Windows Analysis Report MakbLShaqA

Overview

General Information

Sample Name: MakbLShaqA (renamed file extension from none to dll)
Analysis ID: 528565
MD5: d8f093871cd90d160aa42b945f68e229
SHA1: bed9b13fc1caeab0d9ee69c7ee9a3fc7939c04d5
SHA256: 778db11e074622c21181ac26eaead6bb1c8e60d4aee8b7df810ffffbd03b2064
Tags: 32dllexe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.5280000.12.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Machine Learning detection for sample
Source: MakbLShaqA.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: MakbLShaqA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04811A80 FindFirstFileW, 8_2_04811A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49764 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /SYSKBGIBxTUBdowZhTVfUaAYAEzgMuUlGOoLKDNLDTiFBTiWsXq HTTP/1.1Cookie: pFNpWfeVbHpase=BzroNbYOJlBeluUL21kf9bz/C9WCFsKtU3z4ZqWj1NAsmCYb46qGL4zo0otRiHL4wrBYdVMwTgrom4ILJC5Rh7kKbkp0hGijjV2ibTQJQT1b4cFT3IbmGojFIBff8vHMomGHxrv/I+8TgUg/iTHeNJSRv1mmk2PEFLzT2UUEQbG/kba0ePHqXmCT2M1YkajCceeut5bhg1Wlhj+CS8cGpwD+0qYOl0+dWBzKNb3WhUeTCqp2NZACjt06p/rDs9cWjNL4hcOMzf/2kxY/Q3UiJIrDSTrt96o/itjI5f00uDijyNSx7HzV5A==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.785606963.000001AFFBB9F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.671940054.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.676274983.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1193366310.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: svchost.exe, 0000000F.00000002.800779486.000001AFFB2EC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, rundll32.exe, 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.671940054.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.676274983.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1193366310.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000F.00000003.782138696.000001AFFBBD1000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782167788.000001AFFBB99000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782205391.000001AFFC002000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782120718.000001AFFBBD1000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782195700.000001AFFBB77000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782175989.000001AFFBBBA000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04821027 InternetReadFile, 8_2_04821027
Source: global traffic HTTP traffic detected: GET /SYSKBGIBxTUBdowZhTVfUaAYAEzgMuUlGOoLKDNLDTiFBTiWsXq HTTP/1.1Cookie: pFNpWfeVbHpase=BzroNbYOJlBeluUL21kf9bz/C9WCFsKtU3z4ZqWj1NAsmCYb46qGL4zo0otRiHL4wrBYdVMwTgrom4ILJC5Rh7kKbkp0hGijjV2ibTQJQT1b4cFT3IbmGojFIBff8vHMomGHxrv/I+8TgUg/iTHeNJSRv1mmk2PEFLzT2UUEQbG/kba0ePHqXmCT2M1YkajCceeut5bhg1Wlhj+CS8cGpwD+0qYOl0+dWBzKNb3WhUeTCqp2NZACjt06p/rDs9cWjNL4hcOMzf/2kxY/Q3UiJIrDSTrt96o/itjI5f00uDijyNSx7HzV5A==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49764 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 2_2_10013EC9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.47d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.51e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5280000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ed0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5130000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5190000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5190000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4df0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5280000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5340000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4df0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4720000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5180000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.11e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.11e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5340000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53a0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5130000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5180000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.47d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.51e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1189207323.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673846503.0000000005340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1189697004.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.675902171.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673692438.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673414231.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.671474262.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673772227.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1191193523.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1188619609.0000000000C40000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1192917717.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1190789322.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1190983661.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673534046.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1191434317.00000000053A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1189594475.0000000004DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.672601122.00000000011E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: MakbLShaqA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10046A46 2_2_10046A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10010E3B 2_2_10010E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003FFA2 2_2_1003FFA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DECE3 2_2_048DECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C4C00 2_2_048C4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C441E 2_2_048C441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CF41F 2_2_048CF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D056A 2_2_048D056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DAEEB 2_2_048DAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DDEF4 2_2_048DDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D90BA 2_2_048D90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048E08D1 2_2_048E08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C3845 2_2_048C3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C2043 2_2_048C2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DD99A 2_2_048DD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DCAA8 2_2_048DCAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C2A46 2_2_048C2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C9384 2_2_048C9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D7BB2 2_2_048D7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CCC8D 2_2_048CCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D748A 2_2_048D748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DAC9B 2_2_048DAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CAC95 2_2_048CAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C3C91 2_2_048C3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D44AA 2_2_048D44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DCCD4 2_2_048DCCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C8C09 2_2_048C8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D1C10 2_2_048D1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CEC27 2_2_048CEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DE441 2_2_048DE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C1C76 2_2_048C1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D4D8D 2_2_048D4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C758F 2_2_048C758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CFD91 2_2_048CFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D9DA1 2_2_048D9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048E25C3 2_2_048E25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C55E8 2_2_048C55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CC5FE 2_2_048CC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C3502 2_2_048C3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C251C 2_2_048C251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DFD10 2_2_048DFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D4E8A 2_2_048D4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048E0687 2_2_048E0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DD6A7 2_2_048DD6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CFEA0 2_2_048CFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DBEC9 2_2_048DBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D7ED1 2_2_048D7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C9E22 2_2_048C9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C2654 2_2_048C2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C4F8E 2_2_048C4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D2FA2 2_2_048D2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048CBFB6 2_2_048CBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C6FC4 2_2_048C6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DBFE8 2_2_048DBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C3F5C 2_2_048C3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D1F6B 2_2_048D1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D577E 2_2_048D577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DD091 2_2_048DD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D78A5 2_2_048D78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048D98BD 2_2_048D98BD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10041CAB appears 78 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10041DB8 appears 35 times
Source: MakbLShaqA.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal92.troj.evad.winDLL@18/0@0/20
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04811B54 CreateToolhelp32Snapshot, 8_2_04811B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10016810 LockResource, 2_2_10016810
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\System32\wuapihost.exe Automated click: OK
Source: MakbLShaqA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MakbLShaqA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MakbLShaqA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MakbLShaqA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MakbLShaqA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10041D83 push ecx; ret 2_2_10041D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10041DFD push ecx; ret 2_2_10041E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048C1229 push eax; retf 2_2_048C129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01121229 push eax; retf 3_2_0112129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04801229 push eax; retf 6_2_0480129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04801229 push eax; retf 8_2_0480129A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1004D1EA
PE file contains an invalid checksum
Source: MakbLShaqA.dll Static PE information: real checksum: 0xadad1 should be: 0xa7dab

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000C188 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000C188
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 2128 Thread sleep time: -150000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04811A80 FindFirstFileW, 8_2_04811A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000F.00000002.800737623.000001AFFB2C5000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.800779486.000001AFFB2EC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.800688440.000001AFFB2A5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100441C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1004D1EA
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048DDE10 mov eax, dword ptr fs:[00000030h] 2_2_048DDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0113DE10 mov eax, dword ptr fs:[00000030h] 3_2_0113DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0481DE10 mov eax, dword ptr fs:[00000030h] 6_2_0481DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0481DE10 mov eax, dword ptr fs:[00000030h] 8_2_0481DE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100441C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1004A1EC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1004A1EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003F29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1003F29E

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 2_2_100199B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 2_2_1004DE0C
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10048D61 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_10048D61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000BFE6 _memset,GetVersionExA, 2_2_1000BFE6

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.47d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.51e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5280000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ed0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5130000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5190000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5190000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4df0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5280000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5340000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4df0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4720000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5180000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.11e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.11e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5340000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53a0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5130000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5180000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.47d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.51e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1189207323.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673846503.0000000005340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1189697004.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.675902171.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673692438.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673414231.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.671474262.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673772227.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1191193523.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1188619609.0000000000C40000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1192917717.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1190789322.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1190983661.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.673534046.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1191434317.00000000053A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1189594475.0000000004DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.672601122.00000000011E0000.00000040.00000001.sdmp, type: MEMORY