Windows Analysis Report
eWlldJYfLc

Overview

General Information

Sample Name: eWlldJYfLc (renamed file extension from none to dll)
Analysis ID: 595308
MD5: d098d01cbea52f858bce6d0d9faa5b26
SHA1: 952ce9cd899108c2821bf488b98387b6db8424b8
SHA256: 82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7088 cmdline: loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7112 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • sdclt.exe (PID: 3960 cmdline: C:\Windows\system32\sdclt.exe MD5: 0632A8402C6504CD541AC93676AAD0F5)
        • CloudNotifications.exe (PID: 5876 cmdline: C:\Windows\system32\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)
        • CloudNotifications.exe (PID: 2928 cmdline: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)
        • systemreset.exe (PID: 6544 cmdline: C:\Windows\system32\systemreset.exe MD5: 872AE9FE08ED1AA78208678967BE2FEF)
        • Dxpserver.exe (PID: 3500 cmdline: C:\Windows\system32\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)
        • Dxpserver.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)
        • mfpmp.exe (PID: 5604 cmdline: C:\Windows\system32\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • mfpmp.exe (PID: 3464 cmdline: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • msra.exe (PID: 1908 cmdline: C:\Windows\system32\msra.exe MD5: 3240CC226FB8AC41A0431A8F3B9DD770)
        • mstsc.exe (PID: 7132 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • mstsc.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\n0R5g\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • SndVol.exe (PID: 5936 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 5900 cmdline: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
    • rundll32.exe (PID: 5384 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3156 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security

Source | Rule | Description | Author
33.2.mstsc.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
35.2.SndVol.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
20.2.CloudNotifications.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
8.2.rundll32.exe.7ffc670c0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
2.2.rundll32.exe.7ffc670c0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security

                      System Summary

Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7112, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ProcessId: 7132
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

                      AV Detection

Source: eWlldJYfLc.dll | Virustotal: Detection: 67%
Source: eWlldJYfLc.dll | Metadefender: Detection: 60%
Source: eWlldJYfLc.dll | ReversingLabs: Detection: 88%
Source: eWlldJYfLc.dll | Avira: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: eWlldJYfLc.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF61310EFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF61310F224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B877F52C CryptProtectData,LocalAlloc,LocalFree
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B877F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree
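Read together, the process tree above and the dropped-file list in this section show how the payload reaches its final hosts: genuine Windows executables (CloudNotifications.exe, Dxpserver.exe, mfpmp.exe, mstsc.exe, SndVol.exe) are copied, with unchanged MD5, from System32 into %LOCALAPPDATA%\<random>\; a DLL carrying a system DLL name (dwmapi.dll, MFPlat.DLL, Secur32.dll, UxTheme.dll, ...) is dropped beside each copy; explorer.exe then starts the copy, which resolves the neighbouring DLL before the System32 one because the application directory comes first in the default search order. The Dxpserver.exe and mstsc.exe code functions listed just above therefore belong to unmodified Microsoft binaries; the Avira and ML verdicts fall on the DLLs next to them. The following Python is an added example, not part of the Joe Sandbox report: it runs that reasoning as hunting logic over Sysmon-style events constructed from the report's own paths, PIDs and MD5s (three of the five EXE/DLL pairs in the tree), and also flags the rundll32 ordinal call from the Sigma match. The creating process for the DLL drops is assumed to be explorer.exe; the report shows that only for the CloudNotifications.exe copy.

```python
"""Hunting the DLL side-loading pattern visible in this report.

Added example, not part of the Joe Sandbox report. All events are constructed:
paths, PIDs and MD5s come from the process tree, Sigma matches and dropped-file
list above; field names follow the Sysmon-style keys in the Sigma matches.
Assumption: explorer.exe created every dropped file (the report shows that
only for the CloudNotifications.exe copy).
"""
import ntpath
import re
from collections import defaultdict

SYSTEM_ROOT = "c:\\windows\\"  # simplification: resolve %SystemRoot% on a real host
EXPLORER = r"C:\Windows\explorer.exe"
RUNDLL32_MD5 = "73C519F050C20580F8A62C849D49215A"

def proc(pid, image, parent_image, ppid, md5, cmdline=None):
    """Build a Sysmon EventID 1 style process-creation record."""
    return {"EventID": 1, "ProcessId": pid, "Image": image, "CommandLine": cmdline or image,
            "ParentImage": parent_image, "ParentProcessId": ppid, "Hashes": f"MD5={md5}"}

# Each Windows binary appears twice: from System32 and from a copy under
# %LOCALAPPDATA%\<random>\ with the identical MD5, both children of explorer.exe.
PROCESS_EVENTS = [
    proc(7132, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe", 7112,
         RUNDLL32_MD5, r'rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1'),
    proc(7120, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\loaddll64.exe", 7088,
         RUNDLL32_MD5, r"rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession"),
    proc(5876, r"C:\Windows\system32\CloudNotifications.exe", EXPLORER, 3968,
         "D9FF4C8DBC1682E0508322307CB89C0F"),
    proc(2928, r"C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe", EXPLORER, 3968,
         "D9FF4C8DBC1682E0508322307CB89C0F"),
    proc(3500, r"C:\Windows\system32\Dxpserver.exe", EXPLORER, 3968,
         "DCCB1D350193BE0A26CEAFF602DB848E"),
    proc(1740, r"C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe", EXPLORER, 3968,
         "DCCB1D350193BE0A26CEAFF602DB848E"),
    proc(7132, r"C:\Windows\system32\mstsc.exe", EXPLORER, 3968,
         "3FBB5CD8829E9533D0FF5819DB0444C0"),
    proc(3176, r"C:\Users\user\AppData\Local\n0R5g\mstsc.exe", EXPLORER, 3968,
         "3FBB5CD8829E9533D0FF5819DB0444C0"),
]

# File-creation events (EventID 11 style): the EXE copies from the process
# tree, the DLLs from the AV Detection list of dropped files.
FILE_EVENTS = [
    {"EventID": 11, "Image": EXPLORER, "ProcessId": 3968, "TargetFilename": path}
    for path in (
        r"C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe",
        r"C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe",
        r"C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll",
        r"C:\Users\user\AppData\Local\n0R5g\mstsc.exe",
        r"C:\Users\user\AppData\Local\n0R5g\Secur32.dll",
    )
]

def md5_of(event):
    return event["Hashes"].split("=", 1)[1].upper()

def is_system_path(path):
    return path.lower().startswith(SYSTEM_ROOT)

def masquerading_copies(process_events):
    """Processes whose image name and MD5 match a binary seen running from the
    system root but whose own path lies outside it: a relocated, still-genuine
    Windows executable, which is exactly the host a side-loaded DLL needs."""
    by_name = defaultdict(list)
    for e in process_events:
        by_name[ntpath.basename(e["Image"]).lower()].append(e)
    hits = []
    for events in by_name.values():
        genuine = {md5_of(e) for e in events if is_system_path(e["Image"])}
        hits.extend(e for e in events
                    if not is_system_path(e["Image"]) and md5_of(e) in genuine)
    return hits

def sideload_candidates(relocated, file_events):
    """Map each relocated EXE to the DLLs created in its directory. The
    application directory is searched first, so a dropped file named after a
    system DLL (dwmapi.dll, Secur32.dll, ...) is loaded instead of the real one."""
    dlls_by_dir = defaultdict(list)
    for f in file_events:
        directory, name = ntpath.split(f["TargetFilename"])
        if name.lower().endswith(".dll"):
            dlls_by_dir[directory.lower()].append(name)
    return {e["Image"]: sorted(dlls_by_dir[ntpath.dirname(e["Image"]).lower()])
            for e in relocated}

# rundll32 given an export ordinal (",#1") instead of an export name: the
# pattern behind the "Suspicious Call by Ordinal" Sigma match above.
ORDINAL_CALL = re.compile(r"rundll32(?:\.exe)?\b.*,\s*#\d+", re.IGNORECASE)

def ordinal_rundll32(process_events):
    return [e for e in process_events if ORDINAL_CALL.search(e["CommandLine"])]
```

On these events masquerading_copies() returns the three AppData copies, all with explorer.exe as parent; sideload_candidates() pairs the Dxpserver.exe copy with dwmapi.dll and the mstsc.exe copy with Secur32.dll, and returns an empty list for the CloudNotifications.exe copy because no DLL under R7Mg9 appears in the report; ordinal_rundll32() returns only the PID 7132 rundll32 event. The MD5 match is what separates this pattern from plain masquerading: the EXE is untouched, so the file to pull for analysis is the DLL beside it.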

                      Exploits

Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\ntkrnlmp.exe
Source: eWlldJYfLc.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
                      Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
                      Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
                      Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
                      Source: Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
                      Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
                      Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
                      Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
                      Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
                      Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
                      Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
                      Source: Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
                      Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
                      Source: Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
                      Source: Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
                      Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
                      Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
                      Source: Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711ED10 FindFirstFileExW
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.320495277.000001BB8E669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321905396.000001BB8E66B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: DeviceEnroller.exe.4.dr | String found in binary or memory: https://login.windows.net-%s
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320980194.000001BB8E646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321244735.000001BB8E63A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

                      E-Banking Fraud

Source: Yara match | File source: 33.2.mstsc.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.SndVol.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.CloudNotifications.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.Dxpserver.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.mfpmp.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY

                      System Summary

                      Source: SppExtComObj.Exe.4.drStatic PE information: section name: ?g_Encry
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC671097D0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F5020
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67127650
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712D520
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6710A2C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F59F0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670FAA70
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6710CA50
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E7880
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67113150
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713B7A0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C6790
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712C780
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713EF80
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EE7B0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670DA7D0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67134FF0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D8FC0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E6FE0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67140820
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C1010
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E4800
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EC030
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F0020
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E5050
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6710F870
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67115840
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670FF870
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C6E90
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712A6B0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C7E80
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EF6B0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F06A0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67127EC0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67120F30
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E872B
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67125760
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E2F50
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713BF6F
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67120770
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670DE770
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713C590
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670CC5A0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D95C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F25C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D65E0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E3610
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F2E10
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670CDE20
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C1620
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D8670
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67110650
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E49D
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67122CA0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E4A6
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E4AD
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E4B6
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EAC80
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E48B
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712A490
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E494
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D3CD0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F5CD0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F3CF0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67118D20
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F0D10
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F1D30
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E3D50
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670ED550
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D9D70
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67124390
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67114BC0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D23F0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D7410
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712E400
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713FC00
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67129410
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D5420
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C5C20
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC671282A0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712AAA0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EDAA0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67122AE0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67127AF0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E92C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC671122C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6711F2C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E82E0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670FBAE0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EA310
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F0300
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F1B30
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670CBB20
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C5350
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E3340
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D8340
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67125B50
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F4360
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F9990
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C2980
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670DE9B0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E11B0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EE9A0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F21D0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E69C0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670EF1F0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F91F0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F89F0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712B260
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670FB250
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C7A40
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670DD890
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713C8B1
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670D08B0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6713C0EB
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670C18D0
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670DE110
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E3910
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670CB100
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670F6130
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC6712B960
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC670E4140
Source: C:\Windows\System32\loaddll64.exe    Code function: 0_2_00007FFC67126950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FF740782908
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C87650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C7DDC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C55020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C697D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C73150
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C47880
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C6CA50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C559F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C6A2C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C5BAE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe    Code function: 20_2_00007FFC74C4D550
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe