start time:	05:14:26
Start date:	28.10.2021
Sample:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	345eadc8b1f5d0b373b531902c06572e
SHA1:	a0a170c3bf53be55a625c7793bfe23edd4038f05
SHA256:	31bcae869dbae8bfd20fc177bf4158e75fc7fdf00c694ae13f23dff6229f8e8e
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2d53275b1be4ca5e6593e323a54ecdeda8efe761_82810a17_15a172f5\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	578308542CFF74025D18BA29948DD74B	A84361FD63C6FD29AB2DAE72F7DBD20C8624DF14	D9D391B23E0675EB99EFFD0963522FC3704D1FC2DBAE1D74DD2F510AEFDB6637
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4eea1987c3498f452f209a432782d7d6bd992397_82810a17_1259968a\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	0CECBA5DE8275CBFC21886A6EA1712B2	3F021FD464047D4674988A545F270B7DF2EABA39	CED54CC38A6B5392AC7108A930B63CC0D077FD529AA284AD9BD95C520E0DB829
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86cc7caaf91494aa6af1cec8da5ba37782e9_82810a17_1811a30d\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	92FF5D41081D17BEBC3CFD94F9416872	09CEF1AAB65B50DDD539F6D9C3E8EC28F1495458	435D2B7674BB1372AB5FD3621728D4A8AA926F9C827B25B610BFFDAA6939D238
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e9d070cbac24d3d3fafff9232a9e7f59cde72c2_82810a17_0d31a2af\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	C853E9F6E9151D536844FA09C6F06ED7	B9FF0441C6BD6695BB35B9E0CE1E43DB314E0D62	530E6EBC0BE0BD69F58C04D0705BAD872C0E6CB6935A20173A9AE5E33D6A2BAB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2988.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:17:57 2021, 0x1205a4 type	0C6446CD7314BCE39CAFF7E07F705974	42B562C283A3DCBCCDD51D4189E8E943E96E7BF1	7651F87690CA9C55340A89C07D523A7C4D1BE8ECF29D59D79241DC6B98B3B3AF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A52.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	7B3D672F40F4C181D8E4B900C5FA5EB9	1947A8561DE745A0D9715971C39598E5D4A4331A	DA9A98555A99704089482C6BE68BFBC9420103235E63802ADFC608F9CB21378C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F06.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	BA65FDD0C2C517B931D1E47ECAFBFAE8	947CDC89286B8C5C86D3BD974E0E20CCDA818944	7484C0BA66E226962F8F351B547980000396151BD5E0DA8AE4CF2E07690CE35D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5897.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:18:11 2021, 0x1205a4 type	CA0A2D2967E6849F08BED8BC52938CEA	83E08A274FCF2F940A966BF01DEE2B41A0824F20	84FB5C381DD37BC2BBD6DC4031EBC7F10A8CAEF98A5027757BE85D14E167932E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AF8.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:18:12 2021, 0x1205a4 type	284EF73EC946D91A1D66B5A66E7E2597	6DBBB2155A4E195D1CACEC127F951DF8653BF6E0	37C437EB8E448CE989F938C604B50CA6BA1DB628D5F74135A9BF410A273AA82E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6170.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:18:14 2021, 0x1205a4 type	42B6B2C1003C52A64C49BBC9899A0389	07EE4EEDC32042C1A2B65A213BFF0C775F87DBF4	872CBDA9AA966397C8EF26A62E9FE50E90D7DBEAA3F2049F4C7783F857B45E48
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DB6.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	09585E8AC18CA1B0033EB262AE925DB4	0D9CAE7B9D173E5A43F988595B30E74C2F269522	28A7B5BA3336E9D5132C0F7EF1244964706E503A20BD5D0A1C954542DE910360
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7131.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	DA7904AF1ABA14728E1D939F23AF1AF9	50CCE2696E5CA67733E022D9D55BEE72F474BD1C	1F13D44F837F94CE8B71AC1C059EC4EC944B5B6D64C7A8CCB60DA8F13E4559AF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER768F.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	DC7F527257F91360B545730F06FAABCD	70A3604AAC6ABF2C968C7D6579D303B4C7C92599	F396415ED5717A6005EC6853B6D48554EF93C3102BDBF76D3F1B71C21691A43F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D28.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	907F392A9030B8289FE729AAE7A3CE6B	BB8D390E1D325114C2FEB4578A0615168FF90EAB	A4D890A2AFC57D53CC57E8E0E89014B1FC8A37A3E3B1F4065BA92A05EC842205
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D94.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	012C49EB65729BE5D6DABA5A8179BFDC	371270CCC6F15E68668A31D1DB2A6A8F8414B8A5	9888583FB03961D1B1306D844728D035899C7B0AEF6CE125E4CAD727E8EDD8C8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER81DB.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	43FEBBFD677E2C67D87CDD3A92A3E8FA	42CC666DBF0EB7A36CD884D5999491D6C3C449D8	D00A459F2A8228DB9D57CA7EFEFBE9740224EA7A94D577176557BDEB6BE8417F
C:\Users\user\AppData\Local\Temp\WERDE3.tmp.WERDataCollectionStatus.txt	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	39F254F5A4E96785B1604BB50699C1F8	D973C28A1868F1930451DCC95BC7469098BDAAD2	8F10F8E17D8EB791E53D5812533CB1BFE6C359BF02320CF465A685ACCFE9F256

Windows Analysis Report SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private