Windows Analysis Report
IMqJSR2NIi

Overview

General Information

Sample Name: IMqJSR2NIi (renamed file extension from none to dll)
Analysis ID: 595302
MD5: 26c6fe63e7b7ddbbe73a97520ea5d93c
SHA1: 8787e8c20838eea270f4a1e11cf0da706ff610ad
SHA256: 9303d54f40b9c7f56d95a0aa39078f0878cab85d0b63e6f4b727749253013d8d
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Contains functionality to read device registry values (via SetupAPI)
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6600 cmdline: loaddll64.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6608 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6628 cmdline: rundll32.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\IMqJSR2NIi.dll,BrandingFormatString MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msra.exe (PID: 6316 cmdline: C:\Windows\system32\msra.exe MD5: 3240CC226FB8AC41A0431A8F3B9DD770)
        • msra.exe (PID: 5220 cmdline: C:\Users\user\AppData\Local\p9w993CR\msra.exe MD5: 3240CC226FB8AC41A0431A8F3B9DD770)
        • mfpmp.exe (PID: 6676 cmdline: C:\Windows\system32\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • mfpmp.exe (PID: 6904 cmdline: C:\Users\user\AppData\Local\jOnYG\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • Netplwiz.exe (PID: 7052 cmdline: C:\Windows\system32\Netplwiz.exe MD5: A513A767CC9CC3E694D8C9D53B90B73E)
        • Netplwiz.exe (PID: 7060 cmdline: C:\Users\user\AppData\Local\ED1MV6ND\Netplwiz.exe MD5: A513A767CC9CC3E694D8C9D53B90B73E)
        • RecoveryDrive.exe (PID: 5576 cmdline: C:\Windows\system32\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)
        • RecoveryDrive.exe (PID: 5760 cmdline: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)
        • OptionalFeatures.exe (PID: 3800 cmdline: C:\Windows\system32\OptionalFeatures.exe MD5: 25FA10F83BEDEF170C9BB47EE7E3CA91)
        • OptionalFeatures.exe (PID: 6096 cmdline: C:\Users\user\AppData\Local\f3fc\OptionalFeatures.exe MD5: 25FA10F83BEDEF170C9BB47EE7E3CA91)
        • Netplwiz.exe (PID: 60 cmdline: C:\Windows\system32\Netplwiz.exe MD5: A513A767CC9CC3E694D8C9D53B90B73E)
        • Netplwiz.exe (PID: 3948 cmdline: C:\Users\user\AppData\Local\Zc3\Netplwiz.exe MD5: A513A767CC9CC3E694D8C9D53B90B73E)
        • MusNotificationUx.exe (PID: 2108 cmdline: C:\Windows\system32\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
        • MusNotificationUx.exe (PID: 3600 cmdline: C:\Users\user\AppData\Local\SxxDNr\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
        • wscript.exe (PID: 4220 cmdline: C:\Windows\system32\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • wscript.exe (PID: 6152 cmdline: C:\Users\user\AppData\Local\XNPtE2qti\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • DevicePairingWizard.exe (PID: 4956 cmdline: C:\Windows\system32\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)
    • rundll32.exe (PID: 6768 cmdline: rundll32.exe C:\Users\user\Desktop\IMqJSR2NIi.dll,BrandingFormatStringForEdition MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6932 cmdline: rundll32.exe C:\Users\user\Desktop\IMqJSR2NIi.dll,BrandingLoadBitmap MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

No configs have been found

Source | Rule | Description | Author
00000016.00000002.426087810.00007FFFF6CD1000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000028.00000002.611239452.00007FFFE3391000.00000020.00000001.01000000.0000001B.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.269553653.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
0000001D.00000002.483809310.00007FFFF0DC1000.00000020.00000001.01000000.00000012.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000007.00000002.254908404.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(5 of 8 entries shown)

Source | Rule | Description | Author
26.2.Netplwiz.exe.7ffff6cd0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
29.2.RecoveryDrive.exe.7ffff0dc0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
37.2.MusNotificationUx.exe.7fffe3390000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
33.2.Netplwiz.exe.7ffff6cd0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
19.2.msra.exe.7fffef950000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(5 of 8 entries shown)

System Summary

Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6608, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\IMqJSR2NIi.dll",#1, ProcessId: 6628
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Local\p9w993CR\msra.exe

AV Detection

Source: IMqJSR2NIi.dll, Virustotal: Detection: 68%
Source: IMqJSR2NIi.dll, Metadefender: Detection: 62%
Source: IMqJSR2NIi.dll, ReversingLabs: Detection: 85%
Source: IMqJSR2NIi.dll, Avira: detected
Source: C:\Users\user\AppData\Local\XNPtE2qti\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\f3fc\appwiz.cpl, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\p9w993CR\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\TQg3bhA\ReAgent.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\ED1MV6ND\NETPLWIZ.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\jOnYG\MFPlat.DLL, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\OiZS\SLC.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\SxxDNr\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\CdAVuX3\MFC42u.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: IMqJSR2NIi.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\XNPtE2qti\VERSION.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\f3fc\appwiz.cpl, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\p9w993CR\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\TQg3bhA\ReAgent.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\ED1MV6ND\NETPLWIZ.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\jOnYG\MFPlat.DLL, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\OiZS\SLC.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SxxDNr\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CdAVuX3\MFC42u.dll, Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443F9D90 CryptReleaseContext,CryptAcquireContextW,GetLastError,CryptAcquireContextW,GetLastError,19_2_00007FF7443F9D90
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443E0D50 memset,CoInitialize,SysFreeString,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringByteLen,SysAllocStringByteLen,SysStringLen,towupper,SysStringLen,SysFreeString,SysAllocString,_time64,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SysFreeString,SysAllocString,SysStringByteLen,GetProcessHeap,HeapAlloc,memcpy,CryptDecrypt,SysAllocStringByteLen,memset,memcpy,GetProcessHeap,HeapFree,PostMessageW,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,19_2_00007FF7443E0D50
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443E1DB4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CompareStringW,SysAllocString,SysAllocString,??_V@YAXPEAX@Z,CryptReleaseContext,19_2_00007FF7443E1DB4
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443F9E94 memset,SysStringLen,SysStringLen,SysStringLen,memcpy,CryptEncrypt,GetLastError,19_2_00007FF7443F9E94
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FAE40 CryptGetUserKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,CryptBinaryToStringW,GetProcessHeap,HeapAlloc,CryptBinaryToStringW,SysAllocString,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,19_2_00007FF7443FAE40
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF744406EDC CryptGenRandom,19_2_00007FF744406EDC
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF744406F74 CryptAcquireContextW,time,srand,CryptGenRandom,CryptGenRandom,CryptGenRandom,CryptGenRandom,CryptGenRandom,CryptReleaseContext,19_2_00007FF744406F74
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443E2808 memset,CoInitialize,CryptReleaseContext,SysFreeString,_wtoi,SysStringByteLen,SysFreeString,SysAllocStringByteLen,SysAllocStringByteLen,SysStringByteLen,GetProcessHeap,HeapAlloc,memcpy,CryptDecrypt,SysAllocStringByteLen,memset,memcpy,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,19_2_00007FF7443E2808
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FA024 SysStringLen,SysStringLen,CryptEncrypt,GetLastError,memset,memcpy,CryptEncrypt,GetLastError,??_V@YAXPEAX@Z,19_2_00007FF7443FA024
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FA8F4 CryptGetUserKey,CryptStringToBinaryW,GetProcessHeap,HeapAlloc,CryptStringToBinaryW,CryptImportKey,GetProcessHeap,HeapFree,CryptDestroyKey,19_2_00007FF7443FA8F4
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443E21F4 memset,SysAllocString,CryptEncrypt,memcpy,??_V@YAXPEAX@Z,memset,memcpy,??_V@YAXPEAX@Z,memcpy,CryptEncrypt,SysAllocStringByteLen,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SysStringByteLen,SysStringByteLen,SysAllocStringByteLen,memcpy,memcpy,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,19_2_00007FF7443E21F4
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FA1C8 SysStringLen,SysStringLen,SysFreeString,SysAllocString,CryptDecrypt,SysAllocStringByteLen,memset,memcpy,free,19_2_00007FF7443FA1C8
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443F9AB0 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,19_2_00007FF7443F9AB0
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FAAC4 CryptStringToBinaryW,GetProcessHeap,HeapAlloc,CryptStringToBinaryW,CryptImportKey,CryptDestroyKey,CryptGenKey,CryptExportKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CryptExportKey,CryptBinaryToStringW,GetProcessHeap,HeapAlloc,CryptBinaryToStringW,SysAllocString,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,19_2_00007FF7443FAAC4
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443DBAC8 memset,#261,CreateFileW,GetLastError,GetLastError,GetFileSizeEx,GetProcessHeap,HeapAlloc,ReadFile,CryptBinaryToStringW,GetProcessHeap,HeapAlloc,CryptBinaryToStringW,GetProcessHeap,HeapAlloc,GetComputerNameW,GetProcessHeap,HeapAlloc,GetUserNameExW,GetUserNameW,SysAllocString,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,19_2_00007FF7443DBAC8
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443F9B3C CryptReleaseContext,CryptAcquireContextW,GetLastError,CryptAcquireContextW,GetLastError,19_2_00007FF7443F9B3C
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443F9BCC CryptDestroyHash,CryptDestroyKey,CryptCreateHash,SysStringByteLen,CryptHashData,CryptDeriveKey,GetLastError,19_2_00007FF7443F9BCC
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FA43C CryptGenRandom,19_2_00007FF7443FA43C
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FA508 memset,memcpy,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,memcpy,CryptDestroyHash,19_2_00007FF7443FA508
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443F9CA4 CryptDestroyHash,CryptDestroyKey,CryptCreateHash,SysStringByteLen,CryptHashData,CryptDeriveKey,CryptSetKeyParam,GetLastError,19_2_00007FF7443F9CA4
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443E04C8 memset,memset,_time64,SysAllocString,SysFreeString,CryptEncrypt,memcpy,??_V@YAXPEAX@Z,memset,memcpy,??_V@YAXPEAX@Z,memcpy,CryptEncrypt,SysAllocStringByteLen,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SysAllocString,SysFreeString,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,19_2_00007FF7443E04C8
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F43E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,29_2_00007FF7F21F43E0
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F84E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,29_2_00007FF7F21F84E4
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21FA198 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,29_2_00007FF7F21FA198
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F82F0 CryptGenKey,GetLastError,CryptDestroyKey,GetProcessHeap,HeapAlloc,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,29_2_00007FF7F21F82F0
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F87EC UuidCreate,UuidToStringW,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,RpcStringFreeW,29_2_00007FF7F21F87EC
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21FAC28 CryptGetUserKey,GetLastError,CryptDestroyKey,29_2_00007FF7F21FAC28
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F998C GetProcessHeap,HeapFree,CryptReleaseContext,GetProcessHeap,HeapFree,29_2_00007FF7F21F998C
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F9A24 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,29_2_00007FF7F21F9A24
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F4064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,29_2_00007FF7F21F4064
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21FA0C4 CryptReleaseContext,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,29_2_00007FF7F21FA0C4
Source: IMqJSR2NIi.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: MSRA.pdb source: msra.exe, 00000013.00000000.367253133.00007FF74440C000.00000002.00000001.01000000.0000000A.sdmp, msra.exe, 00000013.00000002.391229137.00007FF74440C000.00000002.00000001.01000000.0000000A.sdmp, msra.exe.5.dr
Source: Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 0000001D.00000000.459453459.00007FF7F224C000.00000002.00000001.01000000.00000011.sdmp, RecoveryDrive.exe, 0000001D.00000002.483695697.00007FF7F224C000.00000002.00000001.01000000.00000011.sdmp, RecoveryDrive.exe.5.dr
Source: Binary string: msinfo32.pdb source: msinfo32.exe.5.dr
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000028.00000000.584120682.00007FF775F85000.00000002.00000001.01000000.0000001A.sdmp, wscript.exe, 00000028.00000002.611169672.00007FF775F85000.00000002.00000001.01000000.0000001A.sdmp, wscript.exe.5.dr
Source: Binary string: MFPMP.pdb source: mfpmp.exe, 00000016.00000000.402543032.00007FF7243D7000.00000002.00000001.01000000.0000000C.sdmp, mfpmp.exe, 00000016.00000002.426009184.00007FF7243D7000.00000002.00000001.01000000.0000000C.sdmp, mfpmp.exe.5.dr
Source: Binary string: netplwiz.pdb source: Netplwiz.exe, 0000001A.00000000.430649778.00007FF6D63E4000.00000002.00000001.01000000.0000000F.sdmp, Netplwiz.exe, 0000001A.00000002.454430360.00007FF6D63E4000.00000002.00000001.01000000.0000000F.sdmp, Netplwiz.exe, 00000021.00000000.525832806.00007FF618294000.00000002.00000001.01000000.00000015.sdmp, Netplwiz.exe, 00000021.00000002.548659085.00007FF618294000.00000002.00000001.01000000.00000015.sdmp, Netplwiz.exe.5.dr, Netplwiz.exe0.5.dr
