Windows Analysis Report
sample

Overview

General Information

Sample Name: sample (renamed file extension from none to dll)
Analysis ID: 676610
MD5: 8d925c0da257436438893e6fe7ce2f4f
SHA1: c0ff465eb0b6ccc0f3a36bb593ced7453736a750
SHA256: 16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c
Tags: dll

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
One or more processes crash
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the Windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: sample.dll Virustotal: Detection: 80%
Source: sample.dll Metadefender: Detection: 70%
Source: sample.dll ReversingLabs: Detection: 85%
Source: sample.dll Avira: detected
Source: https://157.245.145.87:443/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ Avira URL Cloud: Label: malware
Source: https://163.53.204.180:443/8vl90912xxgd2/vzcu9no9/ Avira URL Cloud: Label: malware
Source: sample.dll Joe Sandbox ML: detected
Source: 2.2.rundll32.exe.10000000.2.raw.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}
Source: sample.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20220801_204255_503.etl.15.dr

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 116.202.10.123 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 203.157.152.9 7080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 91.93.3.85 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.96.190.154 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 109.99.146.210 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.107.118.125 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 163.53.204.180 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 157.245.145.87 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: MOPH-TH-APInformationTechnologyOfficeSG
Source: Joe Sandbox View IP Address: 116.202.10.123
Source: Joe Sandbox View IP Address: 203.157.152.9
Source: global traffic HTTP traffic detected:
  POST /mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ HTTP/1.1
  DNT: 0
  Referer: 157.245.145.87/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/
  Content-Type: multipart/form-data; boundary=-----------------------mlpYKhZmEPpzkygQscIgNsf
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 157.245.145.87:443
  Content-Length: 5636
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /8vl90912xxgd2/vzcu9no9/ HTTP/1.1
  DNT: 0
  Referer: 163.53.204.180/8vl90912xxgd2/vzcu9no9/
  Content-Type: multipart/form-data; boundary=---------------57LyBAPiCcL27kG
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 163.53.204.180:443
  Content-Length: 5604
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.2.3:49759 -> 203.157.152.9:7080
Source: global traffic TCP traffic: 192.168.2.3:49769 -> 109.99.146.210:8080
Source: global traffic TCP traffic: 192.168.2.3:49800 -> 116.202.10.123:8080
Source: global traffic TCP traffic: 192.168.2.3:49834 -> 91.93.3.85:8080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 203.157.152.9
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.145.87
Source: unknown TCP traffic detected without corresponding DNS query: 109.99.146.210
Source: unknown TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: unknown TCP traffic detected without corresponding DNS query: 163.53.204.180
Source: unknown TCP traffic detected without corresponding DNS query: 190.107.118.125
Source: unknown TCP traffic detected without corresponding DNS query: 91.93.3.85
Source: svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.771526446.0000029548DE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.633814471.000001B27DF06000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.619778397.000001B27DF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.619719368.000001B27DF03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DataStore.edb.13.dr String found in binary or memory: http://crl.m
Source: sample.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.770223866.00000295439CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: sample.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/crup/2019/01/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_base_c14780cb9d5b4186
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_base_f13cce5fe6d5899e
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_delta_1d89462b9fd63f7
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_delta_2515cac5324726b
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_engine_4a6bfe9bdf9610
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103729-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/09/windows10.0-kb4457146-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/11/windows10.0-kb4467694-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/02/windows10.0-kb4487038-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/03/windows10.0-kb4489907-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/04/windows10.0-kb4493478-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/05/windows10.0-kb4497932-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503308-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2018/10/windows10.0-kb4462930-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/02/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/02/windows10.0-kb4346084-v3
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/03/windows10.0-kb4480730-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/06/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2019/03/windows-kb890830-x64-v5.
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/11/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/12/mpsigstub_e2cf99f9fe2435
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/05/am_engine_4bd807c2ad329f
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_26592077dcd864e
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_71582bbecccb8ef
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_7500d7907ca7757
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_830990588e5a078
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4287903-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4338832-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/08/windows10.0-kb4343902-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/11/windows10.0-kb4477029-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/12/windows10.0-kb4471331-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/01/windows10.0-kb4480979-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2018/09/windows10.0-kb4100347-v3
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2018/10/windows10.0-kb4100347-v4
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/02/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/03/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/05/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/05/windows10.0-kb4480730-x6
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2019/04/windows-kb890830-x64-v5.
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2019/05/windows-kb890830-x64-v5.
Source: DataStore.edb.13.dr String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2019/06/windows-kb890830-x64-v5.
Source: sample.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: svchost.exe, 0000000B.00000002.363203777.000001E26E213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr String found in binary or memory: http://www.windowsphone.com/
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr String found in binary or memory: http://www.xbox.com/
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.362958279.000001E26E25A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.363247965.000001E26E24E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362936248.000001E26E248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362989402.000001E26E241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362989402.000001E26E241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.362958279.000001E26E25A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.363263870.000001E26E264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr String found in binary or memory: https://live.xbox.com/purchase/xbox/
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr String found in binary or memory: https://login.windows.net/common
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr String found in binary or memory: https://profile.xboxlive.com/users/batch/profile/settings
Source: sample.dll String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr String found in binary or memory: https://storeedgefd.dsx.mp.micr
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363203777.000001E26E213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362985130.000001E26E245000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362985130.000001E26E245000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363234025.000001E26E23B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.363247965.000001E26E24E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362936248.000001E26E248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown HTTP traffic detected:
POST /mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ HTTP/1.1
DNT: 0
Referer: 157.245.145.87/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/
Content-Type: multipart/form-data; boundary=-----------------------mlpYKhZmEPpzkygQscIgNsf
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 157.245.145.87:443
Content-Length: 5636
Connection: Keep-Alive
Cache-Control: no-cache
Source: loaddll32.exe, 00000000.00000002.341930535.00000000009EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
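The POST request captured above carries several traits that are characteristic of Emotet check-in traffic rather than of a browser: cleartext HTTP sent to port 443 of a bare IP, a Referer that simply repeats the request URL without a scheme, a hard-coded Mozilla/4.0 MSIE 7.0 user agent on a Windows 10 host, a multipart/form-data body, and a path built from generated alphanumeric segments. The following is an added example, not code from the report or from Joe Sandbox, that parses a raw request and scores those indicators. The captured request is reconstructed from the headers listed above; the benign request, the indicator names and the idea of scoring rather than alerting on a single hit are this example's own assumptions.

```python
import re

# Request reconstructed from the report's "HTTP traffic detected" entry.
CAPTURED_REQUEST = (
    "POST /mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ HTTP/1.1\r\n"
    "DNT: 0\r\n"
    "Referer: 157.245.145.87/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/\r\n"
    "Content-Type: multipart/form-data; boundary=-----------------------mlpYKhZmEPpzkygQscIgNsf\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: 157.245.145.87:443\r\n"
    "Content-Length: 5636\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign upload for contrast; not from the report.
BENIGN_REQUEST = (
    "POST /api/v1/upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)

IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def looks_generated(segment):
    """Alphanumeric run mixing letters and digits, the shape of Emotet's URI parts."""
    return (segment.isalnum() and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def score_request(raw):
    """Return (score, indicators) for one request; the score is the indicator count."""
    method, path, h = parse_request(raw)
    host = h.get("host", "")
    hostname, _, port = host.partition(":")
    ctype = h.get("content-type", "")
    referer = h.get("referer", "")
    ua = h.get("user-agent", "")
    hits = []
    if IPV4_HOST_RE.match(host):
        hits.append("host_is_bare_ip")
    if port == "443":
        # The request was readable on the wire, so a Host naming the TLS port
        # means cleartext HTTP to 443.
        hits.append("cleartext_http_to_443")
    if referer and not SCHEME_RE.match(referer):
        hits.append("referer_without_scheme")
    if referer and referer == hostname + path:
        hits.append("referer_mirrors_request")
    if "MSIE" in ua and "Windows NT 10.0" in ua:
        # Also what IE11 sends in compatibility view, so never alert on this alone.
        hits.append("legacy_msie_ua_on_win10")
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 3 and sum(map(looks_generated, segments)) >= 3:
        hits.append("generated_path_segments")
    if method == "POST" and ctype.startswith("multipart/form-data") and IPV4_HOST_RE.match(host):
        hits.append("multipart_post_to_bare_ip")
    return len(hits), hits


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        score, hits = score_request(req)
        print(f"{label}: score={score} {hits}")
```

Every indicator here occurs in legitimate traffic now and then (intranet hosts addressed by IP, compatibility-view IE), so the value is in the combination: the captured request fires all seven, the constructed benign upload none. In a proxy or IDS pipeline the same checks belong on the decoded request, keyed by the Host header rather than by the destination port alone, since the sandbox saw this request in the clear on 443.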

E-Banking Fraud

Source: Yara match File source: 8.2.rundll32.exe.2e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.335758052.0000000000A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.767352719.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.332283199.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331704119.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331683572.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.341884681.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.335476233.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.332269283.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.332361997.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.766565506.0000000000D60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.767779490.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.337892892.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.341860463.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331772344.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.360786510.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.360804490.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.360909118.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: sample.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 344
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba:Zone.Identifier Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ttwabgporcdt\ Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A0F1 0_2_1001A0F1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012C05 0_2_10012C05
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001806 0_2_10001806
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002208 0_2_10002208
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000240F 0_2_1000240F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E612 0_2_1000E612
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10006417 0_2_10006417
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10005418 0_2_10005418
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A821 0_2_1000A821
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010223 0_2_10010223
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10018C2B 0_2_10018C2B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D02D 0_2_1001D02D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012631 0_2_10012631
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10018A33 0_2_10018A33
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014C37 0_2_10014C37
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004844 0_2_10004844
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E044 0_2_1000E044
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10015250 0_2_10015250
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010672 0_2_10010672
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BE74 0_2_1000BE74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001AA7B 0_2_1001AA7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000327F 0_2_1000327F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DE81 0_2_1000DE81
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011090 0_2_10011090
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014A9E 0_2_10014A9E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CAA3 0_2_1000CAA3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A6C9 0_2_1000A6C9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A2D2 0_2_1000A2D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C6D9 0_2_1001C6D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D2DD 0_2_1000D2DD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D4E1 0_2_1001D4E1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D6F0 0_2_1000D6F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000ECFE 0_2_1000ECFE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10005F04 0_2_10005F04
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014F04 0_2_10014F04
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009106 0_2_10009106
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D70B 0_2_1001D70B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A525 0_2_1000A525
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009D2F 0_2_10009D2F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001CF31 0_2_1001CF31
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007731 0_2_10007731
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003336 0_2_10003336
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003938 0_2_10003938
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007B39 0_2_10007B39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C145 0_2_1000C145
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019B4A 0_2_10019B4A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013F4F 0_2_10013F4F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001434E 0_2_1001434E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001135B 0_2_1001135B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C364 0_2_1000C364
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B165 0_2_1001B165
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A966 0_2_1001A966
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000F369 0_2_1000F369
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003B74 0_2_10003B74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007378 0_2_10007378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10005B7D 0_2_10005B7D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017187 0_2_10017187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011F88 0_2_10011F88
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010B8A 0_2_10010B8A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004D90 0_2_10004D90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013590 0_2_10013590
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C192 0_2_1001C192
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BB96 0_2_1000BB96
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012FA1 0_2_10012FA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100193AA 0_2_100193AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003FAF 0_2_10003FAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000ADAF 0_2_1000ADAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100147B5 0_2_100147B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100109B8 0_2_100109B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000F9BA 0_2_1000F9BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000FFBA 0_2_1000FFBA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019DBF 0_2_10019DBF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017BBE 0_2_10017BBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001DBC4 0_2_1001DBC4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100057D4 0_2_100057D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002DDF 0_2_10002DDF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000F5E0 0_2_1000F5E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016BE4 0_2_10016BE4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001CBE7 0_2_1001CBE7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100067EF 0_2_100067EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001BBF1 0_2_1001BBF1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100035FC 0_2_100035FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007FFE 0_2_10007FFE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011DFE 0_2_10011DFE
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: sample.dll Virustotal: Detection: 80%
Source: sample.dll Metadefender: Detection: 70%
Source: sample.dll ReversingLabs: Detection: 85%
Source: sample.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\sample.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 344
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
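The process list above shows the chain a detection rule should key on: loaddll32.exe and the cmd.exe /C rundll32.exe line are the sandbox's way of invoking a DLL sample, but the two rundll32.exe launches that follow are the sample's own behaviour. They load the moved copy of the DLL from a randomly named directory under SysWOW64 with a non-DLL extension (.pba), once by an exported name (iNIZBi) and once by ordinal (#1), each spawned by another rundll32.exe. The System32 and SysWOW64 paths refer to the same directory here, because a 32-bit process sees System32 redirected to SysWOW64. The following added example, not code from the report or from Joe Sandbox, reconstructs those process-creation events and scores each rundll32 launch on those traits; the PIDs, the parent links and the benign explorer/rundll32 pair are this example's assumptions.

```python
import os
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Process creations as the report lists them. PIDs and parent links are
# assumed for this example; the report does not print them in this section.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\sample.dll"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1'),
    ProcEvent(102, 101, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\sample.dll",#1'),
    ProcEvent(103, 102, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi'),
    ProcEvent(104, 103, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1'),
    # Constructed benign rundll32 use for contrast (not from the report).
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


def basename(path):
    """Last component of a Windows path, lower-cased (works on non-Windows hosts)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1).strip(), m.group(2).strip()) if m else None


def inspect_rundll32(ev, parent):
    """Score one rundll32 launch; returns (score, findings)."""
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return 0, []
    module, entry = parsed
    findings = []
    if os.path.splitext(basename(module))[1] not in LOADABLE_EXTS:
        findings.append("module_not_dll_extension")       # .pba in the report
    parts = module.lower().split("\\")
    if len(parts) > 4 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
        findings.append("module_in_system_subdir")        # e.g. SysWOW64\Ttwabgporcdt\
    if entry.startswith("#"):
        findings.append("ordinal_entrypoint")
    if parent is not None and basename(parent.image) == "rundll32.exe":
        findings.append("parent_is_rundll32")             # relaunch after the file move
    return len(findings), findings


def analyze(events):
    """Map pid -> (score, findings) for every rundll32.exe creation."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: inspect_rundll32(e, by_pid.get(e.ppid))
            for e in events if basename(e.image) == "rundll32.exe"}


def alerts(events, threshold=3):
    """PIDs whose score reaches the threshold; 3 separates the two relaunches here."""
    return sorted(pid for pid, (score, _) in analyze(events).items() if score >= threshold)


if __name__ == "__main__":
    for pid, (score, findings) in analyze(EVENTS).items():
        print(pid, score, findings)
```

The first rundll32 launch scores only on the ordinal entry point, which is also how the sandbox calls any DLL, so it stays below the threshold; the two relaunches of the moved .pba file score three and four. The same four conditions translate directly to a Sysmon event ID 1 or EDR query on Image, ParentImage and CommandLine.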
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER922F.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@26/27@0/11
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5836
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1464:120:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20220801_204255_503.etl.15.dr
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000100B push ss; iretd 0_2_1000100C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008CEED0 push edx; ret 2_2_008CEFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008B3868 push ebp; ret 2_2_008B3878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008B13BB push ss; iretd 2_2_008B13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008B53F7 push 00000072h; retf 2_2_008B53FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008B134B push 68244072h; iretd 2_2_008B1350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008B146C pushad ; iretd 2_2_008B146D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00D5EED0 push edx; ret 16_2_00D5EFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00D43868 push ebp; ret 16_2_00D43878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00D453F7 push 00000072h; retf 16_2_00D453FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00D413BB push ss; iretd 16_2_00D413C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00D4134B push 68244072h; iretd 16_2_00D41350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00D4146C pushad ; iretd 16_2_00D4146D
Source: sample.dll Static PE information: section name: .text4
Source: sample.dll Static PE information: section name: .text8
Source: sample.dll Static PE information: section name: .text7
Source: sample.dll Static PE information: section name: .text6
Source: sample.dll Static PE information: section name: .text5
Source: sample.dll Static PE information: real checksum: 0x605d1 should be: 0x5c59f
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba Jump to behavior
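The static findings above (section names .text4 through .text8 next to .text, and a header CheckSum of 0x605d1 where the file content gives 0x5c59f) are typical of a binary rewritten by a packer or crypter after linking. Windows does not verify the CheckSum for user-mode DLLs, so the mismatch does not affect loading; it is a fingerprint of post-link modification. The following added example, not code from the report or from Joe Sandbox, parses the section table and recomputes the CheckSum the way imagehlp's CheckSumMappedFile does. Because the sample itself is not on this page, it runs on a constructed headers-only PE32 image whose field values are arbitrary apart from the stored checksum, which reuses the report's 0x605d1 for illustration.

```python
import struct

# Section names a typical linker produces; anything else is reported.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}


def build_min_pe(section_names, stored_checksum):
    """Construct a headers-only PE32 DLL image (constructed stand-in, not the sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                     # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(section_names),
                       0x62E80000, 0, 0, 224, 0x2102)              # i386, 32-bit, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)   # ImageBase, aligns
    struct.pack_into("<I", opt, 64, stored_checksum)                # CheckSum field
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos + coff + opt + secs)


def parse_pe(data):
    """Return (section_names, stored_checksum, checksum_field_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    cksum_off = opt_off + 64                  # same offset in PE32 and PE32+
    stored, = struct.unpack_from("<I", data, cksum_off)
    sec_off = opt_off + opt_size
    names = []
    for i in range(nsec):
        raw, = struct.unpack_from("<8s", data, sec_off + 40 * i)
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names, stored, cksum_off


def pe_checksum(data, cksum_off):
    """Recompute the header CheckSum: sum the file as 32-bit words, skipping the
    CheckSum field itself, fold carries down to 16 bits, then add the file size.
    cksum_off must be 4-byte aligned, which it is for any normally laid-out PE."""
    total = 0
    for off in range(0, len(data) - len(data) % 4, 4):
        if off == cksum_off:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    if len(data) % 4:
        tail = data[len(data) - len(data) % 4:]
        total += int.from_bytes(tail.ljust(4, b"\0"), "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def check_pe(data):
    """Static findings for one file: odd section names and CheckSum agreement."""
    names, stored, off = parse_pe(data)
    computed = pe_checksum(data, off)
    return {
        "sections": names,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "stored_checksum": stored,
        "computed_checksum": computed,
        # A zero CheckSum means the linker never set one; only a non-zero
        # value that disagrees with the file is the "invalid checksum" finding.
        "checksum_valid": stored == 0 or stored == computed,
    }


if __name__ == "__main__":
    print(check_pe(build_min_pe([".text", ".text4", ".text8"], 0x605D1)))
```

To run this on a real file, pass the bytes of the file on disk to check_pe; the checksum is defined over the file image, not the mapped image. Treat a zero CheckSum as "unset" (common for unsigned, non-driver binaries) and only a non-zero mismatch as the finding the report calls an invalid checksum.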

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe TID: 2192 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4588 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5940 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4880 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe API coverage: 0.0 %
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000001D.00000002.633610730.000001B27D6DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWW
Source: svchost.exe, 0000000D.00000002.769088311.00000295437E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`B
Source: svchost.exe, 0000000D.00000002.770670389.0000029544298000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: H=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 0000000D.00000002.768772440.0000029543790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: DataStore.edb.13.dr Binary or memory string: /SLS/{855E8A7C-ECB4-4CA3-B045-1DFA50104289}/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.769868932.0000029543996000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAWen-USn
Source: svchost.exe, 0000000D.00000002.771086416.00000295489C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 34.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 0000000D.00000002.768772440.0000029543790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 00000003.00000002.766520789.00000196DDA02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000005.00000002.678197048.000001EE1C45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.769702405.0000029543963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.633643169.000001B27D6EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.677583393.000001EE16E29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}F
Source: DataStore.edb.13.dr Binary or memory string: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: DataStore.edb.13.dr Binary or memory string: /SLS/{8B24B027-1DEE-BABB-9A95-3517DFB9C552}/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 00000003.00000002.766922630.00000196DDA56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.766800905.0000014A1D429000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000D.00000002.771046675.0000029548960000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 0000001D.00000003.619559873.000001B27D6B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.633554534.000001B27D6B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`zn}
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003278 mov eax, dword ptr fs:[00000030h] 0_2_10003278
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E612 LdrInitializeThunk, 0_2_1000E612
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 116.202.10.123 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 203.157.152.9 7080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 91.93.3.85 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.96.190.154 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 109.99.146.210 8080
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.107.118.125 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 163.53.204.180 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 157.245.145.87 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 0000000D.00000002.768652843.0000029543754000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000E.00000002.766881069.000001A8AFA40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.767038489.000001A8AFB02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 8.2.rundll32.exe.2e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.335758052.0000000000A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.767352719.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.332283199.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331704119.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331683572.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.341884681.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.335476233.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.332269283.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.332361997.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.766565506.0000000000D60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.767779490.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.337892892.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.341860463.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331772344.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.360786510.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.360804490.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.360909118.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY