Windows Analysis Report
x64.dll

Overview

General Information

Sample Name: x64.dll
Analysis ID: 608207
MD5: 66ac9a127ebb19f915987c31cf67d8d3
SHA1: b90e008f65d129cd9ade9aa24a9e046d727ff3f6
SHA256: 94c0cedd61450d24b1195538edcd623b734749553680a42b5b64bc6194c2126a
Tags: 64exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number, etc.) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: x64.dll Virustotal: Detection: 47%
Source: x64.dll Metadefender: Detection: 37%
Source: x64.dll ReversingLabs: Detection: 78%
Source: x64.dll Avira: detected
Source: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: x64.dll Joe Sandbox ML: detected
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C524E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset, 31_2_00007FF6C524E64C
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C524E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError, 31_2_00007FF6C524E934
Source: x64.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: mdmappinstaller.pdbGCTL source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source: Binary string: WerMgr.pdb source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source: Binary string: sgI.pdb source: x64.dll, NAmADA4.tmp.5.dr, KHNE9A4.tmp.5.dr
Source: Binary string: WerMgr.pdbGCTL source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source: Binary string: mdmappinstaller.pdb source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140049724 FindFirstFileExW, 1_2_0000000140049724
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 24_2_00007FF7E4391BA0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 24_2_00007FF7E438BE54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 28_2_00007FF7E4391BA0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 28_2_00007FF7E438BE54

E-Banking Fraud

Source: Yara match File source: 3.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.MDMAppInstaller.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.wermgr.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wermgr.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll64.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.wermgr.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000002.611146050.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.421971716.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.604615787.0000000140001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.435584389.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.622884365.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.595393684.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.415891174.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.508980143.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.429395051.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\system32\CCAL
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: String function: 00007FF7E4385C24 appears 44 times
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: String function: 00007FF7E43845A8 appears 54 times
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: String function: 00007FF6C5246124 appears 108 times
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: String function: 00007FF6C5245F34 appears 75 times
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C5249630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 31_2_00007FF6C5249630
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005284C NtQuerySystemInformation, 1_2_000000014005284C
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E438E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 24_2_00007FF7E438E368
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4391F54 NtQueryLicenseValue, 24_2_00007FF7E4391F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4388404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 24_2_00007FF7E4388404
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4392438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 24_2_00007FF7E4392438
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E43882EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 24_2_00007FF7E43882EC
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E438E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 28_2_00007FF7E438E368
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4391F54 NtQueryLicenseValue, 28_2_00007FF7E4391F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4388404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 28_2_00007FF7E4388404
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4392438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 28_2_00007FF7E4392438
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E43882EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 28_2_00007FF7E43882EC
Source: wermgr.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll
Source: x64.dll Static PE information: Number of sections : 17 > 10
Source: KHNE9A4.tmp.5.dr Static PE information: Number of sections : 18 > 10
Source: NAmADA4.tmp.5.dr Static PE information: Number of sections : 18 > 10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
Source: x64.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KHNE9A4.tmp.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NAmADA4.tmp.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\x64.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryActiveSession
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\tkcfGo.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\CCAL\MDMAppInstaller.exe C:\Windows\system32\CCAL\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@52/10@0/0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4388F2C CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoUninitialize, 24_2_00007FF7E4388F2C
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 24_2_00007FF7E438DE98
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 28_2_00007FF7E438DE98
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4381A70 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,Process32NextW,CloseHandle, 24_2_00007FF7E4381A70
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{41059e93-2e1b-cd9f-8d6b-afe9f069cb55}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{b9eeafb6-578e-5d2c-64c5-1ccbb1866e8a}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected
Source: x64.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: x64.dll Static file information: File size 1060864 > 1048576
Source: x64.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: mdmappinstaller.pdbGCTL source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source: Binary string: WerMgr.pdb source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source: Binary string: sgI.pdb source: x64.dll, NAmADA4.tmp.5.dr, KHNE9A4.tmp.5.dr
Source: Binary string: WerMgr.pdbGCTL source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source: Binary string: mdmappinstaller.pdb source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000022245A33055 push rbx; retf 1_2_0000022245A3305A
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001F1DA323055 push rbx; retf 3_2_000001F1DA32305A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000022341CE3055 push rbx; retf 4_2_0000022341CE305A
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027E57583055 push rbx; retf 6_2_0000027E5758305A
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000025311A23055 push rbx; retf 8_2_0000025311A2305A
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_000001B48FD73055 push rbx; retf 24_2_000001B48FD7305A
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_000001A589C43055 push rbx; retf 28_2_000001A589C4305A
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_0000019891253055 push rbx; retf 31_2_000001989125305A
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 33_2_00000149ED6C3055 push rbx; retf 33_2_00000149ED6C305A
Source: x64.dll Static PE information: section name: .crt1
Source: x64.dll Static PE information: section name: qwTG
Source: x64.dll Static PE information: section name: .lqen
Source: x64.dll Static PE information: section name: .vqb
Source: x64.dll Static PE information: section name: .gjd
Source: x64.dll Static PE information: section name: .wqhqlp
Source: x64.dll Static PE information: section name: .jriz
Source: x64.dll Static PE information: section name: .ebkl
Source: x64.dll Static PE information: section name: .aoj
Source: x64.dll Static PE information: section name: .ncm
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .crt1
Source: KHNE9A4.tmp.5.dr Static PE information: section name: qwTG
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .lqen
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .vqb
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .gjd
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .wqhqlp
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .jriz
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .ebkl
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .aoj
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .ncm
Source: KHNE9A4.tmp.5.dr Static PE information: section name: .gqytqb
Source: NAmADA4.tmp.5.dr Static PE information: section name: .crt1
Source: NAmADA4.tmp.5.dr Static PE information: section name: qwTG
Source: NAmADA4.tmp.5.dr Static PE information: section name: .lqen
Source: NAmADA4.tmp.5.dr Static PE information: section name: .vqb
Source: NAmADA4.tmp.5.dr Static PE information: section name: .gjd
Source: NAmADA4.tmp.5.dr Static PE information: section name: .wqhqlp
Source: NAmADA4.tmp.5.dr Static PE information: section name: .jriz
Source: NAmADA4.tmp.5.dr Static PE information: section name: .ebkl
Source: NAmADA4.tmp.5.dr Static PE information: section name: .aoj
Source: NAmADA4.tmp.5.dr Static PE information: section name: .ncm
Source: NAmADA4.tmp.5.dr Static PE information: section name: .ksjw
Source: wermgr.exe.17.dr Static PE information: section name: .imrsiv
Source: wermgr.exe.17.dr Static PE information: section name: .didat
Source: MDMAppInstaller.exe.26.dr Static PE information: section name: .didat
Source: initial sample Static PE information: section where entry point is pointing to: .crt1
Source: x64.dll Static PE information: real checksum: 0xb3260629 should be: 0x104747
Source: KHNE9A4.tmp.5.dr Static PE information: real checksum: 0xb3260629 should be: 0x104cd2
Source: NAmADA4.tmp.5.dr Static PE information: real checksum: 0xb3260629 should be: 0x1102ae
Source: wermgr.exe.17.dr Static PE information: 0xA7D9A170 [Fri Mar 28 06:15:12 2059 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.8179817907
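The static findings above (checksum 0xb3260629 where the header should carry 0x104747, ten linker-unfamiliar section names, an entry point inside .crt1, a .text entropy of 7.82 and a dropped wermgr.exe stamped in 2059) are each a small header check. The Python below is an added example, not part of this report and not code from the sample or from Joe Sandbox; it reproduces those checks with the standard library only. The PE image it triages is constructed in build_sample_pe() to mimic the report (entry point in a high-entropy .crt1, the bogus checksum value, the 0xA7D9A170 timestamp) and is not the analysed x64.dll; the KNOWN_SECTIONS list is a judgement call, not a Windows specification.

```python
"""Static PE triage: checksum, odd section names, entry-point section, section
entropy and link-timestamp sanity. Stdlib only; build_sample_pe() constructs a
minimal PE32+ image for the demo and is not the analysed sample."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Section names a linker normally emits (assumed list); anything else is worth a look.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".xdata", ".didat", ".gfids", ".00cfg", ".CRT"}
CHECKSUM_OFFSET_IN_OPT = 64      # IMAGE_OPTIONAL_HEADER64.CheckSum
ENTRY_OFFSET_IN_OPT = 16         # IMAGE_OPTIONAL_HEADER64.AddressOfEntryPoint

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE checksum as ImageHlp computes it: fold the file as 32-bit words with
    end-around carry, skipping the CheckSum field, fold to 16 bits, add the length."""
    buf = data + b"\0" * ((-len(data)) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def _headers(data: bytes):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, stamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    return nsec, stamp, opt, opt + opt_size

def triage(data: bytes) -> dict:
    nsec, stamp, opt, sec_table = _headers(data)
    entry_rva = struct.unpack_from("<I", data, opt + ENTRY_OFFSET_IN_OPT)[0]
    cksum_off = opt + CHECKSUM_OFFSET_IN_OPT
    stored = struct.unpack_from("<I", data, cksum_off)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize, data[rawptr:rawptr + rawsize]))
    linked = datetime.fromtimestamp(stamp, tz=timezone.utc)
    expected = pe_checksum(data, cksum_off)
    return {
        "stored_checksum": stored,
        "expected_checksum": expected,
        "checksum_ok": stored == expected,
        "odd_sections": [n for n, *_ in sections if n not in KNOWN_SECTIONS],
        "entry_section": next((n for n, va, vs, _ in sections if va <= entry_rva < va + vs), None),
        "entropy": {n: round(entropy(raw), 2) for n, _, _, raw in sections},
        "link_year": linked.year,
        "timestamp_in_future": linked > datetime.now(timezone.utc),
    }

def fix_checksum(data: bytes) -> bytes:
    """Return a copy carrying the CheckSum a linker would have written."""
    _, _, opt, _ = _headers(data)
    buf = bytearray(data)
    off = opt + CHECKSUM_OFFSET_IN_OPT
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)

def build_sample_pe() -> bytes:
    """Constructed PE32+ mimicking the report: entry point inside a high-entropy
    section named .crt1, the bogus checksum 0xB3260629 and the 2059 link
    timestamp 0xA7D9A170. Not the real sample."""
    e_lfanew, opt_size = 0x40, 240
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: AMD64, 2 sections, timestamp, no symbols, PE32+ optional header, DLL flags
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, 2, 0xA7D9A170, 0, 0, opt_size, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", hdr, opt + ENTRY_OFFSET_IN_OPT, 0x2000)  # entry point RVA -> .crt1
    struct.pack_into("<I", hdr, opt + CHECKSUM_OFFSET_IN_OPT, 0xB3260629)
    text = b"\x48\x89\x5c\x24\x08" * 100 + b"\xcc" * 12              # plain code-like bytes, low entropy
    crt1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # stands in for packed code
    for i, (name, va, raw) in enumerate([(b".text", 0x1000, text), (b".crt1", 0x2000, crt1)]):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + opt_size + 40 * i,
                         name, len(raw), va, len(raw), 0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + text + crt1
```

Running triage() over a real file is `triage(open(path, "rb").read())`. Two caveats from the report itself: the legitimate wermgr.exe and MDMAppInstaller.exe copies are flagged for .imrsiv and .didat, which Microsoft's own linker emits, so a section-name hit is a prompt to look, not a verdict; and a wrong checksum is the norm for unsigned third-party binaries, so treat it as corroboration of the other findings rather than evidence on its own.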

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\system32\CCAL\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\system32\CCAL\WTSAPI32.dll (copy)
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\R3POs\wer.dll (copy)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\CCAL\MDMAppInstaller.exe

Boot Survival

Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest
Source: C:\Windows\explorer.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Wraljbotdtpzzk

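Three of the listings above carry the behaviour a detection engineer would want to catch: the process-creation lines (rundll32 invoking an export by ordinal, explorer.exe running .cmd scripts out of %TEMP%), the dropped-file pairs under Persistence and Installation Behavior (a copy of a Windows executable staged next to a DLL that it would normally load from System32: MDMAppInstaller.exe with WTSAPI32.dll, wermgr.exe with wer.dll), and the schtasks /Create ... /RL highest under Boot Survival. The Python below is an added example, not part of this report and not Joe Sandbox or Dridex code. It builds Sysmon-style events from the report's own command lines and paths (the event dicts are constructed for the example) and runs four heuristic rules over them; the field names, rule names and the "executable plus DLL dropped into the same non-System32 directory" sideload heuristic are assumptions, not a published rule set.

```python
"""Detection over the process-creation and file-drop events this report lists.
Events are constructed here from the report's own command lines and paths in
Sysmon-style fields; they are not a sandbox export. Stdlib only."""
import re
from pathlib import PureWindowsPath

# Constructed from the report's "Process created" and "File created" lines.
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\loaddll64.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\x64.dll",#1'},
    {"parent": r"C:\Windows\System32\loaddll64.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken"},   # named export: no alert
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Jvadjthzpd"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},                              # genuine binary: no alert
]
FILE_EVENTS = [  # (creating process, created path)
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\CCAL\WTSAPI32.dll"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\CCAL\MDMAppInstaller.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Users\user\AppData\Roaming\R3POs\wer.dll"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Temp\NAmADA4.tmp"),
]
SYSTEM32 = r"c:\windows\system32"
# rundll32 <dll>,#<ordinal>: the export is called by number, so the name never appears in logs
ORDINAL_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?[^"\s]+\.dll"?\s*,\s*#\d+', re.I)

def tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def flags(toks: list) -> dict:
    """Map /Flag -> following value (or True) for schtasks-style command lines."""
    out = {}
    for i, t in enumerate(toks):
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            out[t.lower()] = nxt if nxt and not nxt.startswith("/") else True
    return out

def name_and_dir(path: str):
    p = PureWindowsPath(path)
    return p.name.lower(), str(p.parent).lower()

def detect(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS) -> list:
    hits = []
    for ev in process_events:
        cmd, parent = ev["cmdline"], name_and_dir(ev["parent"])[0]
        if ORDINAL_CALL.search(cmd):
            hits.append({"rule": "rundll32_ordinal_export", "detail": {"cmdline": cmd}})
        toks = tokens(cmd)
        if toks and toks[0].lower().endswith("schtasks.exe"):
            f = flags(toks)
            if "/create" in f and str(f.get("/rl", "")).lower() == "highest":
                hits.append({"rule": "schtasks_highest_privilege",
                             "detail": {"task": f.get("/tn"), "target": f.get("/tr")}})
        if parent == "explorer.exe" and name_and_dir(ev["image"])[0] == "cmd.exe":
            scripts = [t for t in toks if t.lower().endswith((".cmd", ".bat"))
                       and r"\appdata\local\temp" in t.lower()]
            if scripts:
                hits.append({"rule": "explorer_runs_temp_script", "detail": {"script": scripts[0]}})
    # Sideload staging: an executable and a DLL dropped into the same directory that is
    # not System32 itself (heuristic; pairs them by directory, not by import table).
    drops = {}
    for _, path in file_events:
        name, d = name_and_dir(path)
        drops.setdefault(d, set()).add(name)
    for d, names in drops.items():
        exes = sorted(n for n in names if n.endswith(".exe"))
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls and d != SYSTEM32:
            hits.append({"rule": "dll_sideload_staging",
                         "detail": {"dir": d, "exe": exes[0], "dlls": dlls}})
    return hits
```

The temp-script and sideload rules are deliberately narrow; on a production EDR feed they would need the usual exclusions (installers, updaters) before alerting, and the sideload pairing is best confirmed by checking that the DLL name really is in the copied executable's import table.
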
Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4387BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF7E4387CE0h 24_2_00007FF7E4387BC4
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4387BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF7E4387CE0h 28_2_00007FF7E4387BC4
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe API coverage: 0.7 %
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe API coverage: 0.7 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003EB14 GetSystemInfo, 1_2_000000014003EB14
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140049724 FindFirstFileExW, 1_2_0000000140049724
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 24_2_00007FF7E4391BA0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 24_2_00007FF7E438BE54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 28_2_00007FF7E4391BA0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 28_2_00007FF7E438BE54
Source: explorer.exe, 00000005.00000000.425051454.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.441628996.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: explorer.exe, 00000005.00000000.441628996.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.425184192.0000000007F91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.426024313.00000000081C7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAY
Source: explorer.exe, 00000005.00000000.472787622.0000000006915000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.443698787.00000000081C6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAs
Source: explorer.exe, 00000005.00000000.441628996.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.425184192.0000000007F91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.425184192.0000000007F91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000005.00000000.461519524.00000000081C6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAs
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4382F54 HeapSetInformation,IsDebuggerPresent,Sleep,DebugBreak,EventRegister,EventSetInformation,EtwRegisterTraceGuidsW,GetModuleFileNameW,GetCommandLineW,CommandLineToArgvW,GetLastError,wcscmp,WerpOpenMachineQueue,WerpSubmitReportFromStore,wcscmp,WerpOpenMachineQueue,WerpSubmitReportFromStore,WerpCloseStore,wcscmp,WerStorePurge,wcscmp,memset,memset,memset,memset,memset,memset,memset,memset,_wtoi,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wcsicmp,wcscmp,WerpOpenMachineQueue,WerpCloseStore,wcscmp,wcscmp,_wtoi64,_wtoi,wcscmp,RtlPublishWnfStateData,RtlNtStatusToDosError,RtlQueryWnfStateData,WerpCleanWer,wcscmp,wcscmp,_wtoi,wcscmp,wcscmp,WerpCleanWer,LocalFree,EtwUnregisterTraceGuids,EventUnregister, 24_2_00007FF7E4382F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E438F158 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 24_2_00007FF7E438F158
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140040370 LdrLoadDll, 1_2_0000000140040370
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4393140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF7E4393140
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4392B00 SetUnhandledExceptionFilter, 24_2_00007FF7E4392B00
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4393140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF7E4393140
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4392B00 SetUnhandledExceptionFilter, 28_2_00007FF7E4392B00
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C5253DF0 SetUnhandledExceptionFilter, 31_2_00007FF6C5253DF0
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C5253BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF6C5253BA4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: KHNE9A4.tmp.5.dr
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA7389EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA7389E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA71652A20 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Memory protected: unknown base: 7FFA7389EFE0 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Memory protected: unknown base: 7FFA7389E000 protect: page execute read
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Memory protected: unknown base: 7FFA71652A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\System32\rundll32.exe Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h
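Two findings in this report quote raw code bytes: the six bytes written over ntdll!ZwSetEvent in explorer.exe under Hooking and other Techniques (0xE9 0x9B 0xBB 0xB5 0x5E 0xEF, a 5-byte relative jmp) and the atom payload 53565741554156554881ECA8 above, which the sandbox disassembled in 32-bit mode (hence "inc ecx" and "dec eax" where a 64-bit decoder sees REX prefixes). The Python below is an added example, not part of this report and not Joe Sandbox or Dridex code. It classifies a hooked prologue and resolves the jmp target, and decodes the atom bytes in both modes. Assumptions: the hook address 0x7FFA7389EFE0 is taken from the Memory protected lines and used only to show the arithmetic (the report does not state ZwSetEvent's address); the three bytes after the twelve the sandbox printed are taken as zero because its own listing decodes the immediate as 0x000000A8.

```python
"""Reading the raw code bytes quoted in this report: the six bytes written over
ntdll!ZwSetEvent (an inline hook) and the atom payload 53565741554156554881ECA8.
Stdlib only; the decoders cover just the opcodes these two snippets use."""
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MASK64 = (1 << 64) - 1

# From the report. Only the first five bytes form the jmp; the sixth is whatever followed.
HOOK_BYTES = bytes.fromhex("E99BBBB55EEF")
# From the report; the sandbox decoded the immediate as 0x000000A8, so the three
# bytes after the twelve it printed are assumed to be zero.
ATOM_PAYLOAD = bytes.fromhex("53565741554156554881ECA8") + b"\x00\x00\x00"

def classify_prologue(code: bytes, func_addr: int) -> dict:
    """Classify the first bytes of an ntdll Nt*/Zw* export. An unhooked x64 stub
    begins 4C 8B D1 B8 <ssn> (mov r10, rcx; mov eax, ssn); a prologue that
    transfers control straight away is an inline hook, and its target tells you
    where the hooking code lives."""
    if code[:4] == b"\x4c\x8b\xd1\xb8" and len(code) >= 8:
        return {"kind": "clean_syscall_stub", "ssn": struct.unpack_from("<I", code, 4)[0]}
    if code[:1] in (b"\xe9", b"\xe8") and len(code) >= 5:          # jmp/call rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        kind = "jmp_rel32" if code[0] == 0xE9 else "call_rel32"
        return {"kind": kind, "rel32": rel, "target": (func_addr + 5 + rel) & MASK64}
    if code[:2] == b"\xff\x25" and len(code) >= 6:                 # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return {"kind": "jmp_rip_indirect", "pointer_slot": (func_addr + 6 + disp) & MASK64}
    if code[:2] == b"\x48\xb8" and len(code) >= 12 and code[10:12] == b"\xff\xe0":
        return {"kind": "mov_rax_jmp", "target": struct.unpack_from("<Q", code, 2)[0]}
    return {"kind": "unknown"}

def disasm_prologue(code: bytes, bits: int = 64) -> list:
    """Decode push reg / sub rsp,imm prologues. In 64-bit mode 0x40-0x4F are REX
    prefixes; a 32-bit decoder reads the same bytes as inc/dec r32, which is why
    the sandbox listing shows 'inc ecx' and 'dec eax' for this 64-bit payload."""
    out, i = [], 0
    while i < len(code):
        op, rex_w, rex_b = code[i], 0, 0
        if bits == 64 and 0x40 <= op <= 0x4F and i + 1 < len(code):
            rex_w, rex_b = (op >> 3) & 1, op & 1
            i += 1
            op = code[i]
        if bits == 32 and 0x40 <= op <= 0x4F:
            out.append(f"{'inc' if op < 0x48 else 'dec'} {REGS32[op & 7]}")
            i += 1
        elif 0x50 <= op <= 0x57:
            reg = REGS64[rex_b * 8 + (op & 7)] if bits == 64 else REGS32[op & 7]
            out.append(f"push {reg}")
            i += 1
        elif op == 0x81 and i + 5 < len(code) and code[i + 1] == 0xEC:   # sub rsp/esp, imm32
            imm = struct.unpack_from("<I", code, i + 2)[0]
            out.append(f"sub {'rsp' if rex_w else 'esp'}, 0x{imm:X}")
            i += 6
        elif op == 0x83 and i + 2 < len(code) and code[i + 1] == 0xEC:   # sub rsp/esp, imm8
            out.append(f"sub {'rsp' if rex_w else 'esp'}, 0x{code[i + 2]:X}")
            i += 3
        else:
            out.append(f"db 0x{op:02X}")
            i += 1
    return out
```

Decoded as x64, which is what the sample and its target processes are, the atom bytes are an ordinary compiler prologue (push rbx/rsi/rdi/r13/r14/rbp; sub rsp, 0xA8): AtomBombing writes the injected code into the global atom table as a string and has the target pull it back with NtQueueApcThread/GlobalGetAtomName, so the atom content is the first fragment of the payload rather than shellcode-looking bytes. For the hook, a memory scanner that compares the first bytes of every Nt*/Zw* export against the clean stub pattern and reports the resolved jmp target (and which module, if any, owns that address) is the practical form of the report's "User mode code has changed" check.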
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E438AE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle, 24_2_00007FF7E438AE50
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4388B70 AllocateAndInitializeSid,GetLastError,CheckTokenMembership,GetLastError,FreeSid, 24_2_00007FF7E4388B70
Source: explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.460936283.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.457188070.0000000006100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.468464420.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.453260622.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.453260622.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.417586266.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.453260622.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.417586266.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4387BC4 GetSystemTimeAsFileTime,RegSetValueExW,GetLastError,RegCloseKey, 24_2_00007FF7E4387BC4
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C524F10C LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetLastError,LocalFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,??3@YAXPEAX@Z, 31_2_00007FF6C524F10C
No contacted IP infos