
Windows Analysis Report MakbLShaqA.dll

Overview

General Information

Sample Name: MakbLShaqA.dll
Analysis ID: 528565
MD5: d8f093871cd90d160aa42b945f68e229
SHA1: bed9b13fc1caeab0d9ee69c7ee9a3fc7939c04d5
SHA256: 778db11e074622c21181ac26eaead6bb1c8e60d4aee8b7df810ffffbd03b2064
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5912 cmdline: loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5680 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1488 cmdline: rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5064 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 576 cmdline: rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4624 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Sxdbowjvh\qaursesh.cky",UWJouFROYqkt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4396 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 3056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3444 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4620 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6092 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4144 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1260 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2436 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 244 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
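
The tree above is the part of this report a responder will want to match automatically. The following Python is an added example, not part of the Joe Sandbox report and not Emotet tooling: it re-parses the tree exactly as printed here (bullet, indentation, PID, command line, MD5) and raises two findings, a rundll32.exe spawned by another rundll32.exe (the parent/child pair the report's Sigma hit names) and a rundll32.exe told to load a module without a .dll extension from a sub-directory of System32 or SysWOW64 (here Sxdbowjvh\qaursesh.cky, the dropped copy rather than the sample on the desktop). The two heuristics, the regular expressions and the abridged tree text are this example's own; the Sigma rule's actual logic is not reproduced.

```python
"""Flag the rundll32 pattern visible in the process tree above.

Added example; not part of the Joe Sandbox report.  The tree text is
abridged from the "Process Tree" section (the harness, the rundll32
chain and one service process); the parser relies only on the bullet
and indentation layout the report uses.
"""
import re
from dataclasses import dataclass
from typing import Optional

PROCESS_TREE = r"""
  • System is w10x64
  • loaddll32.exe (PID: 5912 cmdline: loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5680 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1488 cmdline: rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5064 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 576 cmdline: rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4624 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Sxdbowjvh\qaursesh.cky",UWJouFROYqkt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4396 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 3056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
"""

# One tree node: "<indent>• <image> (PID: <n> cmdline: <cmdline> MD5: <hash>)"
NODE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# rundll32 argument syntax is <module>,<export>; the module may be quoted.
RUNDLL_ARGS_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))\s*,\s*(?P<export>\S*)')
# <drive>:\Windows\System32\<dir>\<file> or the SysWOW64 equivalent (heuristic, this example's own).
SYSTEM_SUBDIR_RE = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\[^\\]+\\[^\\]+$", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    md5: str
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> list:
    """Rebuild parent/child links from the indentation of the bullet list."""
    procs, stack = [], []  # stack holds (indent width, Proc) down the current branch
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:  # "System is ...", "cleanup" and blank lines carry no process
            continue
        indent = len(m["indent"])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        proc = Proc(int(m["pid"]), m["image"].lower(), m["cmdline"], m["md5"].upper(),
                    stack[-1][1] if stack else None)
        stack.append((indent, proc))
        procs.append(proc)
    return procs


def rundll32_module(cmdline: str):
    """Return (module path, export) from a rundll32 command line, or None."""
    parts = cmdline.split(None, 1)  # drop the rundll32.exe token itself
    if len(parts) < 2:
        return None
    m = RUNDLL_ARGS_RE.match(parts[1])
    if not m:
        return None
    return (m["quoted"] or m["bare"]), m["export"]


def emotet_rundll32_findings(procs) -> list:
    """(pid, reason) for every rundll32 that matches one of the two heuristics."""
    findings = []
    for p in procs:
        if not p.image.endswith("rundll32.exe"):
            continue
        if p.parent is not None and p.parent.image.endswith("rundll32.exe"):
            findings.append((p.pid, f"rundll32 spawned by rundll32 (parent PID {p.parent.pid})"))
        mod = rundll32_module(p.cmdline)
        if mod and not mod[0].lower().endswith(".dll") and SYSTEM_SUBDIR_RE.search(mod[0]):
            findings.append((p.pid, f"rundll32 loads non-.dll module {mod[0]} (export {mod[1]})"))
    return findings


if __name__ == "__main__":
    for pid, reason in emotet_rundll32_findings(parse_tree(PROCESS_TREE)):
        print(f"PID {pid}: {reason}")
```

Run against the tree as printed, the first heuristic fires on PIDs 5064, 4624 and 4396 and the second on 4624 and 4396; the rundll32 started by loaddll32.exe (PID 576) and the one started by cmd.exe (PID 1488) are the sandbox harness and stay quiet. On a real host the same two checks map onto process-creation telemetry (Sysmon event 1 or 4688) with ParentImage and CommandLine in place of the tree text.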

Malware Configuration

Threatname: Emotet

{
  "Public Key": [
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"
  ],
  "C2 list": [
    "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
    "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
    "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
    "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
    "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"
  ]
}
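
Before the extracted configuration is fed to a blocklist or a rule set it is worth checking that it is what the extractor says it is. The Python below is an added example, not part of the Joe Sandbox report: it takes the configuration above verbatim, checks that every "C2 list" entry is a routable IPv4 address with a valid port, and decodes each "Public Key" as a Windows CNG BCRYPT_ECCKEY_BLOB (4-byte magic, 4-byte little-endian key length, then the X and Y coordinates), verifying the magic, the length and that the point satisfies the NIST P-256 curve equation. The "ECK1"/"ECS1" magics and the P-256 constants are public Windows and FIPS 186-4 values; the interpretation of the two keys as ECDH and ECDSA public keys follows from those magics; the Suricata rule text and the local SID range are this example's own choice.

```python
"""Sanity-check the Emotet configuration extracted above.

Added example; not part of the Joe Sandbox report.  It validates the
two things the extractor hands us: every "C2 list" entry must be a
routable IPv4 address plus port, and every "Public Key" must decode to
a Windows CNG BCRYPT_ECCKEY_BLOB whose point lies on NIST P-256.
"""
import base64
import ipaddress
import struct
from collections import Counter

# Copied verbatim from the "Malware Configuration" block of the report.
EMOTET_CONFIG = {
    "Public Key": [
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    ],
    "C2 list": [
        "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
        "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
        "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
        "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
        "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443",
    ],
}

# NIST P-256 field prime and curve constant b (FIPS 186-4); a = -3.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# BCRYPT_ECDH_PUBLIC_P256_MAGIC / BCRYPT_ECDSA_PUBLIC_P256_MAGIC from
# bcrypt.h: little-endian DWORDs whose bytes spell "ECK1" and "ECS1".
CNG_MAGICS = {b"ECK1": "ECDH public key (P-256)", b"ECS1": "ECDSA public key (P-256)"}


def parse_cng_ecc_blob(b64: str) -> dict:
    """Decode a base64 BCRYPT_ECCKEY_BLOB and verify its layout and curve point."""
    blob = base64.b64decode(b64)
    if len(blob) < 8:
        raise ValueError("blob shorter than the BCRYPT_ECCKEY_BLOB header")
    magic = blob[:4]
    (cb_key,) = struct.unpack_from("<I", blob, 4)
    if magic not in CNG_MAGICS:
        raise ValueError(f"unknown CNG magic {magic!r}")
    if cb_key != 32 or len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"unexpected key size {cb_key} for a {len(blob)}-byte blob")
    # Coordinates are big-endian unsigned integers in the CNG blob format.
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    on_curve = (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0
    return {"magic": magic.decode("ascii"), "usage": CNG_MAGICS[magic],
            "cb_key": cb_key, "x": x, "y": y, "on_curve": on_curve}


def parse_c2_entries(entries) -> list:
    """Turn "ip:port" strings into (IPv4Address, port) pairs, rejecting junk."""
    parsed = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")  # config uses IPv4 only
        if not sep:
            raise ValueError(f"no port in C2 entry {entry!r}")
        addr = ipaddress.ip_address(host)
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port in C2 entry {entry!r}")
        if addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_reserved:
            raise ValueError(f"non-routable C2 address {entry!r}")
        parsed.append((addr, port))
    return parsed


def suricata_rules(c2, first_sid: int = 1000001) -> list:
    """One outbound alert per C2 pair; SIDs start in the local-use range (assumption)."""
    return [
        f'alert tcp $HOME_NET any -> {addr} {port} '
        f'(msg:"Emotet C2 {addr}:{port} (Joe Sandbox 528565)"; sid:{first_sid + i}; rev:1;)'
        for i, (addr, port) in enumerate(c2)
    ]


def summarize(config: dict = EMOTET_CONFIG) -> dict:
    """Validate the whole configuration and return the derived indicators."""
    keys = [parse_cng_ecc_blob(k) for k in config["Public Key"]]
    c2 = parse_c2_entries(config["C2 list"])
    return {"keys": keys, "c2": c2,
            "ports": Counter(port for _, port in c2), "rules": suricata_rules(c2)}


if __name__ == "__main__":
    result = summarize()
    for key in result["keys"]:
        print(f'{key["magic"]}: {key["usage"]}, on P-256: {key["on_curve"]}')
    print(f'{len(result["c2"])} C2 servers, ports: {dict(result["ports"])}')
    print("\n".join(result["rules"]))
```

The first key decodes with magic "ECK1" and the second with "ECS1", each with a 32-byte coordinate length, which is the layout BCryptImportKeyPair expects for a P-256 public key; the on-curve check is the cheap way to catch a corrupted or truncated key before it is used to decrypt captured traffic. The port histogram (ten servers on 8080, seven on 443, two on 80, one on 7080) is what the rule set should be checked against, since a listener on 443 here is plain HTTP over TLS from a bare IP, not a hostname.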

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.644665975.0000000004820000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.642932572.0000000002730000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.645532661.0000000004CA0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000002.00000002.251093887.0000000005030000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.645241270.0000000004BC0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(12 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
7.2.rundll32.exe.4eb0000.16.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
2.2.rundll32.exe.4bc0000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
7.2.rundll32.exe.4bc0000.10.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
7.2.rundll32.exe.4900000.6.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
7.2.rundll32.exe.4eb0000.16.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(29 entries in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started
Author: FPT.EagleEye
Data:
    Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL
    CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL
    CommandLine|base64offset|contains: (empty)
    Image: C:\Windows\SysWOW64\rundll32.exe
    NewProcessName: C:\Windows\SysWOW64\rundll32.exe
    OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
    ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Sxdbowjvh\qaursesh.cky",UWJouFROYqkt
    ParentImage: C:\Windows\SysWOW64\rundll32.exe
    ParentProcessId: 4624
    ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Sxdbowjvh\qaursesh.cky",Control_RunDLL
    ProcessId: 4396

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.2730000.0.raw.unpack; Malware Configuration Extractor: Emotet (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: MakbLShaqA.dll; VirusTotal: Detection: 16%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/; VirusTotal: Detection: 9%
Machine Learning detection for sample
Source: MakbLShaqA.dll; Joe Sandbox ML: detected
Source: MakbLShaqA.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown; HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_04201A80 FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49764 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 51.178.61.60:443, 168.197.250.14:80, 45.79.33.48:8080, 196.44.98.190:8080, 177.72.80.14:7080, 51.210.242.234:8080, 185.148.169.10:8080, 142.4.219.173:8080, 78.47.204.80:443, 78.46.73.125:443, 37.44.244.177:8080, 37.59.209.141:8080, 191.252.103.16:80, 54.38.242.185:443, 85.214.67.203:8080, 54.37.228.122:443, 207.148.81.119:8080, 195.77.239.39:8080, 66.42.57.149:443, 195.154.146.35:443
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: EcobandGH
Source: Joe Sandbox View; JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic; HTTP traffic detected:
    GET /mORDXFCTowJiEI HTTP/1.1
    Cookie: komdJdlT=TUmhOHjsq0jpdGYwwvuYW84t0VBz8jE3ieyufpTPSdsSjuFT9qN1vMRROT8XX34gAF8S6dpwUc+oH5xz0lXr75zGC35p3jlBRFBy5IujQdhnOqTtUqxCGNYrbZrmR2afdnZt5Wh/ofDgB2jcFQw6+VQQ2JIP7HCr+Pn9kzeVvkTqaBMsd4PXWCuDfSYazrGRqNltBGE0OeF7XD2oZRFmR54nZGCBwDANUxBVGwEA6yHtFefhr4En4Q==
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
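
The request recorded above carries the traits that several of the report's signatures key on: a GET to a bare IP with no User-Agent header, a random single-segment path, and the actual beacon carried in an oversized base64 Cookie value. The Python below is an added example, not part of the Joe Sandbox report: it parses that request (re-split onto CRLF lines, otherwise verbatim), evaluates each trait, and cross-checks the Host against the C2 addresses from the report's malware configuration. The trait list, the thresholds (128-byte cookie, 6 bits per byte of entropy, 8+ alphanumerics in the path) and the simple additive score are this example's own choices, not a vendor signature.

```python
"""Score a captured HTTP request for the Emotet C2 traits seen above.

Added example; not part of the Joe Sandbox report.  CAPTURED_REQUEST is
the request the report recorded; REPORT_C2_HOSTS is the "C2 list" from
the report's malware configuration with the ports dropped.
"""
import base64
import binascii
import ipaddress
import math
import re
from collections import Counter

CAPTURED_REQUEST = (
    "GET /mORDXFCTowJiEI HTTP/1.1\r\n"
    "Cookie: komdJdlT=TUmhOHjsq0jpdGYwwvuYW84t0VBz8jE3ieyufpTPSdsSjuFT9qN1vMRROT8XX34gAF8S6dpwUc+oH5xz"
    "0lXr75zGC35p3jlBRFBy5IujQdhnOqTtUqxCGNYrbZrmR2afdnZt5Wh/ofDgB2jcFQw6+VQQ2JIP7HCr+Pn9kzeVvkTqaBMs"
    "d4PXWCuDfSYazrGRqNltBGE0OeF7XD2oZRFmR54nZGCBwDANUxBVGwEA6yHtFefhr4En4Q==\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

REPORT_C2_HOSTS = frozenset({
    "51.178.61.60", "168.197.250.14", "45.79.33.48", "196.44.98.190", "177.72.80.14",
    "51.210.242.234", "185.148.169.10", "142.4.219.173", "78.47.204.80", "78.46.73.125",
    "37.44.244.177", "37.59.209.141", "191.252.103.16", "54.38.242.185", "85.214.67.203",
    "54.37.228.122", "207.148.81.119", "195.77.239.39", "66.42.57.149", "195.154.146.35",
})
# One path segment of 8+ alphanumerics, no extension, no query string (heuristic).
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{8,}$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8, text near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_base64_lenient(text: str):
    """Decode standard base64 after repairing padding; None if it is not base64."""
    body = text.rstrip("=")
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def score_request(raw: str, c2_hosts=REPORT_C2_HOSTS) -> dict:
    """Evaluate each trait and return the flags, their count and the parsed request."""
    req = parse_request(raw)
    h = req["headers"]
    host = h.get("host", "").rsplit(":", 1)[0]  # strip an optional :port (IPv4/hostname form)
    try:
        ip_literal = ipaddress.ip_address(host) is not None
    except ValueError:
        ip_literal = False
    cookie = h.get("cookie", "")
    _, _, cookie_value = cookie.partition("=")  # single name=value cookie, as in the capture
    decoded = decode_base64_lenient(cookie_value) if cookie_value else None
    flags = {
        "no_user_agent": "user-agent" not in h,
        "ip_literal_host": ip_literal,
        "host_in_c2_list": host in c2_hosts,
        "random_path": bool(RANDOM_PATH_RE.match(req["target"])),
        "large_cookie": len(cookie) >= 128,
        "opaque_cookie": decoded is not None and len(decoded) >= 64 and shannon_entropy(decoded) > 6.0,
    }
    return {"flags": flags, "score": sum(flags.values()), "request": req,
            "cookie_bytes": len(decoded) if decoded else 0}


if __name__ == "__main__":
    verdict = score_request(CAPTURED_REQUEST)
    for name, hit in verdict["flags"].items():
        print(f"{'[x]' if hit else '[ ]'} {name}")
    print(f"score {verdict['score']}/{len(verdict['flags'])}, cookie payload {verdict['cookie_bytes']} bytes")
```

Two of the traits are independent of any indicator list (missing User-Agent and the opaque cookie), which is what keeps the check useful after the C2 list rotates; the Host cross-check is there so that a hit against a known address raises the score on its own. Note that the connection the report saw was TLS on port 443, so this logic applies to the decrypted request (proxy or TLS-inspection log), not to the raw packet capture.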
Source: Joe Sandbox View; IP Address: 207.148.81.119
Source: Joe Sandbox View; IP Address: 196.44.98.190
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown; Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60 (10 occurrences)
Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.372781652.000002854CB83000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.372851993.000002854CB94000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000002.00000002.251213292.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.248351593.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.252910239.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.646110148.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll; String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: rundll32.exe, 00000007.00000002.643498078.000000000299A000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.269041596.000000000299A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.539104380.00000275BC28C000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.388838675.000002854CB00000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000A.00000002.538995107.00000275BC212000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmp; String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.388541947.000002854C23C000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.microft8
Source: svchost.exe, 0000000E.00000002.305947613.000002890D413000.00000004.00000001.sdmp; String found in binary or memory: http://www.bingmapsportal.com
Source: rundll32.exe, rundll32.exe, 00000002.00000002.251213292.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.248351593.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.252910239.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.646110148.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll; String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp; String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp; String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 00000007.00000002.643460255.0000000002979000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.269137604.0000000002977000.00000004.00000001.sdmp; String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000007.00000002.643460255.0000000002979000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.643350637.0000000002941000.00000004.00000020.sdmp, rundll32.exe, 00000007.00000003.269137604.0000000002977000.00000004.00000001.sdmp; String found in binary or memory: https://51.178.61.60/mORDXFCTowJiEI
Source: rundll32.exe, 00000007.00000002.643350637.0000000002941000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/mORDXFCTowJiEI7L
Source: rundll32.exe, 00000007.00000002.643350637.0000000002941000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/mORDXFCTowJiEIIL
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp; String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp; String found in binary or memory: https://activity.windows.comt
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp; String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.642318002.000001E5D943E000.00000004.00000001.sdmp; String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.305963685.000002890D42A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305624378.000002890D45F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.306010313.000002890D44E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305602622.000002890D449000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.305963685.000002890D42A000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.305963685.000002890D42A000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000002.305994082.000002890D443000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.305676490.000002890D442000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305653202.000002890D441000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305994082.000002890D443000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305653202.000002890D441000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmp; String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.305624378.000002890D45F000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305631055.000002890D45A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.306018853.000002890D45B000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.305602622.000002890D449000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305994082.000002890D443000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.305618783.000002890D461000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000E.00000003.283947646.000002890D432000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000E.00000002.305947613.000002890D413000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305987582.000002890D43E000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.305670274.000002890D457000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.305670274.000002890D457000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.305653202.000002890D441000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.283947646.000002890D432000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.305980684.000002890D43C000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000E.00000002.306010313.000002890D44E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.305602622.000002890D449000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000019.00000003.368117861.000002854CB77000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368199872.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.368168723.000002854CB98000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000019.00000003.369209327.000002854CB7F000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/
                      Source: svchost.exe, 00000019.00000003.369220229.000002854CB90000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369209327.000002854CB7F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369173793.000002854CBA7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369239661.000002854D002000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.369187106.000002854CBA7000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_04211027 InternetReadFile,7_2_04211027
                      Source: global trafficHTTP traffic detected: GET /mORDXFCTowJiEI HTTP/1.1Cookie: komdJdlT=TUmhOHjsq0jpdGYwwvuYW84t0VBz8jE3ieyufpTPSdsSjuFT9qN1vMRROT8XX34gAF8S6dpwUc+oH5xz0lXr75zGC35p3jlBRFBy5IujQdhnOqTtUqxCGNYrbZrmR2afdnZt5Wh/ofDgB2jcFQw6+VQQ2JIP7HCr+Pn9kzeVvkTqaBMsd4PXWCuDfSYazrGRqNltBGE0OeF7XD2oZRFmR54nZGCBwDANUxBVGwEA6yHtFefhr4En4Q==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49759 version: TLS 1.2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,2_2_10013EC9

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 7.2.rundll32.exe.4eb0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4bc0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4bc0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4900000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4eb0000.16.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4820000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.28a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.2730000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.2b90000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.28a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.3f50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4ae0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.2de0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4da0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4900000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4ec0000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4e60000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4e60000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4820000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4b60000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4bc0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4ca0000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.2730000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.2b90000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4da0000.14.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.5030000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4ca0000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4b60000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4ae0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.4bc0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.4ec0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.3f50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.2de0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.5030000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.644665975.0000000004820000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.642932572.0000000002730000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.645532661.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.251093887.0000000005030000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.645241270.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.248189238.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.250243016.0000000002DE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.250730251.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.645897262.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.252637909.0000000003F50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.250606997.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.644831234.0000000004900000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.251012589.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.643684713.0000000002B90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.645743036.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.250937948.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.645105513.0000000004B60000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: MakbLShaqA.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Sxdbowjvh\qaursesh.cky:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Sxdbowjvh\