
Analysis Report v8iFmF7XPp

Overview

General Information

Sample Name: v8iFmF7XPp (renamed file extension from none to dll)
Analysis ID: 386403
MD5: 57c45087c4228b685f2ba1739033aa52
SHA1: 0dfcdc6a288fe0792363b55cfa0009343239f7e7
SHA256: 0ef921657a9c7d429c65e2a5b74a235b75b3f14d1a0781bc5b174472913c2902

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3876 cmdline: loaddll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 908 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5076 cmdline: rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 576 cmdline: rundll32.exe C:\Users\user\Desktop\v8iFmF7XPp.dll,RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5804 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Qfjc\jklaa.dll',RunDLL 1AIAACAAAABRAGYAagBjAFwAagBvAGoAYwBuAGoALgB0AG0AcQAAAA== MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6724 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ctxuywd\wutukq.pfb',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
              • rundll32.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzwiovrtengiv\kqvcktqgbfib.iqj',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                • rundll32.exe (PID: 6888 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxwmb\jkpj.zgu',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                  • rundll32.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vtvnv\rgao.stw',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                    • rundll32.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tduzowfuyye\kwrnkagaoo.gjy',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                      • rundll32.exe (PID: 7080 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Acjeqx\suoth.uea',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                        • rundll32.exe (PID: 7116 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vsbshgerbjleuww\jcxjttitojfdgx.izj',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                          • rundll32.exe (PID: 7152 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sxwlvdjt\gtruoro.fuy',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                            • rundll32.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvrwkvknxaabriyw\pmfojithdcmeryt.srg',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                              • rundll32.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Niikduolbedqywld\lkcbagravqkrfqh.nmi',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                • rundll32.exe (PID: 3924 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zoyzltjfgemqhsmn\vnkfptckelbvwlk.boa',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                  • rundll32.exe (PID: 488 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Livoial\pcccws.vji',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                    • rundll32.exe (PID: 5148 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iazkdtsnhfgqyu\kqzarazxjjgtp.ohz',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                      • rundll32.exe (PID: 5180 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qrtvgntlq\jkzevdis.pdj',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 2992 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2412 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5332 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2412 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5056 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1328 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4724 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6156 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.198543812.0000000004411000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.198440197.0000000004310000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.343393255.0000000003350000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.343444128.0000000003371000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.462653731.0000000002391000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.2390000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.4310000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.2720000.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.2720000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.3370000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 36.2.rundll32.exe.49f0000.1.unpack | Malware Configuration Extractor: Emotet
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll | Virustotal: Detection: 74%
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll | Metadefender: Detection: 43%
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll | ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: v8iFmF7XPp.dll | Virustotal: Detection: 79%
Source: v8iFmF7XPp.dll | Metadefender: Detection: 50%
Source: v8iFmF7XPp.dll | ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: v8iFmF7XPp.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70332180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,21_2_70332180
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70335700 RegOpenKeyA,EncryptFileA,VirtualAlloc,Sleep,ExitProcess,21_2_70335700
Source: v8iFmF7XPp.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70348C1D FindFirstFileExA,21_2_70348C1D

Networking:

C2 URLs / IPs found in malware configuration
Source: unknown | Network traffic detected: IP country count 31
Source: Joe Sandbox View | IP Address: 97.120.3.198
Source: Joe Sandbox View | ASN Name: HOSTER-KZ
Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
Source: Joe Sandbox View | ASN Name: BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN
Source: global traffic | HTTP traffic detected:
  POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1
  DNT: 0
  Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/
  Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHM
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 167.71.148.58:443
  Content-Length: 6564
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /bnl4xmkzrn1f8bjj9e/kox9ds79wzqntiit/a219nkda3nv0ln83dk/ingn8/w1sz8lqi2h4xevvf153/ HTTP/1.1
  DNT: 0
  Referer: 167.71.148.58/bnl4xmkzrn1f8bjj9e/kox9ds79wzqntiit/a219nkda3nv0ln83dk/ingn8/w1sz8lqi2h4xevvf153/
  Content-Type: multipart/form-data; boundary=----------------------v7ja694BxhvFduv6zU4WRC
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 167.71.148.58:443
  Content-Length: 6484
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown | TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown | TCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownHTTP traffic detected: POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1DNT: 0Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHMUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.71.148.58:443Content-Length: 6564Connection: Keep-AliveCache-Control: no-cache
                      Source: svchost.exe, 00000009.00000002.468110110.000002C419E89000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: svchost.exe, 00000009.00000002.468110110.000002C419E89000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                      Source: svchost.exe, 00000009.00000002.467760812.000002C419E14000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
                      Source: svchost.exe, 00000009.00000002.467432440.000002C419D60000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: svchost.exe, 00000009.00000002.462704832.000002C4146AF000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enum
                      Source: svchost.exe, 00000010.00000002.309488340.0000023697213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000010.00000003.309202138.000002369725A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000010.00000002.309538398.000002369724E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000010.00000002.309527175.0000023697242000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000010.00000002.309527175.0000023697242000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000010.00000003.309202138.000002369725A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309551952.0000023697265000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000010.00000002.309488340.0000023697213000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000010.00000003.309215409.0000023697240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309517521.000002369723B000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000010.00000002.309538398.000002369724E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 00000003.00000002.198543812.0000000004411000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.198440197.0000000004310000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.343393255.0000000003350000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.343444128.0000000003371000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.462653731.0000000002391000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.463337654.0000000002720000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 4.2.rundll32.exe.2390000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4310000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.2720000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.2720000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.3370000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.3350000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4310000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4410000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.3350000.1.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70335CE0 GetModuleFileNameW, PathFindFileNameW, OpenSCManagerW, OpenServiceW, DeleteService, CloseHandle, RegCreateKeyExW, RegDeleteValueW, CloseHandle, MoveFileW, ExitProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Qfjc\
                      Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Qfjc\jojcnj.tmq:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100180F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10016156
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100129C7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10013270
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10013A9C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100172D6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10016BDE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000D3FF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001367C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001669A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10012E9C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04416C05
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04428978
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04414121
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442C19B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04424DAD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04416E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441E360
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441FB04
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04419716
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442533C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442A7E4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044183F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441D04B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441884A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04425060
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04420C65
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441F471
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04421C79
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04414828
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044268CB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441B0E1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442D08F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442A094
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441F099
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441C8A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442C95E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04414D5F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04415D0E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04422513
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441E924
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441792C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04425D36
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044239E1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04418994
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442B19F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044181A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044159B8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04427A50
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441D668
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441766F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441427A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04428E79
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04422A7D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04411600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04423600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04413618
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441DEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441D2CE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044212D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044276D5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04429AE2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04417AE4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442A2EA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04420EA0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044272AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044112B6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04416ABA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04416342
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04412746
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04423745
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04425748
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04418F55
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441DB5B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04425B60
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04420705
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04428313
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441BB28
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441C3C2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044133F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441B7F8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441EF80
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04413B97
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441B3A2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04413FAB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_044167AC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0442CBB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0441FFB5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F457F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EED71
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F53C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050ECDD8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E542D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F9C76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F8684
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EE2BE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E80E3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F030B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E7D07
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EF100
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E8F1B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E2B2B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E1D2B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EAB26
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E773B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F2938
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E4F4C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E7547
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F9B59
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EBD6C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EF96A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050ED77E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E918D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EDB9E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EB394
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050FABAE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E2FA7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E43BC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EF3B2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050ECBB1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E83CE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F19CB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F83C9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F9DC4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E5FD2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F49EF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F8FE8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E69FD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E13FB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E17FB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EBFF4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050EA7F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050F300F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050E7E0C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_050ED405