
Windows Analysis Report
MqE1p1WFrf.exe

Overview

General Information

Sample Name: MqE1p1WFrf.exe
Analysis ID: 790122
MD5: dd10393642798db29a624785ead8ecec
SHA1: 39aad598cfe75a9d8770fef63b5c81db3acfa3b7
SHA256: 0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
Tags: 32, exe, Rhadamanthys, trojan

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries memory information (via WMI often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • MqE1p1WFrf.exe (PID: 3648 cmdline: C:\Users\user\Desktop\MqE1p1WFrf.exe MD5: DD10393642798DB29A624785EAD8ECEC)
    • rundll32.exe (PID: 3352 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6076 cmdline: C:\Windows\system32\WerFault.exe -u -p 3352 -s 648 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security

Source | Rule | Description | Author
4.3.rundll32.exe.17ed8d50000.9.unpack | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
4.3.rundll32.exe.17ed8ee0000.11.unpack | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
4.3.rundll32.exe.17ed8d50000.8.unpack | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
4.3.rundll32.exe.17ed8e60000.14.unpack | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
1.3.MqE1p1WFrf.exe.2830000.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
No Sigma rule has matched

Timestamp: 01/23/23-21:39:53.428050
Source IP: 192.168.2.5
Destination IP: 179.43.163.126
SID: 2853002
Source Port: 49701
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-21:39:35.293558
Source IP: 179.43.163.126
Destination IP: 192.168.2.5
SID: 2853001
Source Port: 80
Destination Port: 49700
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-21:39:35.266442
Source IP: 192.168.2.5
Destination IP: 179.43.163.126
SID: 2043202
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: MqE1p1WFrf.exe ReversingLabs: Detection: 64%
Source: MqE1p1WFrf.exe Virustotal: Detection: 68%
Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll Virustotal: Detection: 23%
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007DF471DAC06C CryptUnprotectData,4_2_00007DF471DAC06C
Source: MqE1p1WFrf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: Binary string: wkernel32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.325224942.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdb source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp