
Windows Analysis Report YBfn5E3Dlw

Overview

General Information

Sample Name: YBfn5E3Dlw (renamed file extension from none to dll)
Analysis ID: 553389
MD5: 038f9a9d5b96733a9b3030cfbe4e4535
SHA1: 3b8a4b81f0b06514188e4f935d5f4b0858b93806
SHA256: d46762ba155e3345baf5d9e9453e6cd8e0647438693abddf34f98ae8d6bd436a
Tags: 32 dll exe
Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6260 cmdline: loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 2240 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6072 cmdline: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4180 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6500 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 6664 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5396 cmdline: regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6436 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1320 cmdline: rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5628 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 1368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5416 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.680031217.0000000002AE1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.687070469.0000000000B50000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.684992268.0000000003450000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.703964616.0000000002AB0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.687871792.0000000005661000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 27 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.rundll32.exe.59f0000.10.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.5630000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.4720000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.2ab0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.5690000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 43 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2240, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, ProcessId: 6072

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.1270000.0.raw.unpack, Malware Configuration Extractor: Emotet (the extracted C2 list and public keys are the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: YBfn5E3Dlw.dll, Virustotal: Detection: 13%
Source: YBfn5E3Dlw.dll, ReversingLabs: Detection: 16%
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.685499614.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: a,njr/nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.702514723.0000000000C92000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb^;V source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49790 -> 45.138.98.34:80
Source: Traffic, Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49791 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: 45.138.98.34:80 and the 26 further C2 addresses listed under Malware Configuration above
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 104.131.62.48
Source: global traffic, TCP traffic: 192.168.2.4:49791 -> 69.16.218.101:8080
Source: unknown, Network traffic detected: IP country count 12
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 occurrences)
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101 (11 occurrences)
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.12.dr, String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000013.00000003.800332710.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800427811.000002EBAF402000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800351036.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800401036.000002EBAEF8A000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10001280 recvfrom, 2_2_10001280
Source: loaddll32.exe, 00000000.00000000.678773988.000000000111B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_10027958

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                      Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Ytghf\
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10030E38 appears 49 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10030535 appears 75 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030E38 appears 116 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1003578B appears 46 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030535 appears 174 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030568 appears 32 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
                      Source: YBfn5E3Dlw.dll | Virustotal: Detection: 13%
                      Source: YBfn5E3Dlw.dll | ReversingLabs: Detection: 16%
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF761.tmp
                      Source: classification engine | Classification label: mal92.troj.evad.winDLL@26/10@0/28
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5628:64:WilError_01
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000