Windows Analysis Report
uVPWqAOMKn

Overview

General Information

Sample Name: uVPWqAOMKn (renamed file extension from none to dll)
Analysis ID: 669371
MD5: 2e7cff2320794cef37a5a3ac700a11d1
SHA1: 47c3259798a247f00e22f9c2e8e5f6ee7a41ce98
SHA256: cc257f8c204386f746f457e57c91ab2c93f1d44181fd161eb3a16844700fcd37
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
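The signatures above describe a behavioural pattern rather than a hash: a DLL-hosting system binary (regsvr32.exe, spawned here via loaddll32.exe) registering a DLL and then connecting to raw IP addresses on 7080/8080/443 without any DNS lookup. The following is an added example of that pattern turned into detection logic, not code from the Joe Sandbox report. It runs over constructed Sysmon-style events modelled on the connections recorded in this analysis; the event lines, the DLL path, the inclusion of rundll32.exe and the 60-second DNS window are assumptions.

```python
"""Behavioural detection for the regsvr32.exe pattern in this report: a DLL host
process connecting to raw public IPs (no prior DNS resolution), weighted up when
the port is one of the non-standard Emotet ports seen here (7080, 8080).
Added example; the events are synthetic, not real telemetry."""
import ipaddress
import ntpath

DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}   # rundll32 added by assumption
EMOTET_PORTS = {7080, 8080}                    # non-standard ports from this report
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DNS_WINDOW = 60                                # seconds; assumed, tune to environment

REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"

# Constructed events in the shape of Sysmon EID 1 (process create),
# EID 3 (network connect) and EID 22 (DNS query). "t" is seconds since start.
EVENTS = [
    {"id": 1, "t": 0, "pid": 3, "image": REGSVR,
     "parent": r"C:\Windows\System32\loaddll32.exe",   # sandbox harness parent
     "cmdline": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\uVPWqAOMKn.dll"},
    {"id": 22, "t": 1, "pid": 3, "image": REGSVR,
     "query": "www.example.com", "answer": "93.184.216.34"},      # benign, resolved
    {"id": 3, "t": 2, "pid": 3, "image": REGSVR, "dst": "93.184.216.34", "port": 443},
    {"id": 3, "t": 5, "pid": 3, "image": REGSVR, "dst": "216.120.236.62", "port": 8080},
    {"id": 3, "t": 9, "pid": 3, "image": REGSVR, "dst": "189.232.46.161", "port": 443},
    {"id": 3, "t": 14, "pid": 3, "image": REGSVR, "dst": "119.193.124.41", "port": 7080},
    {"id": 3, "t": 15, "pid": 3, "image": REGSVR, "dst": "192.168.2.1", "port": 445},
    {"id": 3, "t": 21, "pid": 9, "image": r"C:\Program Files\App\app.exe",
     "dst": "198.51.100.7", "port": 8080},                          # not a DLL host
]


def _basename(image):
    return ntpath.basename(image).lower()


def detect(events):
    """Return alerts for DLL-host processes that load DLLs from user-writable
    paths or connect to public IPs that no DNS answer for that process explains."""
    alerts = []
    resolved = []  # (t, pid, ip) collected from EID 22, in time order
    for ev in sorted(events, key=lambda e: e["t"]):
        if _basename(ev["image"]) not in DLL_HOSTS:
            continue
        if ev["id"] == 22:
            resolved.append((ev["t"], ev["pid"], ev["answer"]))
        elif ev["id"] == 1:
            if any(p in ev["cmdline"].lower() for p in USER_WRITABLE):
                alerts.append({"rule": "dll_host_loads_user_writable_dll",
                               "severity": "medium", "pid": ev["pid"],
                               "detail": ev["cmdline"]})
        elif ev["id"] == 3:
            if not ipaddress.ip_address(ev["dst"]).is_global:
                continue  # RFC1918 / reserved destinations are out of scope here
            explained = any(pid == ev["pid"] and ip == ev["dst"]
                            and 0 <= ev["t"] - t <= DNS_WINDOW
                            for t, pid, ip in resolved)
            if explained:
                continue
            alerts.append({"rule": "dll_host_direct_ip_connect",
                           "severity": "high" if ev["port"] in EMOTET_PORTS else "medium",
                           "pid": ev["pid"], "dst": ev["dst"], "port": ev["port"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed input this yields one alert for the DLL load from a Temp path and three direct-IP alerts (216.120.236.62:8080 and 119.193.124.41:7080 as high, 189.232.46.161:443 as medium); the DNS-explained connection, the private-range connection and the non-DLL-host process produce nothing.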

Classification

AV Detection

Source: uVPWqAOMKn.dll Virustotal: Detection: 68%
Source: uVPWqAOMKn.dll ReversingLabs: Detection: 75%
Source: uVPWqAOMKn.dll Avira: detected
Source: https://189.232.46.161/ Avira URL Cloud: Label: malware
Source: https://189.232.46.161/oDKcMsHRRxcdTZdqBLENpsfwBpdNwUtCDsdjXOHPdhyxmepd Avira URL Cloud: Label: malware
Source: https://216.120.236.62:8080/AriEwZcvJsYjzutuViEY9 Avira URL Cloud: Label: malware
Source: https://51.91.76.89/4R Avira URL Cloud: Label: malware
Source: https://51.91.76.89:8080/SErPxnMnZMWCWtStc Avira URL Cloud: Label: malware
Source: https://189.232.46.161/oDKcMsHRRxcdTZdqBLENpsfwBpdNwUtCDsdjXOHPdhyxmepdV Avira URL Cloud: Label: malware
Source: https://216.120.236.62/o Avira URL Cloud: Label: malware
Source: https://216.120.236.62/ URL Reputation: Label: malware
Source: https://51.91.76.89/ Avira URL Cloud: Label: malware
Source: https://189.232.46.161/=R Avira URL Cloud: Label: malware
Source: https://216.120.236.62:8080/AriEwZcvJsYjzutuViEY Avira URL Cloud: Label: malware
Source: https://189.232.46.161/ Virustotal: Detection: 13%
Source: uVPWqAOMKn.dll Joe Sandbox ML: detected
Source: 00000007.00000002.895293868.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["45.142.114.231:8080", "209.250.246.206:443", "1.234.21.73:7080", "134.122.66.193:8080", "176.56.128.118:443", "195.154.133.20:443", "167.99.115.35:8080", "189.126.111.200:7080", "176.104.106.96:8080", "110.232.117.186:8080", "1.234.2.232:8080", "50.30.40.196:8080", "159.65.88.10:8080", "45.176.232.124:443", "45.118.115.99:8080", "206.188.212.92:8080", "146.59.226.45:443", "46.55.222.11:443", "185.157.82.211:8080", "129.232.188.93:443", "201.94.166.162:443", "51.254.140.238:7080", "31.24.158.56:8080", "178.79.147.66:8080", "203.114.109.124:443", "216.158.226.206:443", "151.106.112.196:8080", "167.172.253.162:8080", "45.118.135.203:7080", "196.218.30.83:443", "107.182.225.142:8080", "101.50.0.91:8080", "79.172.212.216:8080", "209.126.98.206:8080", "51.91.7.5:8080", "72.15.201.15:8080", "173.212.193.249:8080", "82.165.152.127:8080", "103.43.46.182:443"]}
Source: uVPWqAOMKn.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10027BC4 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_10027BC4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10027BC4 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_10027BC4

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 189.232.46.161 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 216.120.236.62 8080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49829 -> 51.91.76.89:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.6:49839 -> 119.193.124.41:7080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 209.250.246.206:443
Source: Malware configuration extractor IPs: 1.234.21.73:7080
Source: Malware configuration extractor IPs: 134.122.66.193:8080
Source: Malware configuration extractor IPs: 176.56.128.118:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 167.99.115.35:8080
Source: Malware configuration extractor IPs: 189.126.111.200:7080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 50.30.40.196:8080
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 206.188.212.92:8080
Source: Malware configuration extractor IPs: 146.59.226.45:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 51.254.140.238:7080
Source: Malware configuration extractor IPs: 31.24.158.56:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 151.106.112.196:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 196.218.30.83:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 101.50.0.91:8080
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 209.126.98.206:8080
Source: Malware configuration extractor IPs: 51.91.7.5:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 82.165.152.127:8080
Source: Malware configuration extractor IPs: 103.43.46.182:443
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View IP Address: 217.182.25.250 217.182.25.250
Source: Joe Sandbox View IP Address: 159.65.88.10 159.65.88.10
Source: global traffic TCP traffic: 192.168.2.6:49778 -> 216.120.236.62:8080
Source: global traffic TCP traffic: 192.168.2.6:49829 -> 51.91.76.89:8080
Source: global traffic TCP traffic: 192.168.2.6:49837 -> 217.182.25.250:8080
Source: global traffic TCP traffic: 192.168.2.6:49839 -> 119.193.124.41:7080
Source: unknown Network traffic detected: IP country count 23
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
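Two facts in this section are easy to miss when reading the raw lines: none of the five endpoints regsvr32.exe actually contacted appears in the 39-entry list the configuration extractor recovered, and only two of the five (51.91.76.89:8080 and 119.193.124.41:7080) triggered a Feodo Tracker Snort rule. The following added example, not part of the Joe Sandbox report, cross-checks the three data sets and builds a combined blocklist; the config list, connections and Snort SIDs are transcribed from this report, while the local SID range and the rule wording are assumptions.

```python
"""Cross-check the Emotet C2 list pulled by the config extractor against the
connections regsvr32.exe made during the run and the IDS alerts raised, then
emit a combined blocklist.  Added example: data transcribed from the report."""
import ipaddress
from collections import Counter

# C2 list exactly as printed by the Malware Configuration Extractor (regsvr32.exe dump).
EXTRACTED_CONFIG = {"C2 list": [
    "45.142.114.231:8080", "209.250.246.206:443", "1.234.21.73:7080",
    "134.122.66.193:8080", "176.56.128.118:443", "195.154.133.20:443",
    "167.99.115.35:8080", "189.126.111.200:7080", "176.104.106.96:8080",
    "110.232.117.186:8080", "1.234.2.232:8080", "50.30.40.196:8080",
    "159.65.88.10:8080", "45.176.232.124:443", "45.118.115.99:8080",
    "206.188.212.92:8080", "146.59.226.45:443", "46.55.222.11:443",
    "185.157.82.211:8080", "129.232.188.93:443", "201.94.166.162:443",
    "51.254.140.238:7080", "31.24.158.56:8080", "178.79.147.66:8080",
    "203.114.109.124:443", "216.158.226.206:443", "151.106.112.196:8080",
    "167.172.253.162:8080", "45.118.135.203:7080", "196.218.30.83:443",
    "107.182.225.142:8080", "101.50.0.91:8080", "79.172.212.216:8080",
    "209.126.98.206:8080", "51.91.7.5:8080", "72.15.201.15:8080",
    "173.212.193.249:8080", "82.165.152.127:8080", "103.43.46.182:443",
]}

# "Network Connect" events for C:\Windows\SysWOW64\regsvr32.exe.
OBSERVED_CONNECTIONS = [
    ("217.182.25.250", 8080), ("51.91.76.89", 8080), ("189.232.46.161", 443),
    ("119.193.124.41", 7080), ("216.120.236.62", 8080),
]

# Snort alerts the sandbox raised (ET CNC Feodo Tracker rules, by SID).
SNORT_ALERTS = [("51.91.76.89", 8080, 2404338), ("119.193.124.41", 7080, 2404304)]


def _endpoint_key(endpoint):
    """Sort (ip, port) numerically instead of as strings."""
    return (ipaddress.ip_address(endpoint[0]), endpoint[1])


def parse_c2_list(config):
    """Turn 'ip:port' strings into (ip, port) tuples; a non-IP host raises ValueError."""
    endpoints = []
    for entry in config["C2 list"]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # validate before the value reaches a blocklist
        endpoints.append((host, int(port)))
    return endpoints


def compare(config, observed, alerts):
    """Relate extracted config, observed connections and IDS alerts to each other."""
    known = set(parse_c2_list(config))
    seen = set(observed)
    alerted = {(ip, port) for ip, port, _ in alerts}
    return {
        "in_config_and_contacted": sorted(known & seen, key=_endpoint_key),
        "contacted_but_not_in_config": sorted(seen - known, key=_endpoint_key),
        "contacted_without_ids_alert": sorted(seen - alerted, key=_endpoint_key),
        "config_port_profile": Counter(port for _, port in known),
        "blocklist": sorted(known | seen, key=_endpoint_key),
    }


def snort_rules(endpoints, base_sid=1000001):
    """One alert rule per endpoint; SIDs from 1000001 upward (local range, assumed free)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 from analysis 669371"; flow:to_server; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(endpoints)
    ]


if __name__ == "__main__":
    result = compare(EXTRACTED_CONFIG, OBSERVED_CONNECTIONS, SNORT_ALERTS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("\n".join(snort_rules(result["blocklist"])))
```

The result is empty for "in_config_and_contacted", lists all five contacted endpoints under "contacted_but_not_in_config", and leaves three of them without an IDS alert, so a blocklist built from either the extracted configuration or the IDS hits alone would miss live infrastructure; the combined list has 44 entries, with 8080 dominating the extracted list (23 of 39), followed by 443 (12) and 7080 (4).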
Source: svchost.exe, 00000017.00000003.562410175.0000022230165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [Microsoft Store catalog entry with ProductTitle "Spotify - Music and Podcasts"; the description text contains http://www.facebook.com/spotify and http://twitter.com/spotify; the per-country "Markets" array is elided here] equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.562410175.0000022230165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [same Store catalog entry as above] equals www.twitter.com (Twitter)
Source: svchost.exe, 00000017.00000003.562563670.0000022230175000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [same Store catalog entry, product record: ProductId 9NCBCSZSJRSB, PackageFamilyName SpotifyAB.SpotifyMusic_zpdnekdrzrea0, PublisherCertificateName CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF, ValidationData RevisionId 2022-07-11T16:37:37.4991749Z; the string is truncated in the report and its match clause is missing]
Source: svchost.exe, 00000017.00000003.562563670.0000022230175000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [same Store catalog entry, SKU record: SkuTitle "Spotify - Music and Podcasts", FulfillmentType WindowsUpdate, WuCategoryId 5c353b9c-7ac7-4d27-af07-923e7d9aa2e2, Architectures x86] equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.562563670.0000022230175000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [same Store catalog SKU record as above] equals www.twitter.com (Twitter)
The strings in these svchost.exe dumps are Microsoft Store catalog data for the Spotify package, not strings of the submitted DLL; the Facebook and Twitter matches come from the app's store description.
Source: svchost.exe, 00000002.00000002.896439652.0000029312C65000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594200859.000000000103D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895527777.000000000103D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.613293486.0000022230100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000002.00000002.896257359.0000029312C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000007.00000003.590410243.0000000001093000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895607470.0000000001094000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.590332405.0000000001070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupda
Source: regsvr32.exe, 00000007.00000003.589696495.0000000005137000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.590428493.000000000510F000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.590724690.0000000005131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000007.00000003.594200859.000000000103D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895527777.000000000103D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000003.590410243.0000000001093000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895607470.0000000001094000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.590332405.0000000001070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrD$
Source: regsvr32.exe, 00000007.00000003.594200859.000000000103D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895527777.000000000103D000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000003.589682212.000000000514B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dcce73b6ba9cc
Source: svchost.exe, 00000017.00000003.588806879.0000022230180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.585558704.000002223019E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000007.00000002.895488066.0000000001034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41/
Source: regsvr32.exe, 00000007.00000003.594113245.0000000001034000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895488066.0000000001034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/VpoQHFAbXxwVXMvalFtvpYGPvlzHFATxmfdXXXqPyAmJeXjvroVHBlPfYCuMPkB
Source: regsvr32.exe, 00000007.00000002.895488066.0000000001034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/VpoQHFAbXxwVXMvalFtvpYGPvlzHFATxmfdXXXqPyAmJeXjvroVHBlPfYCuMPkB&
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/VpoQHFAbXxwVXMvalFtvpYGPvlzHFATxmfdXXXqPyAmJeXjvroVHBlPfYCuMPkBo
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://189.232.46.161/
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://189.232.46.161/=R
Source: regsvr32.exe, 00000007.00000002.895293868.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://189.232.46.161/oDKcMsHRRxcdTZdqBLENpsfwBpdNwUtCDsdjXOHPdhyxmepd
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://189.232.46.161/oDKcMsHRRxcdTZdqBLENpsfwBpdNwUtCDsdjXOHPdhyxmepdV
Source: regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://216.120.236.62/
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://216.120.236.62/o
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://216.120.236.62:8080/AriEwZcvJsYjzutuViEY
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://216.120.236.62:8080/AriEwZcvJsYjzutuViEY9
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584335315.0000000001035000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250/
Source: regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250/1.76.89:8080/pdNwUtCDsdjXOHPdhyxmepd
Source: regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250/eVlDdCnzQYZNllXagZhyDivNlMzaFBSuCmbSampUWW
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250:8080/BsbzREwLaKqFTTaeHjvPeVlDdCnzQYZNllXagZhyDivNlMzaFBSuCmbSampUWW
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250:8080/BsbzREwLaKqFTTaeHjvPeVlDdCnzQYZNllXagZhyDivNlMzaFBSuCmbSampUWW2
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89/
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89/4R
Source: regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895217070.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:8080/SErPxnMnZMWCWtStc
Source: regsvr32.exe, 00000007.00000003.584344214.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:80:8080/
Source: svchost.exe, 00000017.00000003.588806879.0000022230180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.585558704.000002223019E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: regsvr32.exe, 00000007.00000003.590410243.0000000001093000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895607470.0000000001094000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.590332405.0000000001070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sldl.windowsupdate.com/
Source: svchost.exe, 00000017.00000003.580472643.00000222301AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.580521789.0000022230602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.580451647.000002223019C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000017.00000003.588806879.0000022230180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.585558704.000002223019E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.588806879.0000022230180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.585558704.000002223019E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.580472643.00000222301AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.580521789.0000022230602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.580451647.000002223019C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000017.00000003.580472643.00000222301AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.580521789.0000022230602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.580451647.000002223019C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000017.00000003.589531614.00000222301BC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.589590666.00000222301A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.589562765.00000222301BC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.589653116.0000022230602000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100201BC SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW, 0_2_100201BC

E-Banking Fraud

Source: Yara match File source: 3.2.regsvr32.exe.4be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4c10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.10e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.895080994.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.417225831.0000000004171000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.895666203.00000000010E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.417170755.0000000004140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.398365713.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418860992.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.398389005.0000000004C11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.396892983.0000000004AA1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.404579825.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418887391.0000000000551000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.410822400.0000000003011000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.396801505.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: uVPWqAOMKn.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Elutq\fjqpvuhrz.fqb:Zone.Identifier
Source: C:\Windows\System32\loaddll32.exe File created: C:\Windows\SysWOW64\Vdlpleqgmbid\
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000402A 0_2_1000402A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100100E1 0_2_100100E1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10045B87 0_2_10045B87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003ECAF 0_2_1003ECAF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000402A 3_2_1000402A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100100E1 3_2_100100E1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10045B87 3_2_10045B87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003ECAF 3_2_1003ECAF
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 10040330 appears 42 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1003E2C1 appears 67 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10040330 appears 39 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1003E2C1 appears 63 times
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: uVPWqAOMKn.dll Virustotal: Detection: 68%
Source: uVPWqAOMKn.dll ReversingLabs: Detection: 75%
Source: uVPWqAOMKn.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\uVPWqAOMKn.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uVPWqAOMKn.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uVPWqAOMKn.dll,DllUnregisterServerrrrrrrrrrr
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Elutq\fjqpvuhrz.fqb"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\uVPWqAOMKn.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uVPWqAOMKn.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uVPWqAOMKn.dll,DllUnregisterServerrrrrrrrrrr
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Elutq\fjqpvuhrz.fqb"
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@19/4@0/46
Source: C:\Windows\System32\loaddll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100055AE FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf, 0_2_100055AE
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: uVPWqAOMKn.dll Static PE information: section name: RT_CURSOR
Source: uVPWqAOMKn.dll Static PE information: section name: RT_BITMAP
Source: uVPWqAOMKn.dll Static PE information: section name: RT_ICON
Source: uVPWqAOMKn.dll Static PE information: section name: RT_MENU
Source: uVPWqAOMKn.dll Static PE information: section name: RT_DIALOG
Source: uVPWqAOMKn.dll Static PE information: section name: RT_STRING
Source: uVPWqAOMKn.dll Static PE information: section name: RT_ACCELERATOR
Source: uVPWqAOMKn.dll Static PE information: section name: RT_GROUP_ICON
Source: uVPWqAOMKn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: uVPWqAOMKn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: uVPWqAOMKn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: uVPWqAOMKn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: uVPWqAOMKn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10040375 push ecx; ret 0_2_10040388
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E399 push ecx; ret 0_2_1003E3AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10040375 push ecx; ret 3_2_10040388
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E399 push ecx; ret 3_2_1003E3AC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1004D45C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1004D45C
Source: uVPWqAOMKn.dll Static PE information: real checksum: 0xb0279 should be: 0xa7c98
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\uVPWqAOMKn.dll
Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Elutq\fjqpvuhrz.fqb

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe File opened: C:\Windows\SysWOW64\Vdlpleqgmbid\thsbtvqnbmk.qpm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Elutq\fjqpvuhrz.fqb:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yqnybwmpxxvi\rbkhlu.jlu:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bazvgecbzbhcygj\lmduwghpark.ygy:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000B0F3 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_1000B0F3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001954B GetParent,GetParent,IsIconic,GetParent, 0_2_1001954B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100209B3 IsWindowVisible,IsIconic, 0_2_100209B3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000B0F3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000B0F3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001954B GetParent,GetParent,IsIconic,GetParent, 3_2_1001954B
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 6936 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5656 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\System32\loaddll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.0 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10027BC4 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_10027BC4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10027BC4 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_10027BC4
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000002.00000002.895343613.000002930D629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@`
Source: regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 00000002.00000002.896439652.0000029312C65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.896415294.0000029312C58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.579287319.0000000001006000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.895366348.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.594049679.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584392382.0000000001006000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.612607896.000002222F613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.612847393.000002222F688000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.612994652.000002222F6ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.895079494.0000021B56402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000D.00000002.895179276.0000021B56428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D41D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1003D41D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1004D45C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1004D45C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000402A GetNativeSystemInfo,GetProcessHeap,HeapAlloc,VirtualFree,memcpy, 0_2_1000402A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10049321 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10049321
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D41D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1003D41D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10042CE4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10042CE4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10049321 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10049321
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003D41D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1003D41D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10042CE4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10042CE4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 189.232.46.161 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 216.120.236.62 8080
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uVPWqAOMKn.dll",#1
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 0_2_10006280
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_1004F3C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 3_2_10006280
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_1004F3C7
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10045444 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_10045444
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1004A3B4 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_1004A3B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E466 _memset,GetVersionExW, 0_2_1000E466

Stealing of Sensitive Information

Source: Yara match File source: 3.2.regsvr32.exe.4be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4c10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.10e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.895080994.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.417225831.0000000004171000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.895666203.00000000010E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.417170755.0000000004140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.398365713.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418860992.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.398389005.0000000004C11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.396892983.0000000004AA1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.404579825.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418887391.0000000000551000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.410822400.0000000003011000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.396801505.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY