Windows Analysis Report mal2.exe

Overview

General Information

Sample Name:	mal2.exe (renamed file extension from exe to dll)
Analysis ID:	532100
MD5:	9efbd03d5576686dd9f0678c09abe9fc
SHA1:	0b821e78137018bbf3f9c67d3b049e33d5b36ae5
SHA256:	972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 4.2.rundll32.exe.33f3568.1.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Source: mal2.dll

ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files

Source: mal2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: mal2.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.594790225.00000000005D3000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594905984.00000000005D3000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594721838.0000000004257000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.594862234.00000000005D9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594794787.00000000005D9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.594862234.00000000005D9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594794787.00000000005D9000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.594790225.00000000005D3000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594905984.00000000005D3000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.596491240.00000000045E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.625997812.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.605555284.0000000000162000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F2FE7 FindFirstFileExW,		0_2_6E9F2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9F2FE7 FindFirstFileExW,		3_2_6E9F2FE7

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 19

Source: svchost.exe, 00000005.00000002.627977305.0000017C92263000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.645558527.0000000004D80000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.647849827.0000000004D82000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000018.00000002.647603781.0000000003238000.00000004.00000020.sdmp	String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000005.00000002.627977305.0000017C92263000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: Amcache.hve.20.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.445658680.000001F6D4413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.785008131.0000020F91447000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.785008131.0000020F91447000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.785008131.0000020F91447000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com/
Source: svchost.exe, 00000008.00000002.785008131.0000020F91447000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.784824630.0000020F91429000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.784824630.0000020F91429000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420087744.000001F6D444D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.420113403.000001F6D4442000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.456157837.000001F6D4444000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420122458.000001F6D4443000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.420113403.000001F6D4442000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.456157837.000001F6D4444000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420122458.000001F6D4443000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000002.463794574.000001F6D446B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420041356.000001F6D4469000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.445658680.000001F6D4413000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.420113403.000001F6D4442000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.456157837.000001F6D4444000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420122458.000001F6D4443000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000002.458236717.000001F6D4450000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420079711.000001F6D444F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.420098538.000001F6D4449000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420113403.000001F6D4442000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457191441.000001F6D444A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000A.00000003.420087744.000001F6D444D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.420098538.000001F6D4449000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457191441.000001F6D444A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.420098538.000001F6D4449000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457191441.000001F6D444A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.420109133.000001F6D4447000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.420073505.000001F6D4452000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.420113403.000001F6D4442000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.456157837.000001F6D4444000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.420122458.000001F6D4443000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 0000000A.00000002.455572728.000001F6D4441000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.450549356.000001F6D4429000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.371729055.000001F6D4434000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.454601455.000001F6D443D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.454601455.000001F6D443D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 4.2.rundll32.exe.33f3568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.34a3590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2e43620.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2e43620.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.743608.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2d13590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.743608.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.33f3568.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.3d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.743608.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.34a3590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2d13590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.582902080.00000000003D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.648394572.00000000003D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.583952569.000000000073C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582956002.000000000073C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.584098715.000000000348A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.516939177.0000000002A69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.583809959.00000000003D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.609571158.00000000003D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.584033877.0000000003310000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.608882072.000000000073C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.529764323.00000000033DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.529712729.0000000002FD0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.689618667.0000000002E43000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.648560636.000000000073C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.608527561.00000000003D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.689328913.0000000002B90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.610069085.000000000073C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.591122734.0000000002C60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.533471939.0000000002810000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.591237102.0000000002CFA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: mal2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7004 -ip 7004

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Uikrpc\tumwlrzamddm.oli:Zone.Identifier

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9D1C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9ED350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E9D1C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E9ED350 appears 33 times

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mal2.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uikrpc\tumwlrzamddm.oli",YjMy
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7004 -ip 7004
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 308
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7004 -ip 7004
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 316
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uikrpc\tumwlrzamddm.oli",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uikrpc\tumwlrzamddm.oli",YjMy	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uikrpc\tumwlrzamddm.oli",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7004 -ip 7004	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 308	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7004 -ip 7004	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 316	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5480:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4152:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7120:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_003D151C push ds; ret	0_2_003D1527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_003D150F push ds; ret	0_2_003D1527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F9153 push ecx; ret	0_2_6E9F9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02826496 push ecx; retf	3_2_02826497
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0281150F push ds; ret	3_2_02811527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0281151C push ds; ret	3_2_02811527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0282B16F push ss; retf	3_2_0282B182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9F9153 push ecx; ret	3_2_6E9F9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FE6496 push ecx; retf	4_2_02FE6497
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FEB16F push ss; retf	4_2_02FEB182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FD151C push ds; ret	4_2_02FD1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FD150F push ds; ret	4_2_02FD1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0331151C push ds; ret	6_2_03311527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0331150F push ds; ret	6_2_03311527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0332B16F push ss; retf	6_2_0332B182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_03326496 push ecx; retf	6_2_03326497
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02C76496 push ecx; retf	7_2_02C76497
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02C7B16F push ss; retf	7_2_02C7B182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02C6150F push ds; ret	7_2_02C61527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02C6151C push ds; ret	7_2_02C61527

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 2168	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4720	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	API coverage: 6.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 9.3 %

Source: Amcache.hve.20.dr	Binary or memory string: VMware
Source: Amcache.hve.20.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000005.00000002.627977305.0000017C92263000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.20.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000005.00000002.627940866.0000017C92256000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.626695848.0000017C8CC29000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.647786579.0000000004D50000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.645558527.0000000004D80000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.647849827.0000000004D82000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.20.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.20.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: svchost.exe, 00000008.00000002.785008131.0000020F91447000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.785032852.00000183EA629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.20.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_003E4315 mov eax, dword ptr fs:[00000030h]	0_2_003E4315
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EC050 mov eax, dword ptr fs:[00000030h]	0_2_6E9EC050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EBFE0 mov esi, dword ptr fs:[00000030h]	0_2_6E9EBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EBFE0 mov eax, dword ptr fs:[00000030h]	0_2_6E9EBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F12CB mov ecx, dword ptr fs:[00000030h]	0_2_6E9F12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F298C mov eax, dword ptr fs:[00000030h]	0_2_6E9F298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02824315 mov eax, dword ptr fs:[00000030h]	3_2_02824315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9EC050 mov eax, dword ptr fs:[00000030h]	3_2_6E9EC050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9EBFE0 mov esi, dword ptr fs:[00000030h]	3_2_6E9EBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9EBFE0 mov eax, dword ptr fs:[00000030h]	3_2_6E9EBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9F12CB mov ecx, dword ptr fs:[00000030h]	3_2_6E9F12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9F298C mov eax, dword ptr fs:[00000030h]	3_2_6E9F298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FE4315 mov eax, dword ptr fs:[00000030h]	4_2_02FE4315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_03324315 mov eax, dword ptr fs:[00000030h]	6_2_03324315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02C74315 mov eax, dword ptr fs:[00000030h]	7_2_02C74315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9ECB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E9ECB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9ED1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9ED1CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9F29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9ECB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E9ECB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9ED1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E9ED1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9F29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E9F29E6

Source: loaddll32.exe, 00000000.00000000.587470412.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.609050621.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.610170018.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.583006509.0000000000F60000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.787416473.0000000002DB0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000000.587470412.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.609050621.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.610170018.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.583006509.0000000000F60000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.787416473.0000000002DB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.587470412.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.609050621.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.610170018.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.583006509.0000000000F60000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.787416473.0000000002DB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.587470412.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.609050621.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.610170018.0000000000F60000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.583006509.0000000000F60000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.787416473.0000000002DB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.20.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000C.00000002.784851404.000001B3C2A40000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.785074018.000001B3C2B02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

ID:	532100
Product:	CloudBasic
Start time:	18:09:23
Start date:	01.12.2021
Sample:	mal2.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9efbd03d5576686dd9f0678c09abe9fc
SHA1:	0b821e78137018bbf3f9c67d3b049e33d5b36ae5
SHA256:	972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report mal2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	B2D45A80EA769F25C1C2EFDD67818C3A	45AC7A4AECB297426301AC11FC4DF16551BBAAC9	5C083C754299A4D45F65F8A74042F97FF42E26316F60C5CF2AC8AA84C8D2ED7E
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x16be3dae, page size 16384, Windows version 10.0	63702945B791BBB0C21E40878F2A5902	8A0ED5C5807DBF6C51B0EF4EA541E73D2C4B1121	26C672ECC68B6B031FE175CCFAED8FA2C31579A37673200AB3CADFC20D492359
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	8CA951A8A7C1C8A9DACAA71B609D252F	9A6E040171D53DB4215BE31EDB6A179E64F7CAC6	7E479E3240DA4D61AB81231F0B350F1E810D251809FA7D953C54AB910C3AE9DF
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8f98a6f9895b5a351f9a3e818d899c7f87e7c39c_d70d8aa6_123f08d6\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	51B76B0379E94D60BCEE38EF6771D5BB	DB76C11D87138DA8DAFF21CE3DBC4F49D5CB833F	FFD4C554AC1546ADEF3BE859F5AEFE12EE0C4FD78E33DD7D3B46F594DEEF43F3
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_c88ef9c8adc7184426523373a8db842e0fd5b2a_d70d8aa6_1bb754a4\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	CDA0FB1E6A591094C106B5158EBE1C9D	0236BEA4B212F842FC3928773D669AE3D2E1B2C3	22F608F1D8782385FF97ADB0A614DB7E0103F408695E6797E7E39D055C5C44BD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E23.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 02:13:15 2021, 0x1205a4 type	2C4D62CC88717CC16B20E26D6AAA523F	B2EEC3F7353D7D562834F5E81EE80B0D83C56CA5	A41FC2670FA57445DAB6C93AC789391A83CBE29385F1B98DE623430CB6826267
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B5B.tmp.csv	data	F704F9AE085C2CCC51E3B37B5A68DFE3	6F0A1F98B0E06DDF956E3B8C61DF55273446D142	EFF204574EE97A4AE40CEC16E9228126E7D18F29E78533A8FC62DE3D48A7C302
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F05.tmp.txt	data	9D9F8B22466D8BA50B02FF98B0F7C6C3	07956404C1BEC89AB3BDE05D2B15A67F88066781	7646F378ACCA679D6E379C305E7728CD01D892747552214921423E3B0BFF3145
C:\ProgramData\Microsoft\Windows\WER\Temp\WER32A6.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	5B0A2062FAA55CC78242B7E69034BF12	90456C6AA95D2B9426CB584E0686D7B7922E4E41	A8A0729294D9FBACEB9E5D55478595F4CE3030E0F1B8F8F6C2132B7F46B47542
C:\ProgramData\Microsoft\Windows\WER\Temp\WER37E7.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A1B6B041C21EE3BE5B6FB46B239C1DBB	40AF645A3B5ECB412ABD7B15E26797ADF933F779	CDDD4313FEB364D60F80FFF918CBEC7E5FEA31A90D9E72BBEB1CA00574BB8B94
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF332.tmp.csv	data	2F9D4E1607FC24DD03F01DD170D2B9A8	8FA16BF2E54680E537D5B2C358BA0AB5E9DABD38	FF7114A8B3D440724F271649D8FE49B8301F8D445F9CFB7936FADF062C673287
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8C8.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 02:13:05 2021, 0x1205a4 type	F8961A93E50ED97FFE44916749FCEAC7	5689BAE7D2A7DB46F82341446208835091C019BB	8FD8510E9EDCEF00977C874670F4CD0AD95896F557CC90737CDB459A911984FD
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF93D.tmp.txt	data	FAA6916AB10486DBDCDA647FD3C22ECC	7BC2EA7F84AA1D9C4E8FF1499E0C49E043545734	D1C691161044900D903896BC1FAFF5FA543CD7A0CB0717101434925ED7CB2E80
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBB7.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	D4C611C377032E97C2514E543BB198B4	91A8A0CD69F4772E4E8BB7D4084F5CF46EB135BF	7740A1B3FB7690E525C0526C7CAEB3290AF346949FB78E571970FE06BC4544D5
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFDF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	901E663F0689D125D6ED87EBC8E7EBEF	9EBD1B7A72B205A1F995C0DF47685FF07ECEAE01	0824B40182C7B089DCB66351F0F2D9C1FDE066769E6E7B014409EECF8FA2A36D
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	708EB5390168D51F37F4E458111AE8C0	32A1F28C8D08B78FF0AC63D928828BF4579A3FE5	15D587646AB66CD629120DA96B4F2043484269593D358D0CEE8C2894776056F8
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_021113_237.etl	data	FA329CB7429526B6B8B03ADEEC413C38	3FBFA81DF63214471F74855DF2BE06F66B07D83C	50D80E5A9FCF52876BE9AD97E3A1278702058E90838C4C343B8218532FBBBB9B
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	7D64DE8A1535F4B540BB6ED4F7E51FF4	2BEDF1022F0A77D4753646BA64F5C4F5D6F689D5	60C7918C794CEDC0432EBAB947B5D2EB7C121013A453FC6D876BC542D9AC3AFC
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	35695BB667336783ACB77AEB95BE7D00	1A6F38BEF0C27EDB367C857262A0FCFCC9F6B082	B78F86458D4F5F86622245D0C68CC07F81F8B6A8E3286CDE19D2CDD073605BB6