Source: Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 00000025.00000000.554704894.00007FF7E997E000.00000002.00000001.01000000.00000017.sdmp, MusNotificationUx.exe, 00000025.00000002.579596179.00007FF7E997E000.00000002.00000001.01000000.00000017.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: netplwiz.pdbGCTL source: Netplwiz.exe, 0000001A.00000000.430649778.00007FF6D63E4000.00000002.00000001.01000000.0000000F.sdmp, Netplwiz.exe, 0000001A.00000002.454430360.00007FF6D63E4000.00000002.00000001.01000000.0000000F.sdmp, Netplwiz.exe, 00000021.00000000.525832806.00007FF618294000.00000002.00000001.01000000.00000015.sdmp, Netplwiz.exe, 00000021.00000002.548659085.00007FF618294000.00000002.00000001.01000000.00000015.sdmp, Netplwiz.exe.5.dr, Netplwiz.exe0.5.dr
Source: Binary string: OptionalFeatures.pdb source: OptionalFeatures.exe, 0000001F.00000000.489565264.00007FF7638D4000.00000002.00000001.01000000.00000013.sdmp, OptionalFeatures.exe, 0000001F.00000002.512402334.00007FF7638D4000.00000002.00000001.01000000.00000013.sdmp, OptionalFeatures.exe.5.dr
Source: Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 00000025.00000000.554704894.00007FF7E997E000.00000002.00000001.01000000.00000017.sdmp, MusNotificationUx.exe, 00000025.00000002.579596179.00007FF7E997E000.00000002.00000001.01000000.00000017.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 00000016.00000000.402543032.00007FF7243D7000.00000002.00000001.01000000.0000000C.sdmp, mfpmp.exe, 00000016.00000002.426009184.00007FF7243D7000.00000002.00000001.01000000.0000000C.sdmp, mfpmp.exe.5.dr
Source: Binary string: wscript.pdb source: wscript.exe, 00000028.00000000.584120682.00007FF775F85000.00000002.00000001.01000000.0000001A.sdmp, wscript.exe, 00000028.00000002.611169672.00007FF775F85000.00000002.00000001.01000000.0000001A.sdmp, wscript.exe.5.dr
Source: Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 0000001D.00000000.459453459.00007FF7F224C000.00000002.00000001.01000000.00000011.sdmp, RecoveryDrive.exe, 0000001D.00000002.483695697.00007FF7F224C000.00000002.00000001.01000000.00000011.sdmp, RecoveryDrive.exe.5.dr
Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe.5.dr
Source: Binary string: msinfo32.pdbGCTL source: msinfo32.exe.5.dr
Source: Binary string: OptionalFeatures.pdbGCTL source: OptionalFeatures.exe, 0000001F.00000000.489565264.00007FF7638D4000.00000002.00000001.01000000.00000013.sdmp, OptionalFeatures.exe, 0000001F.00000002.512402334.00007FF7638D4000.00000002.00000001.01000000.00000013.sdmp, OptionalFeatures.exe.5.dr
Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe.5.dr
Source: Binary string: MSRA.pdbGCTL source: msra.exe, 00000013.00000000.367253133.00007FF74440C000.00000002.00000001.01000000.0000000A.sdmp, msra.exe, 00000013.00000002.391229137.00007FF74440C000.00000002.00000001.01000000.0000000A.sdmp, msra.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FFFE24FED10 FindFirstFileExW,0_2_00007FFFE24FED10
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443DE800 memset,FindFirstFileW,FindClose,19_2_00007FF7443DE800
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FFFEF9AED10 FindFirstFileExW,19_2_00007FFFEF9AED10
Source: C:\Users\user\AppData\Local\jOnYG\mfpmp.exe, Code function: 22_2_00007FFFF6D2ED10 FindFirstFileExW,22_2_00007FFFF6D2ED10
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F2205458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,29_2_00007FF7F2205458
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21D21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,29_2_00007FF7F21D21CC
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21E6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,29_2_00007FF7F21E6718
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21E57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,29_2_00007FF7F21E57FC
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F2200638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,29_2_00007FF7F2200638
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21FE958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,29_2_00007FF7F21FE958
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F220B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,29_2_00007FF7F220B964
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21E4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,29_2_00007FF7F21E4E28
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FFFF0E1ED10 FindFirstFileExW,29_2_00007FFFF0E1ED10
Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21CB29C memset,GetSystemWindowsDirectoryW,GetLastError,memset,GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapFree,memset,GetVolumeInformationW,LoadStringW,GetProcessHeap,HeapFree,29_2_00007FF7F21CB29C
Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443DA658 CreateStreamOnHGlobal,GetWindowTextW,OpenClipboard,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,??_V@YAXPEAX@Z,19_2_00007FF7443DA658

                      E-Banking Fraud

                      barindex
                      Source: Yara match, File source: 26.2.Netplwiz.exe.7ffff6cd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 29.2.RecoveryDrive.exe.7ffff0dc0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.2.MusNotificationUx.exe.7fffe3390000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 33.2.Netplwiz.exe.7ffff6cd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 19.2.msra.exe.7fffef950000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 40.2.wscript.exe.7fffe3390000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.loaddll64.exe.7fffe24a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 3.2.rundll32.exe.7fffe24a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 9.2.rundll32.exe.7fffe24a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.2.OptionalFeatures.exe.7ffff6cd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 7.2.rundll32.exe.7fffe24a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 22.2.mfpmp.exe.7ffff6cd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.rundll32.exe.7fffe24a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000016.00000002.426087810.00007FFFF6CD1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000028.00000002.611239452.00007FFFE3391000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.269553653.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001D.00000002.483809310.00007FFFF0DC1000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000007.00000002.254908404.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000002.579652462.00007FFFE3391000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000009.00000002.262721560.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000021.00000002.548716546.00007FFFF6CD1000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000002.512496586.00007FFFF6CD1000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000013.00000002.391467819.00007FFFEF951000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000002.357465812.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000003.00000002.248280628.00007FFFE24A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001A.00000002.454470944.00007FFFF6CD1000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
                      Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FA8F4 CryptGetUserKey,CryptStringToBinaryW,GetProcessHeap,HeapAlloc,CryptStringToBinaryW,CryptImportKey,GetProcessHeap,HeapFree,CryptDestroyKey
                      Source: C:\Users\user\AppData\Local\p9w993CR\msra.exe, Code function: 19_2_00007FF7443FAAC4 CryptStringToBinaryW,GetProcessHeap,HeapAlloc,CryptStringToBinaryW,CryptImportKey,CryptDestroyKey,CryptGenKey,CryptExportKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CryptExportKey,CryptBinaryToStringW,GetProcessHeap,HeapAlloc,CryptBinaryToStringW,SysAllocString,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey
                      Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F43E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree
                      Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F84E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext
                      Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F21F4064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey
                      Source: C:\Users\user\AppData\Local\TQg3bhA\RecoveryDrive.exe, Code function: 29_2_00007FF7F2245C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError