Malware analysis Emulator-R2R.rar Malicious activity | ANY.RUN

Add for printing

File name:	Emulator-R2R.rar
Full analysis:	https://app.any.run/tasks/d21b8b6e-3a0c-4568-9b68-de7bc0f05101
Verdict:	Malicious activity
Analysis date:	December 14, 2025, 21:10:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc inno installer delphi
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	9B1678376FA840A0F0E4AE735C224605
SHA1:	78EE4A50E5C858C50ABA62F50E046C8975FBD9A8
SHA256:	E2FFC3751602BF32032D36C7F93753E2BE1E37A498551A60062BF6BDCAC6534C
SSDEEP:	98304:y0sukgDZXTKbXS4LGwFe71oJA7qGRplv9iU+j9AjHOulFxvugZhwrJwquuT+uruA:Fbq1CPwDvt3uFGCC0fk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 7384)
- Executing a file with an untrusted certificate
  - DVREMU2MAN.exe (PID: 7304)
  - DVREMU2MAN.exe (PID: 3436)
  - DVREMU2MAN.exe (PID: 4660)
  - DVREMU2MAN.exe (PID: 7500)
  - DVREMU2MAN.exe (PID: 7804)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7744)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
  - DVREMU2MAN.exe (PID: 3436)
- Executable content was dropped or overwritten
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7724)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7824)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Reads the Windows owner or organization settings
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- There is functionality for taking screenshot (YARA)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Start notepad (likely ransomware note)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Reads the date of Windows installation
  - DVREMU2MAN.exe (PID: 3436)
- Starts CMD.EXE for commands execution
  - explorer.exe (PID: 7536)
- Creates file in the systems drive root
  - explorer.exe (PID: 7536)
- Executing commands from ".cmd" file
  - explorer.exe (PID: 7536)
INFO
- Manual execution by a user
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7724)
  - DVREMU2MAN.exe (PID: 7304)
  - DVREMU2MAN.exe (PID: 3436)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7384)
- Reads the computer name
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7744)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
  - TextInputHost.exe (PID: 7268)
  - DVREMU2MAN.exe (PID: 3436)
  - DVREMU2MAN.exe (PID: 4660)
- Creates a software uninstall entry
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Create files in a temporary directory
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7824)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7724)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Checks supported languages
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7824)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7724)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7744)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
  - TextInputHost.exe (PID: 7268)
  - DVREMU2MAN.exe (PID: 3436)
  - DVREMU2MAN.exe (PID: 4660)
- Process checks computer location settings
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7744)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
  - DVREMU2MAN.exe (PID: 3436)
- The sample compiled with english language support
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Creates files in the program directory
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 8148)
  - explorer.exe (PID: 7536)
- Detects InnoSetup installer (YARA)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7824)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7744)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7724)
- Compiled with Borland Delphi (YARA)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7724)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7744)
  - Setup DVREMU2 Manager v1.0.0.tmp (PID: 7848)
  - Setup DVREMU2 Manager v1.0.0.exe (PID: 7824)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	8286995
UncompressedSize:	8286995
OperatingSystem:	Win32
ArchivedFileName:	Setup DVREMU2 Manager v1.0.0.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

160

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

148

"C:\Windows\explorer.exe" C:\Program Files\TEAM R2R\DVREMU2 Manager\commands\

C:\Windows\explorer.exe

—

DVREMU2MAN.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

3436

"C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe"

C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe

explorer.exe

User:

admin

Company:

TEAM R2R

Integrity Level:

HIGH

Description:

DVREMU2 Manager

Exit code:

Version:

1.0.0.1

Modules

Images
c:\program files\team r2r\dvremu2 manager\dvremu2man.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4660

"C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe" install

C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe

cmd.exe

User:

admin

Company:

TEAM R2R

Integrity Level:

HIGH

Description:

DVREMU2 Manager

Exit code:

Version:

1.0.0.1

Modules

Images
c:\program files\team r2r\dvremu2 manager\dvremu2man.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\program files\team r2r\dvremu2 manager\libbz2.dll

7268

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

7304

"C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe"

C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe

—

explorer.exe

User:

admin

Company:

TEAM R2R

Integrity Level:

MEDIUM

Description:

DVREMU2 Manager

Exit code:

3221226540

Version:

1.0.0.1

Modules

Images
c:\program files\team r2r\dvremu2 manager\dvremu2man.exe
c:\windows\system32\ntdll.dll

7384

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Emulator-R2R.rar

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7500

..\\DVREMU2MAN install

C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe

—

cmd.exe

User:

admin

Company:

TEAM R2R

Integrity Level:

MEDIUM

Description:

DVREMU2 Manager

Exit code:

3221226540

Version:

1.0.0.1

Modules

Images
c:\program files\team r2r\dvremu2 manager\dvremu2man.exe
c:\windows\system32\ntdll.dll

7536

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

7672

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7684

C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\TEAM R2R\DVREMU2 Manager\commands\DVREMU2 - Install Emulator.cmd" "

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

11 074

Read events

10 983

Write events

Delete events

Modification events


(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Emulator-R2R.rar
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(7384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7384	WinRAR.exe	C:\Users\admin\Desktop\Emulator-R2R\Setup DVREMU2 Manager v1.0.0.exe		executable
		MD5:712694288F0A36EFEAD1B9BA8B4C0AB0	SHA256:8D31D34083335DC0CC3C76BD5F418846E8F4DAAD5A437CEFD8E47DF332401B08
7384	WinRAR.exe	C:\Users\admin\Desktop\Emulator-R2R\R2R.txt		text
		MD5:A2ADBEFC72AE91451926424CE7A1105D	SHA256:8E06520969D5A5D747FFC74EA63B270744FC9CF22E90DFE918A797800FC4BD1E
7848	Setup DVREMU2 Manager v1.0.0.tmp	C:\Program Files\TEAM R2R\DVREMU2 Manager\unins000.exe		executable
		MD5:908F64B344BCE85C344E88DB0C4C334F	SHA256:6BDC1C8F0A1BD5951E94F575E6B693D0150D25F3B62BC7314567B2C4C3A8F009
7848	Setup DVREMU2 Manager v1.0.0.tmp	C:\Users\admin\AppData\Local\Temp\is-QTKF1.tmp\R2RINNO.dll		executable
		MD5:5DF8ADA84A16F5DFC24096EF90A5CE3A	SHA256:48A9C8C332FDE541B571D9D522D0E37834B452F55AF8CBDC341B12222E78FB5B
7824	Setup DVREMU2 Manager v1.0.0.exe	C:\Users\admin\AppData\Local\Temp\is-BG6L0.tmp\Setup DVREMU2 Manager v1.0.0.tmp		executable
		MD5:34ACC2BDB45A9C436181426828C4CB49	SHA256:9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07
7724	Setup DVREMU2 Manager v1.0.0.exe	C:\Users\admin\AppData\Local\Temp\is-MGBUQ.tmp\Setup DVREMU2 Manager v1.0.0.tmp		executable
		MD5:34ACC2BDB45A9C436181426828C4CB49	SHA256:9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07
7848	Setup DVREMU2 Manager v1.0.0.tmp	C:\Users\admin\AppData\Local\Temp\is-QTKF1.tmp\SKIN.CJSTYLES		executable
		MD5:5F87CAF3F7CF63DDE8E6AF53BDF31289	SHA256:4731982B02B067D3F5A5A7518279A9265A49FB0F7B3F8DC3D61B82A5359D4940
7848	Setup DVREMU2 Manager v1.0.0.tmp	C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe		executable
		MD5:2A052D9B7BDD115E24B7BC4B8475EDCE	SHA256:2083BEB78B4CEBA4A8FE819ED2307B4C0A22622F32CAEA60FCEA7DE0BCBD76B8
7848	Setup DVREMU2 Manager v1.0.0.tmp	C:\Program Files\TEAM R2R\DVREMU2 Manager\is-C5IVH.tmp		executable
		MD5:908F64B344BCE85C344E88DB0C4C334F	SHA256:6BDC1C8F0A1BD5951E94F575E6B693D0150D25F3B62BC7314567B2C4C3A8F009
7848	Setup DVREMU2 Manager v1.0.0.tmp	C:\Program Files\TEAM R2R\DVREMU2 Manager\libcrypto-3-x64.dll		executable
		MD5:E7463D58D7AFF43C7D71A3847BA8201E	SHA256:2249476A14DEA73AE271D661483BDC6C15E45B931F8DBFD0BD1B84193CF420EA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6768	MoUsoCoreWorker.exe	GET	304	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
1412	SIHClient.exe	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	US	—	—	whitelisted
1412	SIHClient.exe	GET	200	74.178.76.128:443	https://slscr.update.microsoft.com/sls/ping	US	—	—	whitelisted
4968	svchost.exe	GET	200	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	binary	5.48 Kb	whitelisted
1412	SIHClient.exe	GET	304	74.178.76.128:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
4968	svchost.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4968	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
4968	svchost.exe	GET	200	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	binary	1.43 Kb	whitelisted
2572	svchost.exe	POST	200	20.190.159.64:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4404	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4968	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4968	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4968	svchost.exe	23.55.110.211:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
4968	svchost.exe	2.23.246.101:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
2572	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2572	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	142.251.141.78	whitelisted
crl.microsoft.com	23.55.110.211 23.55.110.193	whitelisted
www.microsoft.com	2.23.246.101 88.221.169.152	whitelisted
login.live.com	20.190.159.64 20.190.159.71 20.190.159.129 20.190.159.2 40.126.31.71 20.190.159.131 40.126.31.67 20.190.159.130	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
www.bing.com	2.16.241.218 2.16.241.201 2.16.241.205	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

Emulator-R2R.rar

9B1678376FA840A0F0E4AE735C224605

78EE4A50E5C858C50ABA62F50E046C8975FBD9A8

E2FFC3751602BF32032D36C7F93753E2BE1E37A498551A60062BF6BDCAC6534C

98304:y0sukgDZXTKbXS4LGwFe71oJA7qGRplv9iU+j9AjHOulFxvugZhwrJwquuT+uruA:Fbq1CPwDvt3uFGCC0fk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Executing a file with an untrusted certificate

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

There is functionality for taking screenshot (YARA)

Start notepad (likely ransomware note)

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Creates file in the systems drive root

Executing commands from ".cmd" file

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads the computer name

Creates a software uninstall entry

Create files in a temporary directory

Checks supported languages

Process checks computer location settings

The sample compiled with english language support

Creates files in the program directory

Reads security settings of Internet Explorer

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings