Windows Analysis Report
x64.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005284C	1_2_000000014005284C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140048A4C	1_2_0000000140048A4C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140040370	1_2_0000000140040370
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400343E8	1_2_00000001400343E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026C74	1_2_0000000140026C74
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F4D0	1_2_000000014004F4D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140049CE8	1_2_0000000140049CE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004357C	1_2_000000014004357C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003DEEC	1_2_000000014003DEEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036778	1_2_0000000140036778
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022004	1_2_0000000140022004
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060014	1_2_0000000140060014
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024028	1_2_0000000140024028
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002782C	1_2_000000014002782C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E030	1_2_000000014002E030
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005582B	1_2_000000014005582B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034044	1_2_0000000140034044
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000F848	1_2_000000014000F848
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003D878	1_2_000000014003D878
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140020094	1_2_0000000140020094
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F8A4	1_2_000000014002F8A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400280AC	1_2_00000001400280AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F0AC	1_2_000000014004F0AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400410B4	1_2_00000001400410B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400150E4	1_2_00000001400150E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140066100	1_2_0000000140066100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025100	1_2_0000000140025100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004D914	1_2_000000014004D914
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033124	1_2_0000000140033124
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032128	1_2_0000000140032128
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025930	1_2_0000000140025930
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005950	1_2_0000000140005950
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004E954	1_2_000000014004E954
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001158	1_2_0000000140001158
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003796C	1_2_000000014003796C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140049980	1_2_0000000140049980
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140039990	1_2_0000000140039990
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F198	1_2_000000014002F198
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400389A4	1_2_00000001400389A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400099AC	1_2_00000001400099AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400659F0	1_2_00000001400659F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EA1C	1_2_000000014002EA1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140055A4D	1_2_0000000140055A4D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005A24C	1_2_000000014005A24C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001B250	1_2_000000014001B250
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001A78	1_2_0000000140001A78
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007284	1_2_0000000140007284
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140061283	1_2_0000000140061283
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140061A90	1_2_0000000140061A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400642A0	1_2_00000001400642A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002DAA4	1_2_000000014002DAA4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140043AC0	1_2_0000000140043AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019AC4	1_2_0000000140019AC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400512E0	1_2_00000001400512E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400162E0	1_2_00000001400162E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002BAEC	1_2_000000014002BAEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006AEC	1_2_0000000140006AEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063324	1_2_0000000140063324
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140013B64	1_2_0000000140013B64
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140055364	1_2_0000000140055364
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019378	1_2_0000000140019378
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060B8C	1_2_0000000140060B8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001A394	1_2_000000014001A394
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140008B94	1_2_0000000140008B94
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004BBBC	1_2_000000014004BBBC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140021BD8	1_2_0000000140021BD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400243E0	1_2_00000001400243E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B3F3	1_2_000000014002B3F3
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140004C0C	1_2_0000000140004C0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B429	1_2_000000014002B429
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140012474	1_2_0000000140012474
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000AC74	1_2_000000014000AC74
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140038478	1_2_0000000140038478
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004FC74	1_2_000000014004FC74
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002747C	1_2_000000014002747C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A4A4	1_2_000000014002A4A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001B4AC	1_2_000000014001B4AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004A4B0	1_2_000000014004A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063CB4	1_2_0000000140063CB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F4B8	1_2_000000014002F4B8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140003CC4	1_2_0000000140003CC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000ECD0	1_2_000000014000ECD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017CD4	1_2_0000000140017CD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140044CD8	1_2_0000000140044CD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004ECF8	1_2_000000014004ECF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140042504	1_2_0000000140042504
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026534	1_2_0000000140026534
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AD38	1_2_000000014002AD38
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022D50	1_2_0000000140022D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029550	1_2_0000000140029550
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140012D8C	1_2_0000000140012D8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140051D90	1_2_0000000140051D90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006D94	1_2_0000000140006D94
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400515A0	1_2_00000001400515A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400285AC	1_2_00000001400285AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031DCC	1_2_0000000140031DCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400365D0	1_2_00000001400365D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400205D8	1_2_00000001400205D8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140011DE4	1_2_0000000140011DE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004D5EC	1_2_000000014004D5EC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A60C	1_2_000000014003A60C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140021E1C	1_2_0000000140021E1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023E1C	1_2_0000000140023E1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004E628	1_2_000000014004E628
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004CE2C	1_2_000000014004CE2C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018638	1_2_0000000140018638
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140004E38	1_2_0000000140004E38
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140014644	1_2_0000000140014644
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EE48	1_2_000000014002EE48
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004A660	1_2_000000014004A660
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053670	1_2_0000000140053670
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003AE70	1_2_000000014003AE70
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031670	1_2_0000000140031670
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D694	1_2_000000014002D694
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036E98	1_2_0000000140036E98
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000D69C	1_2_000000014000D69C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140050EA8	1_2_0000000140050EA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053EC0	1_2_0000000140053EC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001BEC8	1_2_000000014001BEC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400466C4	1_2_00000001400466C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004EF0C	1_2_000000014004EF0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017F40	1_2_0000000140017F40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001CF40	1_2_000000014001CF40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140041F3C	1_2_0000000140041F3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032750	1_2_0000000140032750
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000578C	1_2_000000014000578C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400137A0	1_2_00000001400137A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400557A3	1_2_00000001400557A3
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001C7CC	1_2_000000014001C7CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400027DC	1_2_00000001400027DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030FE0	1_2_0000000140030FE0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E438E368	24_2_00007FF7E438E368
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4382F54	24_2_00007FF7E4382F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E438CFF0	24_2_00007FF7E438CFF0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4390A58	24_2_00007FF7E4390A58
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4392438	24_2_00007FF7E4392438
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4386848	24_2_00007FF7E4386848
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4387EFC	24_2_00007FF7E4387EFC
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E438E368	28_2_00007FF7E438E368
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4382F54	28_2_00007FF7E4382F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E438CFF0	28_2_00007FF7E438CFF0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4390A58	28_2_00007FF7E4390A58
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4392438	28_2_00007FF7E4392438
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4386848	28_2_00007FF7E4386848
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4387EFC	28_2_00007FF7E4387EFC
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C5244648	31_2_00007FF6C5244648
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C52519D4	31_2_00007FF6C52519D4
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C5249630	31_2_00007FF6C5249630
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C52549FF	31_2_00007FF6C52549FF
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C524E934	31_2_00007FF6C524E934
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C5243FAC	31_2_00007FF6C5243FAC
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C5246BDC	31_2_00007FF6C5246BDC

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: String function: 00007FF7E4385C24 appears 44 times
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: String function: 00007FF7E43845A8 appears 54 times
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: String function: 00007FF6C5246124 appears 108 times
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: String function: 00007FF6C5245F34 appears 75 times

Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe

Code function: 31_2_00007FF6C5249630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,

31_2_00007FF6C5249630

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005284C NtQuerySystemInformation,	1_2_000000014005284C
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E438E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose,	24_2_00007FF7E438E368
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4391F54 NtQueryLicenseValue,	24_2_00007FF7E4391F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4388404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,	24_2_00007FF7E4388404
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4392438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,	24_2_00007FF7E4392438
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E43882EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,	24_2_00007FF7E43882EC
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E438E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose,	28_2_00007FF7E438E368
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4391F54 NtQueryLicenseValue,	28_2_00007FF7E4391F54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4388404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,	28_2_00007FF7E4388404
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4392438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,	28_2_00007FF7E4392438
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E43882EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,	28_2_00007FF7E43882EC

Source: wermgr.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: x64.dll	Static PE information: Number of sections : 17 > 10
Source: KHNE9A4.tmp.5.dr	Static PE information: Number of sections : 18 > 10
Source: NAmADA4.tmp.5.dr	Static PE information: Number of sections : 18 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538

Source: x64.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KHNE9A4.tmp.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NAmADA4.tmp.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: x64.dll	Virustotal: Detection: 47%
Source: x64.dll	Metadefender: Detection: 37%
Source: x64.dll	ReversingLabs: Detection: 78%

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\x64.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryActiveSession
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\tkcfGo.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\CCAL\MDMAppInstaller.exe C:\Windows\system32\CCAL\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryActiveSession	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x64.dll",#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\tkcfGo.cmd	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe "C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Query /TN "Jvadjthzpd"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp

Source: classification engine

Classification label: mal100.troj.evad.winDLL@52/10@0/0

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E4388F2C CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoUninitialize,

24_2_00007FF7E4388F2C

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,		24_2_00007FF7E438DE98
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,		28_2_00007FF7E438DE98

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E4381A70 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,Process32NextW,CloseHandle,

24_2_00007FF7E4381A70

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{41059e93-2e1b-cd9f-8d6b-afe9f069cb55}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{b9eeafb6-578e-5d2c-64c5-1ccbb1866e8a}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_01

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: x64.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: x64.dll

Static file information: File size 1060864 > 1048576

Source: x64.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: mdmappinstaller.pdbGCTL source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr
Source:	Binary string: WerMgr.pdb source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source:	Binary string: sgI.pdb source: x64.dll, NAmADA4.tmp.5.dr, KHNE9A4.tmp.5.dr
Source:	Binary string: WerMgr.pdbGCTL source: cmd.exe, 00000011.00000003.547294887.0000021599D37000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.623554275.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000018.00000000.571165986.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000000.590604574.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 0000001C.00000002.596149680.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000000.608169361.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe, 00000021.00000002.612132180.00007FF7E4395000.00000002.00000001.01000000.0000000B.sdmp, wermgr.exe.17.dr
Source:	Binary string: mdmappinstaller.pdb source: cmd.exe, 0000001A.00000003.586281277.000001E89C487000.00000004.00000020.00020000.00000000.sdmp, MDMAppInstaller.exe, 0000001F.00000002.605506931.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe, 0000001F.00000000.596119323.00007FF6C5255000.00000002.00000001.01000000.0000000D.sdmp, MDMAppInstaller.exe.26.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000022245A33055 push rbx; retf	1_2_0000022245A3305A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000001F1DA323055 push rbx; retf	3_2_000001F1DA32305A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000022341CE3055 push rbx; retf	4_2_0000022341CE305A
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000027E57583055 push rbx; retf	6_2_0000027E5758305A
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0000025311A23055 push rbx; retf	8_2_0000025311A2305A
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_000001B48FD73055 push rbx; retf	24_2_000001B48FD7305A
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_000001A589C43055 push rbx; retf	28_2_000001A589C4305A
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_0000019891253055 push rbx; retf	31_2_000001989125305A
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 33_2_00000149ED6C3055 push rbx; retf	33_2_00000149ED6C305A

Source: x64.dll	Static PE information: section name: .crt1
Source: x64.dll	Static PE information: section name: qwTG
Source: x64.dll	Static PE information: section name: .lqen
Source: x64.dll	Static PE information: section name: .vqb
Source: x64.dll	Static PE information: section name: .gjd
Source: x64.dll	Static PE information: section name: .wqhqlp
Source: x64.dll	Static PE information: section name: .jriz
Source: x64.dll	Static PE information: section name: .ebkl
Source: x64.dll	Static PE information: section name: .aoj
Source: x64.dll	Static PE information: section name: .ncm
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .crt1
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: qwTG
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .lqen
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .vqb
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .gjd
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .wqhqlp
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .jriz
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .ebkl
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .aoj
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .ncm
Source: KHNE9A4.tmp.5.dr	Static PE information: section name: .gqytqb
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .crt1
Source: NAmADA4.tmp.5.dr	Static PE information: section name: qwTG
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .lqen
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .vqb
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .gjd
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .wqhqlp
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .jriz
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .ebkl
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .aoj
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .ncm
Source: NAmADA4.tmp.5.dr	Static PE information: section name: .ksjw
Source: wermgr.exe.17.dr	Static PE information: section name: .imrsiv
Source: wermgr.exe.17.dr	Static PE information: section name: .didat
Source: MDMAppInstaller.exe.26.dr	Static PE information: section name: .didat

Source: initial sample

Static PE information: section where entry point is pointing to: .crt1

Source: x64.dll	Static PE information: real checksum: 0xb3260629 should be: 0x104747
Source: KHNE9A4.tmp.5.dr	Static PE information: real checksum: 0xb3260629 should be: 0x104cd2
Source: NAmADA4.tmp.5.dr	Static PE information: real checksum: 0xb3260629 should be: 0x1102ae

Source: wermgr.exe.17.dr

Static PE information: 0xA7D9A170 [Fri Mar 28 06:15:12 2059 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.8179817907
Source: initial sample	Static PE information: section name: .text entropy: 7.8179817907
Source: initial sample	Static PE information: section name: .text entropy: 7.8179817907

Persistence and Installation Behavior

Source: unknown

Executable created and started: C:\Windows\system32\CCAL\MDMAppInstaller.exe

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\system32\CCAL\WTSAPI32.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\R3POs\wer.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Jump to dropped file

Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\system32\CCAL\WTSAPI32.dll (copy)			Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\System32\CCAL\MDMAppInstaller.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest

Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Wraljbotdtpzzk			Jump to behavior
Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Wraljbotdtpzzk			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NAmADA4.tmp			Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4387BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF7E4387CE0h		24_2_00007FF7E4387BC4
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4387BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF7E4387CE0h		28_2_00007FF7E4387BC4

Source: C:\Windows\System32\loaddll64.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-60861

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	API coverage: 0.7 %
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	API coverage: 0.7 %

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Benign windows process drops PE files

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014003EB14 GetSystemInfo,

1_2_000000014003EB14

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140049724 FindFirstFileExW,	1_2_0000000140049724
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,	24_2_00007FF7E4391BA0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose,	24_2_00007FF7E438BE54
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4391BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,	28_2_00007FF7E4391BA0
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E438BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose,	28_2_00007FF7E438BE54

Source: explorer.exe, 00000005.00000000.425051454.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.441628996.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: explorer.exe, 00000005.00000000.441628996.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.425184192.0000000007F91000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.426024313.00000000081C7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAY
Source: explorer.exe, 00000005.00000000.472787622.0000000006915000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.443698787.00000000081C6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAs
Source: explorer.exe, 00000005.00000000.441628996.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.425184192.0000000007F91000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.425184192.0000000007F91000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000005.00000000.461519524.00000000081C6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAs

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E4382F54 HeapSetInformation,IsDebuggerPresent,Sleep,DebugBreak,EventRegister,EventSetInformation,EtwRegisterTraceGuidsW,GetModuleFileNameW,GetCommandLineW,CommandLineToArgvW,GetLastError,wcscmp,WerpOpenMachineQueue,WerpSubmitReportFromStore,wcscmp,WerpOpenMachineQueue,WerpSubmitReportFromStore,WerpCloseStore,wcscmp,WerStorePurge,wcscmp,memset,memset,memset,memset,memset,memset,memset,memset,_wtoi,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wcsicmp,wcscmp,WerpOpenMachineQueue,WerpCloseStore,wcscmp,wcscmp,_wtoi64,_wtoi,wcscmp,RtlPublishWnfStateData,RtlNtStatusToDosError,RtlQueryWnfStateData,WerpCleanWer,wcscmp,wcscmp,_wtoi,wcscmp,wcscmp,WerpCleanWer,LocalFree,EtwUnregisterTraceGuids,EventUnregister,

24_2_00007FF7E4382F54

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E438F158 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

24_2_00007FF7E438F158

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140040370 LdrLoadDll,

1_2_0000000140040370

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4393140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF7E4393140
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 24_2_00007FF7E4392B00 SetUnhandledExceptionFilter,	24_2_00007FF7E4392B00
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4393140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_00007FF7E4393140
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Code function: 28_2_00007FF7E4392B00 SetUnhandledExceptionFilter,	28_2_00007FF7E4392B00
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C5253DF0 SetUnhandledExceptionFilter,	31_2_00007FF6C5253DF0
Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe	Code function: 31_2_00007FF6C5253BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00007FF6C5253BA4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

File created: KHNE9A4.tmp.5.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA7389EFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA7389E000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA71652A20 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Memory protected: unknown base: 7FFA7389EFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Memory protected: unknown base: 7FFA7389E000 protect: page execute read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Memory protected: unknown base: 7FFA71652A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\rundll32.exe	Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h			Jump to behavior
Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x64.dll",#1

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E438AE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle,

24_2_00007FF7E438AE50

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E4388B70 AllocateAndInitializeSid,GetLastError,CheckTokenMembership,GetLastError,FreeSid,

24_2_00007FF7E4388B70

Source: explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.460936283.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.457188070.0000000006100000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.468464420.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.453260622.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.453260622.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.417586266.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000005.00000000.432823603.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.453260622.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.417586266.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Code function: 24_2_00007FF7E4387BC4 GetSystemTimeAsFileTime,RegSetValueExW,GetLastError,RegCloseKey,

24_2_00007FF7E4387BC4

Source: C:\Windows\System32\CCAL\MDMAppInstaller.exe

Code function: 31_2_00007FF6C524F10C LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetLastError,LocalFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,??3@YAXPEAX@Z,

31_2_00007FF6C524F10C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	11 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	1 Windows Service	1 Access Token Manipulation	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	1 Scheduled Task/Job	1 Windows Service	1 Timestomp	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	1 Registry Run Keys / Startup Folder	312 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Scheduled Task/Job	1 Rootkit	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	1 Registry Run Keys / Startup Folder	121 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	312 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x64.dll	47%	Virustotal		Browse
x64.dll	37%	Metadefender		Browse
x64.dll	79%	ReversingLabs	Win64.Infostealer.Dridex
x64.dll	100%	Avira	HEUR/AGEN.1207422
x64.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\NAmADA4.tmp	100%	Avira	HEUR/AGEN.1207422
C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp	100%	Avira	HEUR/AGEN.1207422
C:\Users\user\AppData\Local\Temp\NAmADA4.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	0%	ReversingLabs
C:\Windows\System32\CCAL\MDMAppInstaller.exe	0%	Metadefender		Browse
C:\Windows\System32\CCAL\MDMAppInstaller.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
33.2.wermgr.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
3.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
31.2.MDMAppInstaller.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
6.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
28.2.wermgr.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
8.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
1.2.loaddll64.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
24.2.wermgr.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	608207
Start date and time: 12/04/202221:44:07	2022-04-12 21:44:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	x64.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@52/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 40.1% (good quality ratio 30.1%) Quality average: 56.9% Quality standard deviation: 39.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 186
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, kv801.prod.do.dsp.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:46:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wraljbotdtpzzk C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
21:46:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wraljbotdtpzzk C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
21:46:34	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wraljbotdtpzzk.lnk
21:46:37	Task Scheduler	Run new task: Jvadjthzpd path: C:\Windows\system32\CCAL\MDMAppInstaller.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\R3POs\wermgr.exe	qNKCAaD6MH.dll	Get hash	malicious	Browse
	CsUUaEi57B.dll	Get hash	malicious	Browse
	GJSyxyXpqb.dll	Get hash	malicious	Browse
	YCmvsk3Lmf.dll	Get hash	malicious	Browse
	x95V65Z00v.dll	Get hash	malicious	Browse
	GTSszLxygJ.dll	Get hash	malicious	Browse
	2k0c2Cohem.dll	Get hash	malicious	Browse
	U4zqCpLYS2.dll	Get hash	malicious	Browse
	b0kpce0t8F.dll	Get hash	malicious	Browse
	QAUAey7NkL.dll	Get hash	malicious	Browse
	Y4Gd7K2a8m.dll	Get hash	malicious	Browse
	yPeVDkBY3n.dll	Get hash	malicious	Browse
	td1i2JJWLZ.dll	Get hash	malicious	Browse
	TDhTkVMvVd.dll	Get hash	malicious	Browse
	ShmrlNrhab.dll	Get hash	malicious	Browse
	knYgnOrOXk.dll	Get hash	malicious	Browse
	Dk62bv8zDb.dll	Get hash	malicious	Browse
	UVkobIdWdL.dll	Get hash	malicious	Browse
	EeshGc2wcs.dll	Get hash	malicious	Browse
	3XSR1oCsva.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Cjaq.cmd

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	229
Entropy (8bit):	4.869685609305143
Encrypted:	false
SSDEEP:	6:8u5P9aZ51Me/N9aZ51d923f9X9aZ5IIpUQ:8u5sH1MueH1qGHnUQ
MD5:	03B3EA10D50CE5BB23379A28EA860902
SHA1:	8DC17B421435CA1D98D53F1586229D175F448F48
SHA-256:	0A3C5484A2F6190CFA103F7C4EB106C7F6C7E404B92780C3C0021E8EE9C5BEB5
SHA-512:	D60A16A86D863F97F2867E29AFA05887631D0E9ADAF2DF77E3B21B88E7EE36DC5B488ECCBC8A2F7D8D812BD8CB4B3188094A2B5E92148D781339152D34561448
Malicious:	false
Preview:	md C:\Users\user\AppData\Roaming\R3POs..copy C:\Windows\system32\wermgr.exe C:\Users\user\AppData\Roaming\R3POs..move C:\Users\user\AppData\Local\Temp\NAmADA4.tmp C:\Users\user\AppData\Roaming\R3POs\wer.dll..del %0 & exit

C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1064960
Entropy (8bit):	5.552014205230675
Encrypted:	false
SSDEEP:	12288:BabbKACcbDWwVexYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:MaXcfWwgmKrhncQYlez5nGa84djgol
MD5:	0DDBAA45951517107B9702E6CCC87906
SHA1:	370891865959F967B885A1EB9BFB459D73DF6105
SHA-256:	6C7F57824FA935D6BAB9ED7127A484F05433BB12FB6A5B9A6581B1173C5A237A
SHA-512:	421D4DCE4D4A521AA3CEC731D9FE1BE95A2510BB29B4493859EFEF6AF8816A4C274D261A349D23113A448A35F8AEBE1D3786788840DDB0D4DC5D2C7338F4683B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d....\.T.........." .....f.....................@.............................@......).&...`..........................................0......h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

C:\Users\user\AppData\Local\Temp\NAmADA4.tmp

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	5.550490003883871
Encrypted:	false
SSDEEP:	12288:UabbKACcbDWwVexYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:HaXcfWwgmKrhncQYlez5nGa84djgol
MD5:	6CB715AEF46D67EA68C59050D21B4522
SHA1:	F916645912DD962E8154073DF1AC4B707DFCC6D9
SHA-256:	EEE2DC41DA43B9601CB388825FC261C2FB0BBE60C7D3103574DE06CA694F01A1
SHA-512:	971829FD75C1917ED49CCFFD9990D7E6E77850B232BB34461C0BAA65F9B1A97E297BD797379CB46080E76038704994AFA3817874959D0426FD67130E782624E5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d....\.T.........." .....f.....................@.............................P......).&...`..........................................0..W...h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

C:\Users\user\AppData\Local\Temp\tkcfGo.cmd

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	204
Entropy (8bit):	5.018347992860809
Encrypted:	false
SSDEEP:	6:8u5TAdXceTAJOXL4hAdd923f9bA8yTlJYxUQ:8u5MdXXXsudqFEVSxUQ
MD5:	60D9BF10F5BBC23ED46603A7E96335CD
SHA1:	56C387E5FBCBB2A4B8743C626155708018CC1015
SHA-256:	6CDF96C322D18F07F818C7BA846B1CEF9F907635A17733B59AFBFEB5589960E9
SHA-512:	2732D71724087D00EBB9EEAE5C4A7D3BA9D219E05768478F8676AAE5437B0670BF2272DCF53AF10F27C378C812E8BE34DF61793C477F5CA52B51A0326D5FC2AD
Malicious:	false
Preview:	md C:\Windows\system32\CCAL..copy C:\Windows\system32\MDMAppInstaller.exe C:\Windows\system32\CCAL..move C:\Users\user\AppData\Local\Temp\KHNE9A4.tmp C:\Windows\system32\CCAL\WTSAPI32.dll..del %0 & exit

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	1451
Entropy (8bit):	7.327678216261483
Encrypted:	false
SSDEEP:	24:nqXB8+xVUlTbLZi1ecX4i1509VRLg45UkBg7avUGK55c/bXwlzPrXRXmA:nq++rUlTRi1NB15ub09kBqe7wlzjXRXv
MD5:	FB027688D1AE95BC43EFEBD156406E36
SHA1:	440623C7FB1DA9860CA2A0543D10B4168C87E28E
SHA-256:	9DC137B94E67305A9989FFA97AEEB98831D6931F19ACD0B67207344F756AA01A
SHA-512:	051CBD81738899F933441D62B3D42C679680023B38B1F5D5441DC747F8A44F64F4BC3400F5341D1533D8164D2D703DB9819623D3C479B9F4EC7543DC1AEA4CDB
Malicious:	false
Preview:	........................................user.....................RSA1.................7....{.p..=........qp.wi.......".L.gG.=.t!.s..e.......,...e....}.i._.M<......\....<...EU$.m.....j..1K........ 4ukn....K.....................z..O...........Y.A....W......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ... ...n....b&.....Q..B...pcrlcQ............ ....)1.......,.x...>.t.....Hf/......>...'..`f......o....t.S....36...as3..'5........L..{..5dE...b....aq...v.5._L..!.x6.?7N.6<H...0..e<mc.\|%......s.bl..11.....Z=....A.[.n.UG{.....[._..M..A.J.,I..).b.-%.oJ<.....I.=...x.......k..P.<4..e`L.(.....n.0.......NN...l.C.z..l.Kny.....MnY.]p:%.b.4.....{N..f..{.X....0#..0...3..o.S3q5=M@...!..4........%.8*0\|M ..h.l......>..GM .a....,`.....,.J......%.c@.....u..Y..f...%...b....A0pz0.0...\&[.a#3.......)}...F...O..\......Mv....).....O.O,..Y...od].R.....j....$."..].dM...z.Lmd.."d..x...K0.eM.x."....r...Z.....q...o.D+...m.8H.&....?.Q.R+..K..t.x......=.+...<

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wraljbotdtpzzk.lnk

Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 13 03:46:15 2022, mtime=Wed Apr 13 03:46:15 2022, atime=Wed Apr 11 22:34:22 2018, length=209312, window=hide
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.131205962827585
Encrypted:	false
SSDEEP:	12:8y8++Q4CNjyjCoscwY//W4xvuLkcF6j6QKtFS7DYjABmHdRsx2fd1Ucm:8yIOkFsc3u4xQAkxAqJm
MD5:	C69B35724D08B9AA7E320619F47BC2AA
SHA1:	D9D1E55F9B2D691085F36220C28813D8D4D772ED
SHA-256:	863FB90F0016B1B2BCAD15CA9C075B4BFAC36B86283E996C834C1E87C16DF77A
SHA-512:	443F6844FC5BBFE4FB861DD1998BE002448804E6F625A9EC29D6C0AB05F221204D2E3739F22D6759DD6C5D8647D5461631B52C6558DCEF13FB1E328C62ECC377
Malicious:	false
Preview:	L..................F.... ....0Rh.N...0Rh.N.........1........................:..DG..Yr?.D..U..k0.&...&...........-...my..3...=.h.N......t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..T.%.....Y.....................R..A.p.p.D.a.t.a...B.V.1......T.%..Roaming.@.......NM..T.%.....Y....................s...R.o.a.m.i.n.g.....P.1......T.%..R3POs.<......T.%.T.%..........................f.I.R.3.P.O.s.....`.2..1...LL. .wermgr.exe..F......T.%.T.%................t..........X..w.e.r.m.g.r...e.x.e......._...............-.......^............q.......C:\Users\user\AppData\Roaming\R3POs\wermgr.exe........\.....\.....\.....\.....\.R.3.P.O.s.\.w.e.r.m.g.r...e.x.e.`.......X.......computer..!a..%.H.VZAj......s.........W...!a..%.H.VZAj......s.........W..E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\R3POs\wer.dll (copy)

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	5.550490003883871
Encrypted:	false
SSDEEP:	12288:UabbKACcbDWwVexYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:HaXcfWwgmKrhncQYlez5nGa84djgol
MD5:	6CB715AEF46D67EA68C59050D21B4522
SHA1:	F916645912DD962E8154073DF1AC4B707DFCC6D9
SHA-256:	EEE2DC41DA43B9601CB388825FC261C2FB0BBE60C7D3103574DE06CA694F01A1
SHA-512:	971829FD75C1917ED49CCFFD9990D7E6E77850B232BB34461C0BAA65F9B1A97E297BD797379CB46080E76038704994AFA3817874959D0426FD67130E782624E5
Malicious:	false
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d....\.T.........." .....f.....................@.............................P......).&...`..........................................0..W...h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

C:\Users\user\AppData\Roaming\R3POs\wermgr.exe

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209312
Entropy (8bit):	6.796289498157116
Encrypted:	false
SSDEEP:	6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw
MD5:	FF214585BF10206E21EA8EBA202FACFD
SHA1:	1ED4AE92D235497F62610078D51105C4634AFADE
SHA-256:	C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
SHA-512:	24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: qNKCAaD6MH.dll, Detection: malicious, Browse Filename: CsUUaEi57B.dll, Detection: malicious, Browse Filename: GJSyxyXpqb.dll, Detection: malicious, Browse Filename: YCmvsk3Lmf.dll, Detection: malicious, Browse Filename: x95V65Z00v.dll, Detection: malicious, Browse Filename: GTSszLxygJ.dll, Detection: malicious, Browse Filename: 2k0c2Cohem.dll, Detection: malicious, Browse Filename: U4zqCpLYS2.dll, Detection: malicious, Browse Filename: b0kpce0t8F.dll, Detection: malicious, Browse Filename: QAUAey7NkL.dll, Detection: malicious, Browse Filename: Y4Gd7K2a8m.dll, Detection: malicious, Browse Filename: yPeVDkBY3n.dll, Detection: malicious, Browse Filename: td1i2JJWLZ.dll, Detection: malicious, Browse Filename: TDhTkVMvVd.dll, Detection: malicious, Browse Filename: ShmrlNrhab.dll, Detection: malicious, Browse Filename: knYgnOrOXk.dll, Detection: malicious, Browse Filename: Dk62bv8zDb.dll, Detection: malicious, Browse Filename: UVkobIdWdL.dll, Detection: malicious, Browse Filename: EeshGc2wcs.dll, Detection: malicious, Browse Filename: 3XSR1oCsva.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(j.jI..jI..jI..c1...I...-..iI...-..qI..jI...H...-..mI...-..`I...-..KI...-..kI...-..kI..RichjI..................PE..d...p............"......,..........`(.........@.............................p.......................`......................................... .... ..0:...............!...`..\...@...T...........................`Q..............`R.. ...t........................text...++.......,.................. ..`.imrsiv......@...........................rdata.......P.......0..............@..@.data...X...........................@....pdata..............................@..@.didat..@...........................@....rsrc...0:... ...<..................@..@.reloc..\....`......................@..B................................................................................................................................................................................

C:\Windows\System32\CCAL\MDMAppInstaller.exe

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145920
Entropy (8bit):	5.742854541048038
Encrypted:	false
SSDEEP:	3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
MD5:	E2C777B6E3CE4C15C5657429A63787A3
SHA1:	DFFC902982B618201D0DC46B91F1565DC7D04377
SHA-256:	7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
SHA-512:	2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......OK7..Y..Y..Y.dNZ..Y.dN]..Y.dN\..Y.dNX.(Y..X..Y.dNP..Y.dN...Y.dN[..Y.Rich.*Y.........PE..d....$.6.........."......@...........:.........@....................................(.....`.......... ..........................................@....`.......@..4............p..........T....................R..(....Q..............8R......H...@....................text...k>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..4....@......................@..@.didat.......P......................@....rsrc........`.......0..............@..@.reloc.......p.......8..............@..B........................................................................................................................................................................................................................................

C:\Windows\system32\CCAL\WTSAPI32.dll (copy)

Process: explorer.exe, Module: ntdll.dll

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1064960
Entropy (8bit):	5.552014205230675
Encrypted:	false
SSDEEP:	12288:BabbKACcbDWwVexYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:MaXcfWwgmKrhncQYlez5nGa84djgol
MD5:	0DDBAA45951517107B9702E6CCC87906
SHA1:	370891865959F967B885A1EB9BFB459D73DF6105
SHA-256:	6C7F57824FA935D6BAB9ED7127A484F05433BB12FB6A5B9A6581B1173C5A237A
SHA-512:	421D4DCE4D4A521AA3CEC731D9FE1BE95A2510BB29B4493859EFEF6AF8816A4C274D261A349D23113A448A35F8AEBE1D3786788840DDB0D4DC5D2C7338F4683B
Malicious:	false
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d....\.T.........." .....f.....................@.............................@......).&...`..........................................0......h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	5.568391526693222
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	x64.dll
File size:	1060864
MD5:	66ac9a127ebb19f915987c31cf67d8d3
SHA1:	b90e008f65d129cd9ade9aa24a9e046d727ff3f6
SHA256:	94c0cedd61450d24b1195538edcd623b734749553680a42b5b64bc6194c2126a
SHA512:	ca0f1e93269456ab78e0ec00acc85310a30c7dfde9548b6898ba4694b1717ea2f3e09092431ffbf71431e8b9c7db04814b21fbef54f2a23f133c6a19f76717b8
SSDEEP:	12288:cabbKACcbDWwVexYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:faXcfWwgmKrhncQYlez5nGa84djgol
TLSH:	4D35CF4D492F1AC8D6A550F26B3387F6296EF4940420DEBD32B67025ED8DE7D8CC291B
File Content Preview:	MZ......................@.......................................x..j<..9<..9<..9?.t9I..9...8k..9S.49...9.ou9w..9...8M..9...82..9.7.9...91.I9u..9".:9...9'l590..9".=9/..9...8G..9R..8...9...8P..9S.39v..9?.u9i..9.7.9}..9...8...9".;9i..9..I9S..9Z.e9x..9?.w9...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x14002a5b0
Entrypoint Section:	.crt1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x54B45CFA [Mon Jan 12 23:47:06 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	25c7ac00c91884fd2923a489ae9dfbca

Entrypoint Preview

Instruction
dec eax
mov dword ptr [00037CB9h], ecx
dec eax
mov dword ptr [00037CBAh], edx
dec eax
or dword ptr [00037CFBh], esi
dec eax
mov dword ptr [00037CFCh], edi
dec eax
mov dword ptr [00037CFDh], ebx
dec eax
mov dword ptr [00037CA6h], ebp
dec eax
mov dword ptr [00037CA7h], esp
dec esp
mov dword ptr [00037CA8h], eax
dec esp
mov dword ptr [00037CA9h], ecx
dec esp
mov dword ptr [00037CC2h], esp
dec esp
mov dword ptr [00037CB3h], ebp
dec esp
or dword ptr [00037CA4h], esi
dec esp
mov dword ptr [00037C95h], edi
dec eax
lea esi, dword ptr [FFFFD97Eh]
jmp esi
ud2
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x102010	0x8ee	.ncm
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ba68	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0xfc98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0x28bc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x610	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x90	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2779e	0x28000	False	0.761749267578	data	7.8179817907	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0xea5	0x1000	False	0.048095703125	data	0.477776163924	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.crt1	0x2a000	0x6fb	0x1000	False	0.25634765625	data	2.77764805072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xcc0	0x1000	False	0.44921875	data	4.04304284558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c000	0x41e09	0x42000	False	0.577795780066	data	6.66561055311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x6e000	0xb46	0x1000	False	0.0595703125	data	0.53656064431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
qwTG	0x6f000	0x2e9a2	0x2f000	False	0.818348986037	data	7.87184991211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0xfc98	0x10000	False	0.223709106445	data	4.08759024615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0x28bc	0x3000	False	0.105550130208	data	5.14379878517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.lqen	0xb1000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vqb	0xf7000	0x1455	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gjd	0xf9000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wqhqlp	0xfb000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jriz	0xfd000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ebkl	0xff000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.aoj	0x100000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ncm	0x102000	0x8fe	0x1000	False	0.253662109375	data	3.69309347361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x9ee40	0x14a	data	English	United States
RT_STRING	0x9ef90	0x310	data	English	United States
RT_STRING	0x9f2a0	0x162	data	English	United States
RT_STRING	0x9f408	0x286	data	English	United States
RT_STRING	0x9f690	0x1cc	AmigaOS bitmap font	English	United States
RT_STRING	0x9f860	0x272	data	English	United States
RT_STRING	0x9fad8	0xee	data	English	United States
RT_STRING	0x9fbc8	0x144	data	English	United States
RT_STRING	0x9fd10	0xda	data	English	United States
RT_STRING	0x9fdf0	0x20e	data	English	United States
RT_STRING	0xa0000	0x326	data	English	United States
RT_STRING	0xa0328	0x33a	data	English	United States
RT_STRING	0xa0668	0x58c	data	English	United States
RT_STRING	0xa0bf8	0x2ca	data	English	United States
RT_STRING	0xa0ec8	0x2ce	data	English	United States
RT_STRING	0xa1198	0x3c6	data	English	United States
RT_STRING	0xa1560	0x41c	data	English	United States
RT_STRING	0xa1980	0x380	data	English	United States
RT_STRING	0xa1d00	0x408	data	English	United States
RT_STRING	0xa2108	0x4cc	data	English	United States
RT_STRING	0xa25d8	0x206	data	English	United States
RT_STRING	0xa27e0	0x50a	data	English	United States
RT_STRING	0xa2cf0	0x168	data	English	United States
RT_STRING	0xa2e58	0x12a	data	English	United States
RT_STRING	0xa2f88	0x36c	data	English	United States
RT_STRING	0xa32f8	0x2a8	data	English	United States
RT_STRING	0xa35a0	0x1de	data	English	United States
RT_STRING	0xa3780	0x3ec	data	English	United States
RT_STRING	0xa3b70	0x354	data	English	United States
RT_STRING	0xa3ec8	0x19c	data	English	United States
RT_STRING	0xa4068	0x27e	data	English	United States
RT_STRING	0xa42e8	0x3d8	data	English	United States
RT_STRING	0xa46c0	0x396	data	English	United States
RT_STRING	0xa4a58	0x336	data	English	United States
RT_STRING	0xa4d90	0x242	data	English	United States
RT_STRING	0xa4fd8	0x1ac	data	English	United States
RT_STRING	0xa5188	0x2f4	data	English	United States
RT_STRING	0xa5480	0x3ec	data	English	United States
RT_STRING	0xa5870	0x570	data	English	United States
RT_STRING	0xa5de0	0x3b2	Hitachi SH big-endian COFF object file, not stripped, 9472 sections, symbol offset=0x4b004200, 83895552 symbols, optional header size 12544	English	United States
RT_STRING	0xa6198	0x3aa	data	English	United States
RT_STRING	0xa6548	0x2c0	data	English	United States
RT_STRING	0xa6808	0x226	data	English	United States
RT_STRING	0xa6a30	0x248	data	English	United States
RT_STRING	0xa6c78	0x8f0	data	English	United States
RT_STRING	0xa7568	0x6aa	data	English	United States
RT_STRING	0xa7c18	0x456	data	English	United States
RT_STRING	0xa8070	0x522	data	English	United States
RT_STRING	0xa8598	0x51c	data	English	United States
RT_STRING	0xa8ab8	0x492	data	English	United States
RT_STRING	0xa8f50	0x432	data	English	United States
RT_STRING	0xa9388	0x6ec	data	English	United States
RT_STRING	0xa9a78	0x214	data	English	United States
RT_STRING	0xa9c90	0x472	AmigaOS bitmap font	English	United States
RT_STRING	0xaa108	0x3a2	data	English	United States
RT_STRING	0xaa4b0	0xb4	data	English	United States
RT_STRING	0xaa568	0x466	data	English	United States
RT_STRING	0xaa9d0	0x4b2	data	English	United States
RT_STRING	0xaae88	0x312	data	English	United States
RT_STRING	0xab1a0	0x106	data	English	United States
RT_STRING	0xab2a8	0x24e	data	English	United States
RT_STRING	0xab4f8	0x2b0	data	English	United States
RT_STRING	0xab7a8	0x392	data	English	United States
RT_STRING	0xabb40	0x34a	data	English	United States
RT_STRING	0xabe90	0x404	data	English	United States
RT_STRING	0xac298	0x3fc	data	English	United States
RT_STRING	0xac698	0x27a	data	English	United States
RT_STRING	0xac918	0xa8	data	English	United States
RT_STRING	0xac9c0	0xda	data	English	United States
RT_STRING	0xacaa0	0x2b2	data	English	United States
RT_STRING	0xacd58	0x274	data	English	United States
RT_STRING	0xacfd0	0x37c	data	English	United States
RT_STRING	0xad350	0x3fe	data	English	United States
RT_STRING	0xad750	0x2c0	data	English	United States
RT_STRING	0xada10	0x284	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetBinaryTypeW, GetModuleFileNameW, GetExitCodeProcess, GetModuleHandleW, GetCurrentProcess, GetCurrentProcessId, GetUserDefaultUILanguage
USER32.dll	SetProcessDefaultLayout, IsProcessDPIAware, ChildWindowFromPointEx, GetThreadDesktop
GDI32.dll	GetCharWidthW, FlattenPath
ADVAPI32.dll	InitiateSystemShutdownExW

Exports

Name	Ordinal	Address
IsInteractiveUserSession	1	0x140017388
QueryActiveSession	2	0x140026c6c
QueryUserToken	3	0x140004bc4
RegisterUsertokenForNoWinlogon	4	0x1400052fc
WTSCloseServer	5	0x14001e6dc
WTSConnectSessionA	6	0x140008eb8
WTSConnectSessionW	7	0x140011548
WTSCreateListenerA	8	0x140002340
WTSCreateListenerW	9	0x140017290
WTSDisconnectSession	10	0x140025978
WTSEnableChildSessions	11	0x14001e7b8
WTSEnumerateListenersA	12	0x140027d54
WTSEnumerateListenersW	13	0x140006740
WTSEnumerateProcessesA	14	0x140015468
WTSEnumerateProcessesExA	15	0x140001ccc
WTSEnumerateProcessesExW	16	0x1400283d0
WTSEnumerateProcessesW	17	0x140007568
WTSEnumerateServersA	18	0x14001faec
WTSEnumerateServersW	19	0x140016480
WTSEnumerateSessionsA	20	0x14000f194
WTSEnumerateSessionsExA	21	0x14001add4
WTSEnumerateSessionsExW	22	0x140010c34
WTSEnumerateSessionsW	23	0x140010830
WTSFreeMemory	24	0x1400079e8
WTSFreeMemoryExA	25	0x140001a10
WTSFreeMemoryExW	26	0x14000d420
WTSGetChildSessionId	27	0x140012468
WTSGetListenerSecurityA	28	0x14002160c
WTSGetListenerSecurityW	29	0x140022934
WTSIsChildSessionsEnabled	30	0x14000e2b4
WTSLogoffSession	31	0x140017848
WTSOpenServerA	32	0x14000d7b0
WTSOpenServerExA	33	0x140023da0
WTSOpenServerExW	34	0x140014938
WTSOpenServerW	35	0x14000b28c
WTSQueryListenerConfigA	36	0x14000adf4
WTSQueryListenerConfigW	37	0x140021de0
WTSQuerySessionInformationA	38	0x140026480
WTSQuerySessionInformationW	39	0x14000b01c
WTSQueryUserConfigA	40	0x14001ef04
WTSQueryUserConfigW	41	0x140018ee4
WTSQueryUserToken	42	0x1400161ac
WTSRegisterSessionNotification	43	0x1400247a8
WTSRegisterSessionNotificationEx	44	0x1400234c4
WTSSendMessageA	45	0x140011c24
WTSSendMessageW	46	0x140020f44
WTSSetListenerSecurityA	47	0x140019a50
WTSSetListenerSecurityW	48	0x1400010a8
WTSSetRenderHint	49	0x140019d14
WTSSetSessionInformationA	50	0x14000c4d4
WTSSetSessionInformationW	51	0x140002d30
WTSSetUserConfigA	52	0x140028434
WTSSetUserConfigW	53	0x140024668
WTSShutdownSystem	54	0x140016b6c
WTSStartRemoteControlSessionA	55	0x140008fc0
WTSStartRemoteControlSessionW	56	0x140010620
WTSStopRemoteControlSession	57	0x14001f8fc
WTSTerminateProcess	58	0x140004a04
WTSUnRegisterSessionNotification	59	0x1400135e0
WTSUnRegisterSessionNotificationEx	60	0x140002d0c
WTSVirtualChannelClose	61	0x140028138
WTSVirtualChannelOpen	62	0x14001f368
WTSVirtualChannelOpenEx	63	0x140003fbc
WTSVirtualChannelPurgeInput	64	0x140009418
WTSVirtualChannelPurgeOutput	65	0x1400088c4
WTSVirtualChannelQuery	66	0x1400214e4
WTSVirtualChannelRead	67	0x140002f3c
WTSVirtualChannelWrite	68	0x140013f94
WTSWaitSystemEvent	69	0x140004dac

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwSetEvent	INLINE	explorer.exe
RtlAllocateMemoryBlockLookaside	INLINE	explorer.exe
RtlAllocateMemoryZone	INLINE	explorer.exe
NtSetEvent	INLINE	explorer.exe

Processes

Function Name	Hook Type	New Data
ZwSetEvent	INLINE	0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
RtlAllocateMemoryBlockLookaside	INLINE	0x48 0x88 0x89 0x9E 0xE0 0x03
RtlAllocateMemoryZone	INLINE	0x8D 0xDA 0xAC 0xC2 0x24 0x49
NtSetEvent	INLINE	0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

Target ID:	1
Start time:	21:45:11
Start date:	12/04/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\x64.dll"
Imagebase:	0x7ff60a190000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.435584389.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate

Target ID:	2
Start time:	21:45:11
Start date:	12/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Imagebase:	0x7ff602050000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	21:45:12
Start date:	12/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\x64.dll,IsInteractiveUserSession
Imagebase:	0x7ff6d35e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.508980143.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Target ID:	4
Start time:	21:45:12
Start date:	12/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\x64.dll",#1
Imagebase:	0x7ff6d35e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.415891174.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Target ID:	5
Start time:	21:45:14
Start date:	12/04/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff74fc70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	21:45:15
Start date:	12/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\x64.dll,QueryActiveSession
Imagebase:	0x7ff6d35e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.421971716.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Target ID:	8
Start time:	21:45:19
Start date:	12/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\x64.dll,QueryUserToken
Imagebase:	0x7ff6d35e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.429395051.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Target ID:	16
Start time:	21:46:11
Start date:	12/04/2022
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:	0x7ff6bd590000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	17
Start time:	21:46:13
Start date:	12/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\Cjaq.cmd
Imagebase:	0x7ff602050000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	20
Start time:	21:46:14
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	24
Start time:	21:46:25
Start date:	12/04/2022
Path:	C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Imagebase:	0x7ff7e4380000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.622884365.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Target ID:	25
Start time:	21:46:26
Start date:	12/04/2022
Path:	C:\Windows\System32\MDMAppInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\MDMAppInstaller.exe
Imagebase:	0x7ff7b4780000
File size:	145920 bytes
MD5 hash:	E2C777B6E3CE4C15C5657429A63787A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	26
Start time:	21:46:31
Start date:	12/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\tkcfGo.cmd
Imagebase:	0x7ff602050000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	27
Start time:	21:46:32
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	28
Start time:	21:46:34
Start date:	12/04/2022
Path:	C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Imagebase:	0x7ff7e4380000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.595393684.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security

Target ID:	29
Start time:	21:46:34
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /F /TN "Jvadjthzpd" /TR C:\Windows\system32\CCAL\MDMAppInstaller.exe /SC minute /MO 60 /RL highest
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	30
Start time:	21:46:36
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	31
Start time:	21:46:37
Start date:	12/04/2022
Path:	C:\Windows\System32\CCAL\MDMAppInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\CCAL\MDMAppInstaller.exe
Imagebase:	0x7ff6c5240000
File size:	145920 bytes
MD5 hash:	E2C777B6E3CE4C15C5657429A63787A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.604615787.0000000140001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Target ID:	33
Start time:	21:46:43
Start date:	12/04/2022
Path:	C:\Users\user\AppData\Roaming\R3POs\wermgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\R3POs\wermgr.exe"
Imagebase:	0x7ff7e4380000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.611146050.0000000140001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security

Target ID:	34
Start time:	21:46:56
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	35
Start time:	21:46:57
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	36
Start time:	21:47:20
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	37
Start time:	21:47:21
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	38
Start time:	21:47:42
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	39
Start time:	21:47:43
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	40
Start time:	21:48:04
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	41
Start time:	21:48:05
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	42
Start time:	21:48:26
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	43
Start time:	21:48:26
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	44
Start time:	21:48:47
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	45
Start time:	21:48:48
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	46
Start time:	21:49:09
Start date:	12/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /Query /TN "Jvadjthzpd"
Imagebase:	0x7ff701990000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	47
Start time:	21:49:09
Start date:	12/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language