Windows Analysis Report
CUfsVUDkr6

Overview

General Information

Sample Name: CUfsVUDkr6 (renamed file extension from none to dll)
Analysis ID: 669368
MD5: 543b633663f40468263782155c1e4cdc
SHA1: 0d7e681d49a1ed2a1539845925eac533c1d0dc7c
SHA256: aa0bfc40ca7a27bbc6491ba35ee5ac38eb5fbdf2a2d8a4ef9332d340c391ca87
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: CUfsVUDkr6.dll Virustotal: Detection: 66%
Source: CUfsVUDkr6.dll Avira: detected
Source: CUfsVUDkr6.dll Joe Sandbox ML: detected
Source: 00000005.00000002.774143656.0000000002C11000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["160.135.187.2:6", "48.126.193.2:1", "224.130.193.2:1", "128.130.193.2:1", "136.206.195.2:153", "128.154.195.2:130", "176.130.193.2:1", "128.127.193.2:1", "8.109.194.2:2", "120.8.0.0:1", "56.8.0.0:1", "176.7.0.0:1", "172.7.0.0:1", "96.7.0.0:1", "200.7.0.0:1", "156.7.0.0:1", "240.7.0.0:1", "124.7.0.0:1", "140.7.0.0:1", "144.7.0.0:1", "60.7.0.0:1", "128.7.0.0:1", "224.7.0.0:1", "160.7.0.0:1", "228.7.0.0:1", "244.7.0.0:1", "4.8.0.0:1", "8.8.0.0:1", "72.7.0.0:1", "76.7.0.0:1", "44.7.0.0:1"]}
Source: CUfsVUDkr6.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 2_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 3_2_1002592C

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 70.36.102.35 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 92.240.254.110 8080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49763 -> 51.91.76.89:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49765 -> 119.193.124.41:7080
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View IP Address: 217.182.25.250
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 92.240.254.110:8080
Source: global traffic TCP traffic: 192.168.2.3:49763 -> 51.91.76.89:8080
Source: global traffic TCP traffic: 192.168.2.3:49764 -> 217.182.25.250:8080
Source: global traffic TCP traffic: 192.168.2.3:49765 -> 119.193.124.41:7080
Source: unknown Network traffic detected: IP country count 13
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: svchost.exe, 00000016.00000003.377403125.0000023CC0370000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.377403125.0000023CC0370000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twitter.com/spotify equals www.twitter.com (Twitter)
Source: regsvr32.exe, 00000005.00000003.359199752.0000000004F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root
Source: svchost.exe, 00000013.00000002.676785569.000002799FC89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419911241.0000023CC030D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.409528821.0000023CC030C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.775589438.000001BF01500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.676785569.000002799FC89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419799470.0000023CBFAE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000005.00000003.358463256.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?146a99b97d002
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000013.00000002.676470792.000002799A4B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.675741527.000002799A4AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumera
Source: svchost.exe, 00000013.00000002.676470792.000002799A4B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.675741527.000002799A4AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000E.00000002.318685600.000002516B413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.774092172.00000175ABA44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.773932282.00000175ABA29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.773932282.00000175ABA29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.318818550.000002516B44D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318337851.000002516B449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.318795830.000002516B442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318477372.000002516B441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.318795830.000002516B442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318477372.000002516B441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.318836178.000002516B45C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318434954.000002516B45A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.318375087.000002516B461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.318770388.000002516B43D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318685600.000002516B413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318472678.000002516B456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.318450731.000002516B440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.296644835.000002516B432000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.318720352.000002516B43B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.318818550.000002516B44D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.318337851.000002516B449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000016.00000003.394883729.0000023CC03AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.394786236.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000016.00000003.389730375.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389593585.0000023CC03AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389883804.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389629399.0000023CC0389000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389660788.0000023CC03B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389642184.0000023CC039A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389783418.0000023CC0802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.389683950.0000023CC081A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000016.00000003.398796153.0000023CC038D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.398927241.0000023CC0818000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032A2D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 2_2_10032A2D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003437E GetKeyState,GetKeyState,GetKeyState, 2_2_1003437E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002FE1B ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 2_2_1002FE1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032A2D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 3_2_10032A2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003437E GetKeyState,GetKeyState,GetKeyState, 3_2_1003437E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002FE1B ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 3_2_1002FE1B

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.4ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4790000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.46c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: CUfsVUDkr6.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam:Zone.Identifier Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Ofpagmb\ Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001409B 2_2_1001409B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023973 2_2_10023973
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10010A0C 2_2_10010A0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000DB7F 2_2_1000DB7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001409B 3_2_1001409B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023973 3_2_10023973
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DB7F 3_2_1000DB7F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10011BF0 appears 111 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10012514 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10011BF0 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10012514 appears 39 times
Source: CUfsVUDkr6.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CUfsVUDkr6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUfsVUDkr6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUfsVUDkr6.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: CUfsVUDkr6.dll Virustotal: Detection: 66%
Source: CUfsVUDkr6.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllUnregisterServerr
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CUfsVUDkr6.dll,DllUnregisterServerr Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam" Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@28/8@0/38
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10006120 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z, 2_2_10006120
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: CUfsVUDkr6.dll Static PE information: section name: RT_CURSOR
Source: CUfsVUDkr6.dll Static PE information: section name: RT_BITMAP
Source: CUfsVUDkr6.dll Static PE information: section name: RT_ICON
Source: CUfsVUDkr6.dll Static PE information: section name: RT_MENU
Source: CUfsVUDkr6.dll Static PE information: section name: RT_DIALOG
Source: CUfsVUDkr6.dll Static PE information: section name: RT_STRING
Source: CUfsVUDkr6.dll Static PE information: section name: RT_ACCELERATOR
Source: CUfsVUDkr6.dll Static PE information: section name: RT_GROUP_ICON
Source: CUfsVUDkr6.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CUfsVUDkr6.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CUfsVUDkr6.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CUfsVUDkr6.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CUfsVUDkr6.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10010B20 push eax; ret 2_2_10010B34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10010B20 push eax; ret 2_2_10010B5C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011BF0 push eax; ret 2_2_10011C0E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001254F push ecx; ret 2_2_1001255F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010B20 push eax; ret 3_2_10010B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010B20 push eax; ret 3_2_10010B5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011BF0 push eax; ret 3_2_10011C0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001254F push ecx; ret 3_2_1001255F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10025CEC __EH_prolog,LoadLibraryA,GetProcAddress, 2_2_10025CEC
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll
Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bybhadxaxdq\chsskqcjil.mpx:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mljnrgyarrslr\zmqsujpnwal.uxz:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10007AE5 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_10007AE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007AE5 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10007AE5
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
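The regsvr32.exe behaviour recorded above (the silent /s registration of the dropped DLL, the PE moved to C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam, a child regsvr32.exe /s started on that path by the first regsvr32.exe, and the Zone.Identifier stream of the moved file opened for delete) is the chain a detection engineer would want to match on endpoint telemetry. The script below is an added example, not part of the Joe Sandbox report and not Emotet's code; it runs two rules over constructed Sysmon-like key=value event lines. The event format, the PIDs and the benign fifth event are assumptions made for the example; the paths are the ones the report lists.

```python
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed telemetry (not from the report), one key=value line per event
# in a Sysmon-like shape that is assumed for the example. PIDs and the last,
# benign event are invented; the paths mirror what the report attributes to
# regsvr32.exe.
SAMPLE_EVENTS = r"""
type=ProcessCreate pid=5100 ppid=4880 parent=C:\Windows\System32\loaddll32.exe image=C:\Windows\SysWOW64\regsvr32.exe cmdline=regsvr32.exe /s C:\Users\user\Desktop\CUfsVUDkr6.dll
type=FileDelete pid=5100 image=C:\Windows\SysWOW64\regsvr32.exe target=C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam:Zone.Identifier
type=ProcessCreate pid=5232 ppid=5100 parent=C:\Windows\SysWOW64\regsvr32.exe image=C:\Windows\SysWOW64\regsvr32.exe cmdline=C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ofpagmb\vfvyklscua.sam"
type=ProcessCreate pid=6000 ppid=800 parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\regsvr32.exe cmdline=regsvr32.exe /s C:\Windows\System32\vbscript.dll
"""

# <drive>:\Windows\SysWOW64\<one directory>\<file>.<ext>: the layout of the
# relocated payload in the report (Ofpagmb\vfvyklscua.sam and the others).
RELOCATED_PE = re.compile(
    r"^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+\.(?P<ext>[a-z0-9]+)$", re.I)
# Extensions a legitimate 'regsvr32 /s' target normally carries.
SERVER_EXTS = {"dll", "ocx", "ax"}


def parse_events(text: str) -> List[Event]:
    """key=value lines -> dicts. cmdline and target may contain spaces, so
    split only on a space that is immediately followed by another key=."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        fields = re.split(r" (?=[a-z]+=)", line.strip())
        events.append(dict(f.split("=", 1) for f in fields))
    return events


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Path argument of 'regsvr32 /s <path>' (quoted or not), else None."""
    m = re.search(r'/s\s+"?([^"]+?)"?\s*$', cmdline, re.I)
    return m.group(1) if m else None


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Two rules matching this report's behaviour:
    - regsvr32.exe spawning regsvr32.exe /s on a non-DLL extension under
      a fresh SysWOW64 sub-directory (the renamed, relocated payload);
    - regsvr32.exe/rundll32.exe deleting a Zone.Identifier stream, i.e.
      stripping the mark-of-the-web from the file it just dropped."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        kind, img = ev.get("type"), image_name(ev.get("image", ""))
        if kind == "ProcessCreate" and img == "regsvr32.exe":
            target = regsvr32_target(ev.get("cmdline", "")) or ""
            m = RELOCATED_PE.match(target)
            if (m and m.group("ext").lower() not in SERVER_EXTS
                    and image_name(ev.get("parent", "")) == "regsvr32.exe"):
                findings.append({"rule": "regsvr32_relaunch_relocated_pe",
                                 "pid": ev["pid"], "evidence": target})
        elif kind == "FileDelete" and img in {"regsvr32.exe", "rundll32.exe"}:
            target = ev.get("target", "")
            if target.lower().endswith(":zone.identifier"):
                findings.append({"rule": "zone_identifier_stripped",
                                 "pid": ev["pid"], "evidence": target})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['rule']:32} pid={f['pid']} {f['evidence']}")
```

The parent check is what keeps the first rule quiet on ordinary component registration (the benign svchost.exe -> regsvr32.exe /s vbscript.dll event is not flagged): the report shows the second regsvr32.exe being started by the first one, which is the relocation hand-off worth alerting on. The rundll32.exe variants in this section (Bybhadxaxdq\chsskqcjil.mpx, Mljnrgyarrslr\zmqsujpnwal.uxz) are covered by the same Zone.Identifier rule.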

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6028 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6028 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3812 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3768 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 2.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.1 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10010839 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 2_2_10010839
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 2_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 3_2_1002592C
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000016.00000002.419834806.0000023CBFAF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $@Hyper-V RAW
Source: svchost.exe, 0000001C.00000002.776500854.000001BF01C54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000013.00000002.676744521.000002799FC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAWGlobal\BFE_Notify_Event_{41bbeee1-a916-4bfe-82e5-0142a5910b49}LMEM
Source: svchost.exe, 0000001C.00000002.776500854.000001BF01C54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 0000000A.00000002.773531585.000001ABFFE02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000013.00000002.676724746.000002799FC57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.676148634.000002799A424000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419799470.0000023CBFAE8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.419688769.0000023CBFA8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.774780396.000001BF00CC5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.774250367.000001BF00C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001C.00000002.776424184.000001BF01C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 0000000A.00000002.773797062.000001ABFFE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.774248414.00000175ABA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.773860880.00000262CDA2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10025CEC __EH_prolog,LoadLibraryA,GetProcAddress, 2_2_10025CEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10005260 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy, 2_2_10005260
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 70.36.102.35 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 92.240.254.110 8080 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CUfsVUDkr6.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10001090
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 2_2_100348C4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1001A444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10001090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 3_2_100348C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1001A444
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011075 GetSystemTimeAsFileTime,__aulldiv, 2_2_10011075
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018E14 __lock,_strlen,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 2_2_10018E14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001100 GetVersionExA,InterlockedExchange, 2_2_10001100
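The five Network Connect entries in this section (217.182.25.250:8080, 70.36.102.35:443, 51.91.76.89:8080, 119.193.124.41:7080, 92.240.254.110:8080) are the C2 endpoints regsvr32.exe reached and the part of the report most worth turning into hunt and block content. The script below is an added example, not part of the report: it pulls the IP/port pairs out of the report text, matches them against a firewall log, and emits one Suricata rule per endpoint. The firewall log layout (timestamp src:port -> dst:port proto), the internal hosts and the flows are constructed for the example; the rule syntax is standard Suricata/Snort.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]

# The five 'Network Connect' lines from this section, copied verbatim so the
# script runs offline; in practice feed it the whole report text.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 70.36.102.35 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 92.240.254.110 8080 Jump to behavior
"""

# Constructed firewall log (assumed 'timestamp src:port -> dst:port proto'
# layout); the internal hosts and flows are invented for the example.
SAMPLE_FLOWS = """\
2022-07-21T10:02:11Z 10.0.5.17:49812 -> 217.182.25.250:8080 tcp
2022-07-21T10:02:40Z 10.0.5.17:49820 -> 70.36.102.35:443 tcp
2022-07-21T10:03:02Z 10.0.5.31:51002 -> 93.184.216.34:443 tcp
2022-07-21T10:03:15Z 10.0.5.42:51200 -> 119.193.124.41:7080 tcp
2022-07-21T10:03:50Z 10.0.5.31:51010 -> 217.182.25.250:443 tcp
"""

CONNECT_RE = re.compile(r"Network Connect:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")
FLOW_RE = re.compile(
    r"^\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+\w+")


def extract_c2(report: str) -> Set[Endpoint]:
    """Unique (ip, port) pairs from 'Network Connect' lines. Malformed
    addresses and private/loopback destinations (a sandbox may log those
    too) are dropped so they never become block rules."""
    found: Set[Endpoint] = set()
    for m in CONNECT_RE.finditer(report):
        ip, port = m.group(1), int(m.group(2))
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_global and 0 < port < 65536:
            found.add((ip, port))
    return found


def match_flows(flows: str, c2: Set[Endpoint]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each internal source host to the C2 endpoints it reached. An exact
    ip:port hit is 'high'; the same IP on another port is only 'medium',
    since the sandbox saw one specific port and shared hosting is common."""
    c2_ips = {ip for ip, _ in c2}
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for line in flows.strip().splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if (dst, dport) in c2:
            hits.setdefault(m.group("src"), []).append((f"{dst}:{dport}", "high"))
        elif dst in c2_ips:
            hits.setdefault(m.group("src"), []).append((f"{dst}:{dport}", "medium"))
    return hits


def suricata_rules(c2: Set[Endpoint], sid_base: int = 1000000) -> List[str]:
    """One alert rule per endpoint; sorted so SIDs stay stable across runs."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Sandbox-observed Emotet C2 {ip}:{port}"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(sorted(c2))
    ]


if __name__ == "__main__":
    c2 = extract_c2(REPORT_LINES)
    for host, matches in match_flows(SAMPLE_FLOWS, c2).items():
        print(host, matches)
    print("\n".join(suricata_rules(c2)))
```

Keep the port in the indicator: Emotet's configuration carries IP:port pairs, and the 443 and 8080/7080 mix above is typical, so a flow to one of these addresses on an unexpected port is a weaker signal than an exact match and is labelled accordingly. The sid_base is a placeholder; pick a range your sensor does not already use.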

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 0000001C.00000002.776298072.000001BF015F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000010.00000002.773716695.00000161FCE3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.774051870.00000161FCF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.4ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4790000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.46c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.774599292.00000000046C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.261732368.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.258847425.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.259038196.0000000004CE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.774512688.0000000004690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.261764431.0000000004791000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.258613972.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.258886140.00000000043A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY