Windows Analysis Report mal2.dll

Overview

General Information

Sample Name:	mal2.dll
Analysis ID:	532100
MD5:	9efbd03d5576686dd9f0678c09abe9fc
SHA1:	0b821e78137018bbf3f9c67d3b049e33d5b36ae5
SHA256:	972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.0.loaddll32.exe.d33b80.10.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Source: mal2.dll

ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files

Source: mal2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: mal2.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.573738619.0000000000F47000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.581262316.0000000000917000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.603106130.0000000000B7D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.602476954.0000000000B7D000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000019.00000003.602237788.0000000000BBB000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.593818088.00000000003D2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.603106130.0000000000B7D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.602476954.0000000000B7D000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC2FE7 FindFirstFileExW,		0_2_6EDC2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC2FE7 FindFirstFileExW,		2_2_6EDC2FE7

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 19

Source: svchost.exe, 00000004.00000002.567333158.0000028217E61000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640708267.0000000001128000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.639198752.0000000001128000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000004.00000002.567003860.0000028217E12000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000002.566413205.00000282128AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate
Source: Amcache.hve.22.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.388912529.0000020B26E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com/
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.387900433.0000020B26E69000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.388989382.0000020B26E6B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.387936814.0000020B26E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.388983797.0000020B26E66000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.388943903.0000020B26E41000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388024416.0000020B26E3E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.388970566.0000020B26E56000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388048361.0000020B26E50000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.782138.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d33b80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.782138.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.32a2138.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d33b80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.7a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.32a2138.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.d13d58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d33b80.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.d13d58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.566657802.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.642601650.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.567231949.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597839039.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596491370.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.564537877.000000000076A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.564875818.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.568652514.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643009162.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.545043648.0000000001060000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596841009.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.526115475.0000000003368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.564451857.0000000000650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.598456484.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.543502348.0000000000BA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.568840979.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.564446850.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.543542843.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: mal2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql:Zone.Identifier

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EDBD350 appears 32 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EDA1C10 appears 92 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EDBD350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EDA1C10 appears 97 times

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mal2.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql",vvWvMRmVQ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql",vvWvMRmVQ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5544:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4568:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1456

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007A151C push ds; ret	0_2_007A1527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007A150F push ds; ret	0_2_007A1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0106150F push ds; ret	2_2_01061527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0106151C push ds; ret	2_2_01061527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC9153 push ecx; ret	2_2_6EDC9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00DA151C push ds; ret	5_2_00DA1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00DA150F push ds; ret	5_2_00DA1527

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6152	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4644	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	API coverage: 7.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 9.8 %

Source: Amcache.hve.22.dr	Binary or memory string: VMware
Source: Amcache.hve.22.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000004.00000002.567333158.0000028217E61000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000019.00000003.639184264.0000000001110000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640688899.0000000001112000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000
Source: Amcache.hve.22.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000004.00000002.565370387.0000028212829000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.567296199.0000028217E55000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640605241.00000000010E0000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.639184264.0000000001110000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640688899.0000000001112000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.661148493.0000016AA0A29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007B4315 mov eax, dword ptr fs:[00000030h]	0_2_007B4315
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBC050 mov eax, dword ptr fs:[00000030h]	0_2_6EDBC050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBBFE0 mov esi, dword ptr fs:[00000030h]	0_2_6EDBBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBBFE0 mov eax, dword ptr fs:[00000030h]	0_2_6EDBBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC12CB mov ecx, dword ptr fs:[00000030h]	0_2_6EDC12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC298C mov eax, dword ptr fs:[00000030h]	0_2_6EDC298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_01074315 mov eax, dword ptr fs:[00000030h]	2_2_01074315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBC050 mov eax, dword ptr fs:[00000030h]	2_2_6EDBC050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBBFE0 mov esi, dword ptr fs:[00000030h]	2_2_6EDBBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBBFE0 mov eax, dword ptr fs:[00000030h]	2_2_6EDBBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC12CB mov ecx, dword ptr fs:[00000030h]	2_2_6EDC12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC298C mov eax, dword ptr fs:[00000030h]	2_2_6EDC298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00DB4315 mov eax, dword ptr fs:[00000030h]	5_2_00DB4315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6EDBCB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EDBD1CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EDC29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6EDBCB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EDBD1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EDC29E6

Source: loaddll32.exe, 00000000.00000000.567467606.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568950962.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596918132.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.598640462.0000000001430000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662938655.00000000030F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.567467606.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568950962.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596918132.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.598640462.0000000001430000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662938655.00000000030F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.567467606.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568950962.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596918132.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.598640462.0000000001430000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662938655.00000000030F0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.567467606.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568950962.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596918132.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.598640462.0000000001430000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662938655.00000000030F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.567467606.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568950962.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596918132.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.598640462.0000000001430000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662938655.00000000030F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.22.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000C.00000002.661306381.000001F0AB03E000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.661514183.000001F0AB102000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.661194912.000001F0AB029000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

ID:	532100
Product:	CloudBasic
Start time:	18:26:06
Start date:	01.12.2021
Sample:	mal2.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9efbd03d5576686dd9f0678c09abe9fc
SHA1:	0b821e78137018bbf3f9c67d3b049e33d5b36ae5
SHA256:	972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report mal2.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	46882A6830E76E84809FF61D41FC1A60	62C986CAD7FC75056669C8366B6299D7EC088CA9	763C6AFC1CDB01A68D4CA86AB03C92DF28C1E60C840AECC73FA960C48D26CD32
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xecb7d22b, page size 16384, Windows version 10.0	A47C47EF3D00475460F84F8516370E92	7F689445BF7967C5252B85CA244EE87D5B5C30C9	4F0043163E1434024C3DE253F0DAF6FE34477506B00A169EF90DEEEDC8B172BE
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	400EA9108E962862766500814F7D3466	87F9A5FC0B7C862F8C32D5847BCEF1C9450FE8A3	FD04432EDFD989575D48B36ECC56286B108A9917AB6A23E340A5168DB780C7BF
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_12d2c47d\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	BE82113082E2819C42982B02E0A9BD2E	0063CD51A4884D06C037EDAED974D114F1AE3B69	71EA212CDCB5DA9D3FB46094F4F25860CC7938FFBC922EAE53A7DE6F02E5149F
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_11fb1c03\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	5B1C5CCFBA925A0022F40E0CEE00FEDB	CA6DA28C640B5982213ACEF6FEC1B111C089EE22	57535D7DA24E9548E19ECAE80CEA01F7D68326C3EEC78D647305F3F7B3399D1F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB46F.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 02:29:43 2021, 0x1205a4 type	AAB65F6BFD0CCCB966FA7D8B3C42EED1	C5208BC22BF1768A49E1FAC1868CE5786BC7496B	DB94B5E3D75A56D250D4A656C127B918D42A8B88635C72D0D4C3811F2C23DE9E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8C6.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	E1387B79527B0F7C5B2F7AF6E4A19E54	44B0651BB01C15A2813E87D0D623A0F02354EA1B	420AE0927113DAF8FD0BC36D83AB80D62239FB7E9B7AE97DDF382FD72CDEFAA0
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC41.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	2D3F62C4A24855DABE5433BF864A0808	425FDF2F32B9B96E06F14A0737032C6D05F1D61F	BFA43B078D32ADB3D8A78A94108E56A392A80539D2F451E338647F61858FFF58
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD250.tmp.csv	data	9D6EA18F0C9A3E42895DCE6A7D053153	292776A1784841FB8747847B331AF63CC0BE3B5F	3AA4FBF2E7004BFF21138200358B14F8163767731CD42A4A998E08E996458596
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD704.tmp.txt	data	8BCF9317469B01F7DA25DEBEB94A1BC3	0C8E3189A1989713BC69F55BCECC9A7259C59EDC	81A00250D03925CE08193E09D29FCA1034984D12ED7268F7DA2FEEC1F3505B99
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC2B.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 02:29:53 2021, 0x1205a4 type	B6F12D89DCD06074C15E346D0C902E31	13044E542E7BDE9206E9825793CF5F392E16F43D	1D1EA0E145FECBFAE10B1267DF2ED6619DB413D1A0AB930E4065875FF9939DA1
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6BB.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	E93183C3F58E98E6C1E7DA3D5B4F4ACE	A380DC8E1EC24DE82245EAFAA86E036038CCB650	9825CFD4238956F06D375D3065938D03A0CEEED6C4E657DE6CD2A3D1FA28FAF3
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAD3.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0CCD3E2FE0BCD82AFC1EF99DC0F4B7FE	540B7C5A57950860C3DAB0B07F22C461C6B52EB1	8AF913F7FD1C2FA96865DCC8F62FB4F94C9A32F673AB8AB2C91864911CD94E65
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D.tmp.txt	data	56AE4194C1BB65AD9AF492B9491A5C71	15B5F6602BEE253ED6D9CE5F8010BD8FFAC71029	7212649472ABFBE93D55BB3A2E96A261A09CCAB292AFBB723DDD54E1C2CCAD8D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFDB.tmp.csv	data	CCAEEAC32B5802D28F61DC7EB35C34B6	22B309FDB15FE6C3A19670D7F3C60B029CD95906	DB8FF87D34A276D88FD5E154A2EFEE86C440FAEDB82344B95A7D7FE6DC6A5F53
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	95A18A0B546B551A9112E9FEBA266B36	BA13E20597440DEEA08F7EA9DE5005359510D0FF	BC6DE2D0EDE221EB64960702F74D1F894897F276389FC07DC69E9033E5671555
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_022741_833.etl	data	E0D1E78802BDE82B83FD99A15EF7BABA	B3DC38EBD2659EFBA4CE05162C54A32E76DCE98A	DF16AD69D70D465FAC34CB8F4053CA88A4438A02C8BF5535B4F7BBCF7195E661
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	045F66989BC9205C456E041FFFC8F4ED	658910D42949706991D1B2456FA0A15ED51EFEE2	494836BB7203B77BD212C641C1FFC4C82CA86FE0A8716604C8982D62B53FBE3A
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	F1B58F5B7D299D4061CA93F06CEB6B6E	ED84123DB60948661D8BAE7F50B35057673F4ADC	E3BD54AA97BE3E68FBF0C4A185A622D67132835F785F516BCF5EA231B3E23E29