
Windows Analysis Report
eWlldJYfLc

Overview

General Information

Sample Name: eWlldJYfLc (renamed file extension from none to dll)
Analysis ID: 595308
MD5: d098d01cbea52f858bce6d0d9faa5b26
SHA1: 952ce9cd899108c2821bf488b98387b6db8424b8
SHA256: 82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7088 cmdline: loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7112 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • sdclt.exe (PID: 3960 cmdline: C:\Windows\system32\sdclt.exe MD5: 0632A8402C6504CD541AC93676AAD0F5)
        • CloudNotifications.exe (PID: 5876 cmdline: C:\Windows\system32\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)
        • CloudNotifications.exe (PID: 2928 cmdline: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)
        • systemreset.exe (PID: 6544 cmdline: C:\Windows\system32\systemreset.exe MD5: 872AE9FE08ED1AA78208678967BE2FEF)
        • Dxpserver.exe (PID: 3500 cmdline: C:\Windows\system32\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)
        • Dxpserver.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)
        • mfpmp.exe (PID: 5604 cmdline: C:\Windows\system32\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • mfpmp.exe (PID: 3464 cmdline: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • msra.exe (PID: 1908 cmdline: C:\Windows\system32\msra.exe MD5: 3240CC226FB8AC41A0431A8F3B9DD770)
        • mstsc.exe (PID: 7132 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • mstsc.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\n0R5g\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • SndVol.exe (PID: 5936 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 5900 cmdline: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
    • rundll32.exe (PID: 5384 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3156 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security

Source: 33.2.mstsc.exe.7ffc74c20000.3.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 35.2.SndVol.exe.7ffc74c20000.3.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 20.2.CloudNotifications.exe.7ffc74c20000.3.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security

                      System Summary

Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7112, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ProcessId: 7132
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

                      AV Detection

Source: eWlldJYfLc.dll, Virustotal: Detection: 67%
Source: eWlldJYfLc.dll, Metadefender: Detection: 60%
Source: eWlldJYfLc.dll, ReversingLabs: Detection: 88%
Source: eWlldJYfLc.dll, Avira: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: eWlldJYfLc.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe, Code function: 26_2_00007FF61310EFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle,
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe, Code function: 26_2_00007FF61310F224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe, Code function: 33_2_00007FF7B877F52C CryptProtectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe, Code function: 33_2_00007FF7B877F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,

                      Exploits

Source: C:\Windows\explorer.exe, File opened: C:\Windows\system32\ntkrnlmp.exe
Source: eWlldJYfLc.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
                      Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
                      Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
                      Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
                      Source: Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
                      Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
                      Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
                      Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
                      Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
                      Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
                      Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
                      Source: Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
                      Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
                      Source: Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
                      Source: Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
                      Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
                      Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
                      Source: Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe, Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe, Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://schemas.micr
Source: svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.320495277.000001BB8E669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321905396.000001BB8E66B000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: DeviceEnroller.exe.4.dr, String found in binary or memory: https://login.windows.net-%s
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320980194.000001BB8E646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321244735.000001BB8E63A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

                      E-Banking Fraud

Source: Yara match, File source: 33.2.mstsc.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 35.2.SndVol.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.CloudNotifications.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 26.2.Dxpserver.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.mfpmp.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match, File source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY

                      System Summary

                      Source: SppExtComObj.Exe.4.drStatic PE information: section name: ?g_Encry
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC671097D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F5020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67127650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712D520
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710A2C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F59F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FAA70
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710CA50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E7880
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67113150
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713B7A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C6790
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712C780
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713EF80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EE7B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DA7D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67134FF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D8FC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E6FE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67140820
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C1010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E4800
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EC030
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F0020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E5050
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710F870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67115840
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FF870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C6E90
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712A6B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C7E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EF6B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F06A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67127EC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67120F30
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E872B
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67125760
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E2F50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713BF6F
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67120770
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DE770
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713C590
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670CC5A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D95C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F25C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D65E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E3610
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F2E10
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670CDE20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C1620
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D8670
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67110650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E49D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67122CA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E4A6
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E4AD
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E4B6
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EAC80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E48B
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712A490
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E494
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D3CD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F5CD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F3CF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67118D20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F0D10
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F1D30
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E3D50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670ED550
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D9D70
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67124390
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67114BC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D23F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D7410
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712E400
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713FC00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67129410
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D5420
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C5C20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC671282A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712AAA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EDAA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67122AE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67127AF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E92C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC671122C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711F2C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E82E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FBAE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EA310
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F0300
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F1B30
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670CBB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C5350
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E3340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D8340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67125B50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F4360
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F9990
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C2980
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DE9B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E11B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EE9A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F21D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E69C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EF1F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F91F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F89F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712B260
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FB250
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C7A40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DD890
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713C8B1
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D08B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713C0EB
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C18D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DE110
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E3910
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670CB100
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F6130
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712B960
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E4140
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67126950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FF740782908
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C87650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C7DDC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C55020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C697D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C73150
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C47880
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C6CA50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C559F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C6A2C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C5BAE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4D550
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C43D50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C39D70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C50D10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C51D30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C78D20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C33CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C53CF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8E494
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8A490
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4AC80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8E48B
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8E4B6
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8E4AD
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8E4A6
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C82CA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8E49D
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C70650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C38670
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C52E10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C43610
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C21620
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C2DE20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C525C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C395C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C365E0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C9C590
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C2C5A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C42F50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C80770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C3E770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C9BF6F
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C85760
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C80F30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4872B
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C87EC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C26E90
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C27E80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4F6B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8A6B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C506A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C45050
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C75840
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C6F870
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C21010
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C44800
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4C030
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C50020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74CA0820
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C3A7D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C38FC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C94FF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C46FE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C26790
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8C780
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C9EF80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4E7B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C9B7A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C86950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C44140
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8B960
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C3E110
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C43910
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C2B100
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C56130
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C218D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C9C0EB
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C3D890
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C308B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C9C8B1
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C5B250
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C27A40
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C8B260
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C521D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C469C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4F1F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C591F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C589F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C59990
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C22980
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C3E9B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C411B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4E9A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C85B50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C25350
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C43340
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C38340
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C54360
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C4A310
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C50300
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C51B30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C2BB20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C492C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C722C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C7F2C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe