Windows Analysis Report
x64.dll

Overview

General Information

Sample Name:x64.dll
Analysis ID:608207
MD5:66ac9a127ebb19f915987c31cf67d8d3
SHA1:b90e008f65d129cd9ade9aa24a9e046d727ff3f6
SHA256:94c0cedd61450d24b1195538edcd623b734749553680a42b5b64bc6194c2126a
Tags:64exe

Detection

Dridex
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7108 cmdline: loaddll64.exe "C:\Users\user\Desktop\x64.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7144 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7164 cmdline: rundll32.exe "C:\Users\user\Desktop\x64.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7152 cmdline: rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wermgr.exe (PID: 4784 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • cmd.exe (PID: 7136 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 2928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wermgr.exe (PID: 4176 cmdline: "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe" MD5: FF214585BF10206E21EA8EBA202FACFD)
        • MDMAppInstaller.exe (PID: 2812 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • cmd.exe (PID: 5144 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\tkcfGo.cmd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wermgr.exe (PID: 5388 cmdline: "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe" MD5: FF214585BF10206E21EA8EBA202FACFD)
        • schtasks.exe (PID: 4452 cmdline: "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wermgr.exe (PID: 4164 cmdline: "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe" MD5: FF214585BF10206E21EA8EBA202FACFD)
        • schtasks.exe (PID: 5080 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5500 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 3464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5744 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7092 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6344 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 384 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5228 cmdline: schtasks.exe /Query /TN "Jvadjthzpd" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5980 cmdline: rundll32.exe C:\Users\user\Desktop\x64.dll,QueryActiveSession MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5888 cmdline: rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken MD5: 73C519F050C20580F8A62C849D49215A)
  • MDMAppInstaller.exe (PID: 5232 cmdline: C:\Windows\system32\CCAL\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000021.00000002.611146050.0000000140001000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000006.00000002.421971716.0000000140001000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
0000001F.00000002.604615787.0000000140001000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000001.00000002.435584389.0000000140001000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000018.00000002.622884365.0000000140001000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(4 further memory-dump entries not shown)

Source | Rule | Description | Author
3.2.rundll32.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
31.2.MDMAppInstaller.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
4.2.rundll32.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
33.2.wermgr.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
6.2.rundll32.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(4 further unpacked-PE entries not shown)

                      System Summary

Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\x64.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\x64.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7144, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\x64.dll",#1, ProcessId: 7164, ProcessName: rundll32.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\explorer.exe, ProcessId: 684, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Wraljbotdtpzzk
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 7136, TargetFilename: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 2928, ProcessName: conhost.exe
                      No Snort rule has matched
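The process tree under Classification and the Sigma matches above together show the persistence chain this sample builds once it has injected into explorer.exe (PID 684): a copy of wermgr.exe is written to C:\Users\user\AppData\Roaming\R3POs\ and registered under HKCU\...\CurrentVersion\Run\Wraljbotdtpzzk, a copy of MDMAppInstaller.exe is written to C:\Windows\system32\CCAL\ and registered as scheduled task "Jvadjthzpd" running every 60 minutes at highest run level, and the initial load is a rundll32 call by export ordinal (#1). The script below is an added example written for this page, not Joe Sandbox output and not part of the Sigma rules quoted above. It runs five detection rules over Sysmon-style events constructed from the command lines, the registry write and the file drop visible in the report; the rule names, the KNOWN_SYSTEM_BINARIES set and the TRUSTED_DIRS set are this example's assumptions. Two events from the same tree (the wermgr.exe that runs from System32, and the named-export rundll32 call) are included as the cases that must not fire.

```python
"""Triage of Sysmon-style events for the Dridex persistence chain in this report.

Added example, not Joe Sandbox output. SAMPLE_EVENTS is constructed from the
command lines, registry write and file drop visible in the report; rule names,
KNOWN_SYSTEM_BINARIES and TRUSTED_DIRS are this example's assumptions.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Windows binaries the report shows being copied out of System32 (assumption: a real
# deployment would build this set from a file-name inventory of the System32 directory).
KNOWN_SYSTEM_BINARIES = {"wermgr.exe", "mdmappinstaller.exe"}
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
ORDINAL_CALL = re.compile(r",\s*#\d+\b")  # rundll32 x.dll,#1


def _image_name(ev: Event) -> str:
    return ntpath.basename(ev.get("Image", "")).lower()


def rundll32_ordinal_export(ev: Event) -> bool:
    """rundll32 invoked with an export ordinal instead of an export name."""
    return (ev.get("EventID") == "1" and _image_name(ev) == "rundll32.exe"
            and ORDINAL_CALL.search(ev.get("CommandLine", "")) is not None)


def autorun_key_to_user_writable_path(ev: Event) -> bool:
    """Run-key value (Sysmon event 13) whose target lives in a user-writable directory."""
    details = ev.get("Details", "").lower()
    return (ev.get("EventID") == "13"
            and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
            and any(marker in details for marker in USER_WRITABLE))


def exe_dropped_to_user_writable_path(ev: Event) -> bool:
    """File creation (Sysmon event 11) of an .exe under a user-writable directory."""
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == "11" and target.endswith(".exe")
            and any(marker in target for marker in USER_WRITABLE))


def schtasks_create_highest_untrusted_binary(ev: Event) -> bool:
    """schtasks /Create with /RL highest whose /TR binary sits outside the trusted directories."""
    if ev.get("EventID") != "1" or _image_name(ev) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    if "/create" not in cmd or "/rl highest" not in cmd:
        return False
    m = re.search(r'/tr\s+"?([^"\s]+)', cmd)
    return m is not None and ntpath.dirname(m.group(1)) not in TRUSTED_DIRS


def system_binary_name_outside_system32(ev: Event) -> bool:
    """A process named like a Windows binary but started from an untrusted directory."""
    image = ev.get("Image", "").lower()
    return (ev.get("EventID") == "1" and ntpath.basename(image) in KNOWN_SYSTEM_BINARIES
            and ntpath.dirname(image) not in TRUSTED_DIRS)


RULES: Dict[str, Callable[[Event], bool]] = {
    f.__name__: f for f in (rundll32_ordinal_export, autorun_key_to_user_writable_path,
                            exe_dropped_to_user_writable_path,
                            schtasks_create_highest_untrusted_binary,
                            system_binary_name_outside_system32)
}


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule, ProcessId, evidence) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        evidence = ev.get("CommandLine") or ev.get("TargetObject") or ev.get("TargetFilename", "")
        hits.extend((name, ev.get("ProcessId", "?"), evidence)
                    for name, rule in RULES.items() if rule(ev))
    return hits


# Constructed from the process tree and the Sigma matches in the report (Sysmon-like fields).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "ProcessId": "7164", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\x64.dll",#1'},
    {"EventID": "1", "ProcessId": "7152", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession"},
    {"EventID": "13", "ProcessId": "684", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Wraljbotdtpzzk",
     "Details": r"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"},
    {"EventID": "11", "ProcessId": "7136", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"},
    {"EventID": "1", "ProcessId": "4784", "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\system32\wermgr.exe"},
    {"EventID": "1", "ProcessId": "4176", "Image": r"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"'},
    {"EventID": "1", "ProcessId": "4452", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" '
                    r'/TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest'},
    {"EventID": "1", "ProcessId": "5080", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Jvadjthzpd"'},
    {"EventID": "1", "ProcessId": "5232", "Image": r"C:\Windows\System32\CCAL\MDMAppInstaller.exe",
     "CommandLine": r"C:\Windows\system32\CCAL\MDMAppInstaller.exe"},
]

if __name__ == "__main__":
    for rule, pid, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:45} pid={pid:<5} {evidence}")
```

Run against the constructed events, the rules fire once each for PIDs 7164, 684, 7136 and 4452 and twice for the system-binary-name rule (PIDs 4176 and 5232), while the legitimate wermgr.exe from System32, the named-export rundll32 call and the schtasks /Query calls stay silent. The directory checks compare the exact parent directory against TRUSTED_DIRS rather than testing a prefix, which is what lets C:\Windows\system32\CCAL\ be caught even though it starts with the System32 path.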


                      AV Detection

Source: x64.dll | Virustotal: Detection: 47%
Source: x64.dll | Metadefender: Detection: 37%
Source: x64.dll | ReversingLabs: Detection: 78%
Source: x64.dll | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp | Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp | Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: x64.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe | Code function: 31_2_00007FF6C524E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe | Code function: 31_2_00007FF6C524E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError
Source: x64.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: mdmappinstaller.pdbGCTL | source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source: Binary string: WerMgr.pdb | source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source: Binary string: sgI.pdb | source: x64.dll, NAmADA4.tmp.5.dr, KHNE9A4.tmp.5.dr
Source: Binary string: WerMgr.pdbGCTL | source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source: Binary string: mdmappinstaller.pdb | source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140049724 FindFirstFileExW
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe | Code function: 24_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe | Code function: 24_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe | Code function: 28_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe | Code function: 28_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose

                      E-Banking Fraud

Source: Yara match | File source: 3.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.MDMAppInstaller.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wermgr.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.wermgr.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll64.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.wermgr.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000002.611146050.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.421971716.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.604615787.0000000140001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.435584389.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.622884365.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.595393684.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.415891174.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.508980143.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.429395051.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\system32\CCAL
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005284C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140048A4C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140040370
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400343E8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140026C74
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004F4D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140049CE8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004357C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003DEEC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140036778
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140022004
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140060014
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140024028
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002782C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002E030
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005582B
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140034044
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000F848
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003D878
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140020094
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002F8A4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400280AC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004F0AC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400410B4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400150E4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140066100
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140025100
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004D914
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140033124
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140032128
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140025930
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140005950
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004E954
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140001158
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003796C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140049980
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140039990
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002F198
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400389A4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400099AC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400659F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002EA1C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140055A4D
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005A24C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001B250
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140001A78
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140007284
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140061283
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140061A90
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400642A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002DAA4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140043AC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140019AC4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400512E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400162E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002BAEC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140006AEC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140063324
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140013B64
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140055364
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140019378
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140060B8C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001A394
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140008B94
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004BBBC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140021BD8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400243E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002B3F3
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140004C0C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002B429
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140012474
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000AC74
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140038478
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004FC74
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002747C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002A4A4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001B4AC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004A4B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140063CB4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002F4B8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140003CC4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000ECD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140017CD4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140044CD8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004ECF8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140042504
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140026534
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002AD38
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140022D50
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140029550
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140012D8C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140051D90
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140006D94
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400515A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400285AC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140031DCC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400365D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400205D8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140011DE4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004D5EC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003A60C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140021E1C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140023E1C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004E628
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004CE2C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140018638
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140004E38
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140014644
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002EE48
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004A660
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140053670
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003AE70
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140031670
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002D694
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140036E98
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000D69C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140050EA8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140053EC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001BEC8
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400466C4
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004EF0C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140017F40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001CF40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140041F3C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140032750
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000578C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400137A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400557A3
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001C7CC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400027DC
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140030FE0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe | Code function: 24_2_00007FF7E438E368
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 24_2_00007FF7E4382F5424_2_00007FF7E4382F54
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 24_2_00007FF7E438CFF024_2_00007FF7E438CFF0
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 24_2_00007FF7E4390A5824_2_00007FF7E4390A58
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 24_2_00007FF7E439243824_2_00007FF7E4392438
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 24_2_00007FF7E438684824_2_00007FF7E4386848
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 24_2_00007FF7E4387EFC24_2_00007FF7E4387EFC
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E438E36828_2_00007FF7E438E368
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E4382F5428_2_00007FF7E4382F54
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E438CFF028_2_00007FF7E438CFF0
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E4390A5828_2_00007FF7E4390A58
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E439243828_2_00007FF7E4392438
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E438684828_2_00007FF7E4386848
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exeCode function: 28_2_00007FF7E4387EFC28_2_00007FF7E4387EFC
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C524464831_2_00007FF6C5244648
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C52519D431_2_00007FF6C52519D4
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C524963031_2_00007FF6C5249630
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C52549FF31_2_00007FF6C52549FF
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C524E93431_2_00007FF6C524E934
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C5243FAC31_2_00007FF6C5243FAC
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exeCode function: 31_2_00007FF6C5246BDC31_2_00007FF6C5246BDC
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: String function: 00007FF7E4385C24 appears 44 times
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: String function: 00007FF7E43845A8 appears 54 times
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: String function: 00007FF6C5246124 appears 108 times
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: String function: 00007FF6C5245F34 appears 75 times
                      Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe Code function: 31_2_00007FF6C5249630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 31_2_00007FF6C5249630
                      Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005284C NtQuerySystemInformation, 1_2_000000014005284C
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E438E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 24_2_00007FF7E438E368
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4391F54 NtQueryLicenseValue, 24_2_00007FF7E4391F54
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4388404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 24_2_00007FF7E4388404
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4392438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 24_2_00007FF7E4392438
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E43882EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 24_2_00007FF7E43882EC
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E438E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 28_2_00007FF7E438E368
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4391F54 NtQueryLicenseValue, 28_2_00007FF7E4391F54
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4388404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 28_2_00007FF7E4388404
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E4392438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 28_2_00007FF7E4392438
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 28_2_00007FF7E43882EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 28_2_00007FF7E43882EC
                      Source: wermgr.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wermgr.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wermgr.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
                      Source: C:\Windows\explorer.exe Section loaded: pcacli.dll
                      Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll
                      Source: x64.dll Static PE information: Number of sections : 17 > 10
                      Source: KHNE9A4.tmp.5.dr Static PE information: Number of sections : 18 > 10
                      Source: NAmADA4.tmp.5.dr Static PE information: Number of sections : 18 > 10
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
                      Source: x64.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: KHNE9A4.tmp.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: NAmADA4.tmp.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: x64.dll Virustotal: Detection: 47%
                      Source: x64.dll Metadefender: Detection: 37%
                      Source: x64.dll ReversingLabs: Detection: 78%
                      Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\x64.dll"
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryActiveSession
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\tkcfGo.cmd
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\System32\CCAL\MDMAppInstaller.exe C:\Windows\system32\CCAL\MDMAppInstaller.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
                      Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                      Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp
                      Source: classification engine Classification label: mal100.troj.evad.winDLL@52/10@0/0
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4388F2C CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoUninitialize, 24_2_00007FF7E4388F2C
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 24_2_00007FF7E438DE98
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 28_2_00007FF7E438DE98
                      Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Code function: 24_2_00007FF7E4381A70 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,Process32NextW,CloseHandle, 24_2_00007FF7E4381A70
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{41059e93-2e1b-cd9f-8d6b-afe9f069cb55}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{b9eeafb6-578e-5d2c-64c5-1ccbb1866e8a}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_01
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: x64.dll Static PE information: Image base 0x140000000 > 0x60000000
                      Source: x64.dll Static file information: File size 1060864 > 1048576
                      Source: x64.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_