Windows Analysis Report MakbLShaqA.dll

Overview

General Information

Sample Name:	MakbLShaqA.dll
Analysis ID:	528565
MD5:	d8f093871cd90d160aa42b945f68e229
SHA1:	bed9b13fc1caeab0d9ee69c7ee9a3fc7939c04d5
SHA256:	778db11e074622c21181ac26eaead6bb1c8e60d4aee8b7df810ffffbd03b2064
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Multi AV Scanner detection for domain / URL

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 7.2.rundll32.exe.2730000.0.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Source: MakbLShaqA.dll

Virustotal: Detection: 16%

Perma Link

Multi AV Scanner detection for domain / URL

Source: https://51.178.61.60/

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for sample

Source: MakbLShaqA.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: MakbLShaqA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49759 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		2_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04201A80 FindFirstFileW,		7_2_04201A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49764 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.372851993.000002854CB94000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.372851993.000002854CB94000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000002.00000002.251213292.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.248351593.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.252910239.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.646110148.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)

Source: rundll32.exe, 00000007.00000002.643498078.000000000299A000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.269041596.000000000299A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.539104380.00000275BC28C000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.388838675.000002854CB00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000A.00000002.538995107.00000275BC212000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.388541947.000002854C23C000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microft8
Source: svchost.exe, 0000000E.00000002.305947613.000002890D413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: rundll32.exe, rundll32.exe, 00000002.00000002.251213292.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.248351593.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.252910239.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.646110148.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll	String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 00000007.00000002.643460255.0000000002979000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.269137604.0000000002977000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000007.00000002.643460255.0000000002979000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.643350637.0000000002941000.00000004.00000020.sdmp, rundll32.exe, 00000007.00000003.269137604.0000000002977000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/mORDXFCTowJiEI
Source: rundll32.exe, 00000007.00000002.643350637.0000000002941000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/mORDXFCTowJiEI7L
Source: rundll32.exe, 00000007.00000002.643350637.0000000002941000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/mORDXFCTowJiEIIL
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comt
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.305963685.000002890D42A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305624378.000002890D45F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.306010313.000002890D44E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305602622.000002890D449000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.305963685.000002890D42A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.305963685.000002890D42A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000002.305994082.000002890D443000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.305676490.000002890D442000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305653202.000002890D441000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305994082.000002890D443000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305653202.000002890D441000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.305624378.000002890D45F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305602622.000002890D449000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305994082.000002890D443000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.283947646.000002890D432000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.305947613.000002890D413000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305670274.000002890D457000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305670274.000002890D457000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305653202.000002890D441000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.283947646.000002890D432000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305980684.000002890D43C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.306010313.000002890D44E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305602622.000002890D449000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.369209327.000002854CB7F000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000019.00000003.369220229.000002854CB90000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369209327.000002854CB7F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369173793.000002854CBA7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369239661.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369187106.000002854CBA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: Yara match	File source: 7.2.rundll32.exe.4eb0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4bc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4bc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4900000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4eb0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4820000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.28a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2b90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.28a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2de0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4da0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4900000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ec0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e60000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4820000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4b60000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4bc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4ca0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2b90000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4da0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5030000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4ca0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4b60000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4bc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ec0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5030000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.644665975.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.642932572.0000000002730000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.645532661.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.251093887.0000000005030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.645241270.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.248189238.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.250243016.0000000002DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.250730251.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.645897262.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.252637909.0000000003F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.250606997.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.644831234.0000000004900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.251012589.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.643684713.0000000002B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.645743036.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.250937948.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.645105513.0000000004B60000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10041CAB appears 75 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10041DB8 appears 35 times

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Sxdbowjvh\qaursesh.cky",UWJouFROYqkt
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Sxdbowjvh\qaursesh.cky",UWJouFROYqkt	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10041D83 push ecx; ret	2_2_10041D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10041DFD push ecx; ret	2_2_10041E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_02E11229 push eax; retf	2_2_02E1129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_028D1229 push eax; retf	3_2_028D129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_03F81229 push eax; retf	6_2_03F8129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_041F1229 push eax; retf	7_2_041F129A

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 5680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2908	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6180	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: svchost.exe, 0000000A.00000002.539081571.00000275BC262000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.643460255.0000000002979000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.269137604.0000000002977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.538766604.00000275B6A29000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.539065871.00000275BC24C000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.388458543.000002854C213000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.386773119.000002854C27D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.388692192.000002854C2ED000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.388621892.000002854C27D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.643375653.0000000002954000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.642209081.0000026710C2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_02E2DE10 mov eax, dword ptr fs:[00000030h]	2_2_02E2DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_028EDE10 mov eax, dword ptr fs:[00000030h]	3_2_028EDE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_03F9DE10 mov eax, dword ptr fs:[00000030h]	6_2_03F9DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0420DE10 mov eax, dword ptr fs:[00000030h]	7_2_0420DE10

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100441C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1004A1EC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1004A1EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003F29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1003F29E

Windows Analysis Report MakbLShaqA.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Source: rundll32.exe, 00000007.00000002.643780071.0000000002DE0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000007.00000002.643780071.0000000002DE0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000007.00000002.643780071.0000000002DE0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000007.00000002.643780071.0000000002DE0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000007.00000002.643780071.0000000002DE0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,		2_2_100199B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,		2_2_1004DE0C

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000010.00000002.642285823.0000026DDEC40000.00000004.00000001.sdmp	Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.642210089.0000026DDEC13000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.642388993.0000026DDED02000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.642236431.0000026DDEC29000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

ID:	528565
Product:	CloudBasic
Start time:	14:17:56
Start date:	25.11.2021
Sample:	MakbLShaqA.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	d8f093871cd90d160aa42b945f68e229
SHA1:	bed9b13fc1caeab0d9ee69c7ee9a3fc7939c04d5
SHA256:	778db11e074622c21181ac26eaead6bb1c8e60d4aee8b7df810ffffbd03b2064
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 94.34%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	A7335A8119E679AA9A6631C5B87A4D32	BA2C848CB15D404619E6287931AD1BA0B54D1BD2	5056AF98C8C147D6771B888DA45FDC7C3ACEE99A312EC5786827BD5C0729D772
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xe45a3984, page size 16384, Windows version 10.0	30D550F5D38E9D5FC728495F852D4B17	F89ABBAC72EF9B23E9D44FB48FC2E4AD1053A91C	FCB92B57D44503A1147318F264648D5283B891311A2924F90674F510B062DFD1
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	208B90768D7CFDA228718915B355CBE8	C7388A403555B6B3F1456AE6F35891D93B1C72AF	450D5920506D2DF487D18BA264E3F7D7C944C497EB2F7EAFB64C8A13A1256AB7
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	58FB451EEC996B2E1E31B3702038230A	8E0F459C82DB9EC32986BA327744FC17CC1C83A6	5BF64CC8E9E7F06F05A3FCB128FA3729E46F0C0B80E7E7E8A9FAF8EAEB75F7B6
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211125_221913_781.etl	data	D066D4108567BF3E33D816E4714D31CD	8A1A5D3F4B2C99DB65D51705C1FFFE7B39F3AB9D	3B2F9D8C37E6DB1C1C352A04F2C1A44ABF96C37CA219291AABB394392A5EB313