Edit tour

Windows Analysis Report
0di3x.exe

Overview

General Information

Sample name:	0di3x.exe
Analysis ID:	1597236
MD5:	bd97f762750d0e38e38d5e8f7363f66a
SHA1:	9ae3d7053246289ff908758f9d60d79586f7fc9f
SHA256:	d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
Tags:	exeuser-MrMalware
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

DLL reload attack detected

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Renames NTDLL to bypass HIPS

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to resolve many domain names, but no domain seems valid

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (RtlQueryProcessDebugInformation/HeapInformation)

Contains functionality to communicate with device drivers

Contains functionality to load drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

0di3x.exe (PID: 5780 cmdline: "C:\Users\user\Desktop\0di3x.exe" MD5: BD97F762750D0E38E38D5E8F7363F66A)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

vugfefw (PID: 3648 cmdline: C:\Users\user\AppData\Roaming\vugfefw MD5: BD97F762750D0E38E38D5E8F7363F66A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://roompampamgandish.wtf/", "http://viprasputinsd.chimkent.su/", "http://lupadypa.dagestan.su/", "http://grammmdinss.today/", "http://etasuklavish.today/", "http://mragyzmachnobesdi.today/", "http://kimchinikuzims.today/", "http://slacvostinrius.today/", "http://musaroprovadnikov.live/", "http://straponuliusyn.today/", "http://stoknolimchin.exnet.su/", "http://stolkgolmishutich.termez.su/", "http://teemforyourexprensiti.life/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2159821605.0000000003060000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2159975048.000000000308D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1180:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2433888025.00000000030A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2160234942.0000000004C21000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x414:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2434138713.0000000004BF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x414:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000003.2089030567.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000004.00000002.2432729228.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000004.00000002.2434201803.0000000004D20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x814:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000003.2381448976.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000004.00000002.2434075847.000000000326E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf50:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2158409318.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000000.00000002.2160155593.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x814:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.0di3x.exe.400000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
4.2.vugfefw.400000.0.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0.2.0di3x.exe.3060e50.1.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0.3.0di3x.exe.4be0000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
4.3.vugfefw.30b0000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
4.2.vugfefw.30a0e50.1.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0.2.0di3x.exe.400000.0.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
4.2.vugfefw.400000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\vugfefw, CommandLine: C:\Users\user\AppData\Roaming\vugfefw, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vugfefw, NewProcessName: C:\Users\user\AppData\Roaming\vugfefw, OriginalFileName: C:\Users\user\AppData\Roaming\vugfefw, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\vugfefw, ProcessId: 3648, ProcessName: vugfefw

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0di3x.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://etasuklavish.today/	Avira URL Cloud: Label: malware
Source: http://roompampamgandish.wtf/	Avira URL Cloud: Label: malware
Source: http://stolkgolmishutich.termez.su/	Avira URL Cloud: Label: malware
Source: http://grammmdinss.today/	Avira URL Cloud: Label: malware
Source: http://kimchinikuzims.today/	Avira URL Cloud: Label: malware
Source: http://straponuliusyn.today/	Avira URL Cloud: Label: malware
Source: http://slacvostinrius.today/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\vugfefw

Avira: detection malicious, Label: HEUR/AGEN.1317257

Found malware configuration

Source: 00000000.00000002.2160234942.0000000004C21000.00000004.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://roompampamgandish.wtf/", "http://viprasputinsd.chimkent.su/", "http://lupadypa.dagestan.su/", "http://grammmdinss.today/", "http://etasuklavish.today/", "http://mragyzmachnobesdi.today/", "http://kimchinikuzims.today/", "http://slacvostinrius.today/", "http://musaroprovadnikov.live/", "http://straponuliusyn.today/", "http://stoknolimchin.exnet.su/", "http://stolkgolmishutich.termez.su/", "http://teemforyourexprensiti.life/"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vugfefw

ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: 0di3x.exe	Virustotal: Detection: 77%			Perma Link
Source: 0di3x.exe	ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vugfefw

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0di3x.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD6E8C2 MD5Update,MD5Update,MD5Final,

0_2_6CD6E8C2

Source: 0di3x.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\0di3x.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: 0di3x.exe, 00000000.00000002.2160432184.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, vugfefw, 00000004.00000002.2434286704.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, 2F6.tmp.0.dr
Source:	Binary string: wntdll.pdb source: 0di3x.exe, 0di3x.exe, 00000000.00000002.2160432184.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, vugfefw, 00000004.00000002.2434286704.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, 2F6.tmp.0.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://roompampamgandish.wtf/
Source: Malware configuration extractor	URLs: http://viprasputinsd.chimkent.su/
Source: Malware configuration extractor	URLs: http://lupadypa.dagestan.su/
Source: Malware configuration extractor	URLs: http://grammmdinss.today/
Source: Malware configuration extractor	URLs: http://etasuklavish.today/
Source: Malware configuration extractor	URLs: http://mragyzmachnobesdi.today/
Source: Malware configuration extractor	URLs: http://kimchinikuzims.today/
Source: Malware configuration extractor	URLs: http://slacvostinrius.today/
Source: Malware configuration extractor	URLs: http://musaroprovadnikov.live/
Source: Malware configuration extractor	URLs: http://straponuliusyn.today/
Source: Malware configuration extractor	URLs: http://stoknolimchin.exnet.su/
Source: Malware configuration extractor	URLs: http://stolkgolmishutich.termez.su/
Source: Malware configuration extractor	URLs: http://teemforyourexprensiti.life/

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: mragyzmachnobesdi.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: stoknolimchin.exnet.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: viprasputinsd.chimkent.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: straponuliusyn.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: grammmdinss.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lupadypa.dagestan.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: etasuklavish.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: musaroprovadnikov.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: teemforyourexprensiti.life replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: stolkgolmishutich.termez.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kimchinikuzims.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slacvostinrius.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: roompampamgandish.wtf replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: mragyzmachnobesdi.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: stoknolimchin.exnet.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: viprasputinsd.chimkent.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: straponuliusyn.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: grammmdinss.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lupadypa.dagestan.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: etasuklavish.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: musaroprovadnikov.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: teemforyourexprensiti.life replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: stolkgolmishutich.termez.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kimchinikuzims.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slacvostinrius.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: roompampamgandish.wtf replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: etasuklavish.today
Source: global traffic	DNS traffic detected: DNS query: mragyzmachnobesdi.today
Source: global traffic	DNS traffic detected: DNS query: kimchinikuzims.today
Source: global traffic	DNS traffic detected: DNS query: slacvostinrius.today
Source: global traffic	DNS traffic detected: DNS query: straponuliusyn.today
Source: global traffic	DNS traffic detected: DNS query: grammmdinss.today
Source: global traffic	DNS traffic detected: DNS query: viprasputinsd.chimkent.su
Source: global traffic	DNS traffic detected: DNS query: lupadypa.dagestan.su
Source: global traffic	DNS traffic detected: DNS query: stoknolimchin.exnet.su
Source: global traffic	DNS traffic detected: DNS query: musaroprovadnikov.live
Source: global traffic	DNS traffic detected: DNS query: teemforyourexprensiti.life
Source: global traffic	DNS traffic detected: DNS query: stolkgolmishutich.termez.su
Source: global traffic	DNS traffic detected: DNS query: roompampamgandish.wtf

Source: explorer.exe, 00000002.00000000.2144986139.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2144986139.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2140801063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2144986139.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2144986139.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2144986139.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2144986139.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2144484508.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2143952574.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2144452960.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2148288497.000000000C8B8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.2147329681.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2143084656.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2143084656.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2142001036.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2147329681.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2144986139.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2144986139.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.0di3x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0di3x.exe.3060e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0di3x.exe.4be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.vugfefw.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0di3x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089030567.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2432729228.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2381448976.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2158409318.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2159821605.0000000003060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2159975048.000000000308D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2433888025.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2160234942.0000000004C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2434138713.0000000004BF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2434201803.0000000004D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2434075847.000000000326E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2160155593.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401355 NtAllocateVirtualMemory,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,Sleep,Sleep,NtTerminateProcess,	0_2_00401355
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_004013DD NtAllocateVirtualMemory,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,Sleep,Sleep,NtTerminateProcess,	0_2_004013DD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_0040135C NtAllocateVirtualMemory,	0_2_0040135C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401367 NtAllocateVirtualMemory,	0_2_00401367
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_0040186D Sleep,Sleep,NtTerminateProcess,	0_2_0040186D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401878 Sleep,Sleep,NtTerminateProcess,	0_2_00401878
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401E02 NtQuerySystemInformation,NtOpenKey,NtEnumerateKey,	0_2_00401E02
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401408 NtAllocateVirtualMemory,	0_2_00401408
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_004013E8 NtAllocateVirtualMemory,	0_2_004013E8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_004013F3 NtAllocateVirtualMemory,	0_2_004013F3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401883 Sleep,Sleep,NtTerminateProcess,	0_2_00401883
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401386 NtAllocateVirtualMemory,	0_2_00401386
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C0A NtQueryInformationProcess,LdrInitializeThunk,	0_2_6CD22C0A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22DF0 ZwQuerySystemInformation,LdrInitializeThunk,	0_2_6CD22DF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22DB0 ZwEnumerateKey,LdrInitializeThunk,	0_2_6CD22DB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D10 ZwMapViewOfSection,LdrInitializeThunk,	0_2_6CD22D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E50 ZwDuplicateObject,LdrInitializeThunk,	0_2_6CD22E50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F30 ZwCreateSection,LdrInitializeThunk,	0_2_6CD22F30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22BF0 ZwAllocateVirtualMemory,LdrInitializeThunk,	0_2_6CD22BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B90 ZwOpenKey,LdrInitializeThunk,	0_2_6CD22B90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22CD0 ZwOpenThreadToken,	0_2_6CD22CD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD38CD0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,	0_2_6CD38CD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCCC8 memset,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,RtlInitUnicodeString,RtlCultureNameToLCID,RtlInitUnicodeString,RtlCultureNameToLCID,	0_2_6CCDCCC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7ACD0 RtlQueryCriticalSectionOwner,ZwReadVirtualMemory,RtlQueryCriticalSectionOwner,	0_2_6CD7ACD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22CC0 ZwQueryVirtualMemory,	0_2_6CD22CC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB0CC0 EtwRegisterSecurityProvider,ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CDB0CC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6ACC8 ZwClose,ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,	0_2_6CD6ACC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12CF0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx,	0_2_6CD12CF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22CF0 ZwOpenProcess,	0_2_6CD22CF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22CE0 ZwQueryInformationThread,	0_2_6CD22CE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8C8D RtlFreeHeap,ZwSetEvent,ZwAlertThreadByThreadId,	0_2_6CCD8C8D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C90 ZwReleaseMutant,	0_2_6CD22C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C80 ZwImpersonateClientOfPort,	0_2_6CD22C80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD08CB1 RtlInitUnicodeString,ZwQueryLicenseValue,RtlAllocateHeap,ZwQueryLicenseValue,RtlFreeHeap,	0_2_6CD08CB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22CB0 ZwRequestWaitReplyPort,	0_2_6CD22CB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22CA0 ZwQueryInformationToken,	0_2_6CD22CA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CCA0 RtlAppxIsFileOwnedByTrustedInstaller,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlGetOwnerSecurityDescriptor,RtlCreateServiceSid,RtlAllocateHeap,RtlCreateServiceSid,RtlEqualSid,RtlFreeHeap,RtlFreeHeap,	0_2_6CD5CCA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66CA0 RtlCreateQueryDebugBuffer,ZwCreateSection,ZwMapViewOfSection,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,ZwFreeVirtualMemory,ZwFreeVirtualMemory,ZwUnmapViewOfSection,ZwClose,	0_2_6CD66CA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C50 ZwSetInformationProcess,	0_2_6CD22C50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C40 ZwWriteFileGather,	0_2_6CD22C40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24C40 RtlUnhandledExceptionFilter,ZwTerminateProcess,	0_2_6CD24C40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 LdrpResGetMappingSize,RtlImageNtHeaderEx,ZwQueryVirtualMemory,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C70 ZwFreeVirtualMemory,	0_2_6CD22C70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C60 ZwCreateKey,	0_2_6CD22C60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6EC65 ZwWow64CsrCaptureMessageString,	0_2_6CD6EC65
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1AC00 RtlpCheckDynamicTimeZoneInformation,memcmp,ZwClose,	0_2_6CD1AC00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C00 ZwQueryInformationProcess,	0_2_6CD22C00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22C30 ZwWaitForMultipleObjects32,	0_2_6CD22C30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24C30 RtlUnhandledExceptionFilter,ZwTerminateProcess,	0_2_6CD24C30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlCultureNameToLCID,RtlAllocateHeap,RtlReAllocateHeap,memcpy,memset,ZwQueryDirectoryFile,ZwClose,RtlFreeHeap,RtlFreeHeap,	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEC20 TpSetPoolWorkerThreadIdleTimeout,ZwSetInformationWorkerFactory,	0_2_6CCDEC20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64DD7 DbgPrint,DbgPrompt,ZwTerminateThread,ZwTerminateProcess,DbgPrint,	0_2_6CD64DD7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22DD0 ZwDelayExecution,	0_2_6CD22DD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EDD3 RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,	0_2_6CD0EDD3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22DC0 ZwOpenFile,	0_2_6CD22DC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4DC4 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,	0_2_6CDB4DC4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD80DF0 RtlCheckBootStatusIntegrity,ZwReadFile,RtlAllocateHeap,ZwReadFile,RtlFreeHeap,	0_2_6CD80DF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8ADF0 RtlConnectToSm,RtlInitUnicodeString,memset,memcpy,ZwAlpcConnectPort,	0_2_6CD8ADF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD00DE1 RtlAcquireSRWLockExclusive,RtlAllocateHeap,memcpy,ZwSetInformationProcess,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CD00DE1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22DE0 ZwQueryDirectoryFile,	0_2_6CD22DE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96DE0 RtlIsPartialPlaceholderFileHandle,ZwQueryInformationFile,	0_2_6CD96DE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D90 ZwOpenProcessTokenEx,	0_2_6CD22D90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD68D87 RtlAppendUnicodeStringToString,ZwOpenKey,	0_2_6CD68D87
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D80 ZwOpenThreadTokenEx,	0_2_6CD22D80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CDB1 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwQueryInformationProcess,RtlRaiseStatus,RtlFreeHeap,LdrControlFlowGuardEnforced,RtlFreeHeap,	0_2_6CD1CDB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD70DB0 RtlSetImageMitigationPolicy,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,ZwOpenKey,ZwDeleteValueKey,ZwDeleteValueKey,ZwQueryValueKey,memcpy,ZwSetValueKey,RtlSetImageMitigationPolicy,ZwClose,	0_2_6CD70DB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8DA4 RtlInitializeCriticalSectionEx,ZwDelayExecution,	0_2_6CCE8DA4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22DA0 ZwQueryPerformanceCounter,	0_2_6CD22DA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D50 ZwTerminateProcess,	0_2_6CD22D50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D40 ZwReplyWaitReceivePortEx,	0_2_6CD22D40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CD47 ZwCancelWaitCompletionPacket,RtlDebugPrintTimes,	0_2_6CD1CD47
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0D59 memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,	0_2_6CCE0D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D70 ZwReadFileScatter,	0_2_6CD22D70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD00D77 ZwProtectVirtualMemory,	0_2_6CD00D77
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D60 ZwSetEventBoostPriority,	0_2_6CD22D60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD38D10 RtlRaiseStatus,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,	0_2_6CD38D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D00 ZwSetInformationFile,	0_2_6CD22D00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB0D00 EtwWriteUMSecurityEvent,ZwTraceEvent,RtlNtStatusToDosError,	0_2_6CDB0D00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD6D10 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,LdrQueryImageFileKeyOption,	0_2_6CCD6D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D30 ZwUnmapViewOfSection,	0_2_6CD22D30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD88D31 RtlInitUnicodeString,memset,RtlAppendUnicodeStringToString,RtlAppendUnicodeStringToString,ZwOpenKey,ZwQueryValueKey,_allmul,ZwClose,	0_2_6CD88D31
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64D39 RtlReportSilentProcessExit,ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,ZwTerminateProcess,	0_2_6CD64D39
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22D20 ZwAccessCheckAndAuditAlarm,	0_2_6CD22D20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6AD20 ZwDuplicateObject,ZwDuplicateObject,	0_2_6CD6AD20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96D21 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,	0_2_6CD96D21
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22ED0 ZwQueryDefaultUILanguage,	0_2_6CD22ED0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22EC0 ZwContinue,	0_2_6CD22EC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22EF0 ZwYieldExecution,	0_2_6CD22EF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB0EF0 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,	0_2_6CDB0EF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22EE0 ZwQueueApcThread,	0_2_6CD22EE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E90 ZwOpenEvent,	0_2_6CD22E90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD88E90 memcpy,ZwUnmapViewOfSection,ZwMapViewOfSection,memcpy,	0_2_6CD88E90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E80 ZwReadVirtualMemory,	0_2_6CD22E80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDAE90 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,TpReleasePool,	0_2_6CCDAE90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22EB0 ZwDuplicateToken,	0_2_6CD22EB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AEB0 RtlpNotOwnerCriticalSection,DbgPrintEx,ZwQueryInformationProcess,RtlRaiseStatus,RtlRaiseStatus,RtlDebugPrintTimes,RtlpNotOwnerCriticalSection,	0_2_6CD7AEB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22EA0 ZwAdjustPrivilegesToken,	0_2_6CD22EA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CEA0 LdrAddDllDirectory,RtlDetermineDosPathNameType_U,ZwQueryAttributesFile,RtlFreeHeap,RtlAllocateHeap,memcpy,RtlAcquireSRWLockExclusive,@_EH4_CallFilterFunc@8,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,LdrAddDllDirectory,	0_2_6CD6CEA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14E50 RtlDecodePointer,RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CD14E50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16E50 RtlAdjustPrivilege,ZwOpenProcessToken,ZwAdjustPrivilegesToken,ZwClose,ZwOpenThreadToken,RtlAdjustPrivilege,	0_2_6CD16E50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66E50 RtlDestroyQueryDebugBuffer,ZwClose,ZwUnmapViewOfSection,	0_2_6CD66E50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4E52 ZwAlertThreadByThreadId,	0_2_6CDB4E52
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E40 ZwCloseObjectAuditAlarm,	0_2_6CD22E40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94E4D ZwQueryPerformanceCounter,RtlRandomEx,	0_2_6CD94E4D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9CE4E memset,memset,memset,ZwQueryInstallUILanguage,ZwIsUILanguageComitted,RtlLCIDToCultureName,ZwQueryValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,RtlInitUnicodeString,ZwQueryValueKey,ZwEnumerateValueKey,RtlCompareUnicodeStrings,RtlCompareUnicodeStrings,	0_2_6CD9CE4E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E70 ZwClearEvent,	0_2_6CD22E70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD60E7F RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_6CD60E7F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAAE75 ZwFreeVirtualMemory,RtlAcquireSRWLockExclusive,RtlRbRemoveNode,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CDAAE75
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E60 ZwQueryAttributesFile,	0_2_6CD22E60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9EE6D memset,ZwCreateSection,ZwClose,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwUnmapViewOfSection,ZwClose,	0_2_6CD9EE6D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8E6C memset,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,memset,ZwGetContextThread,	0_2_6CDB8E6C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6E71 RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,	0_2_6CCE6E71
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD68E16 ZwOpenProcessTokenEx,ZwQueryInformationToken,ZwClose,RtlConvertSidToUnicodeString,	0_2_6CD68E16
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E10 ZwQueryTimer,	0_2_6CD22E10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CE16 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,	0_2_6CD5CE16
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6EE10 AlpcAdjustCompletionListConcurrencyCount,ZwAlpcSetInformation,	0_2_6CD6EE10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18E1A RtlReleaseActivationContext,LdrUnloadDll,ZwClose,RtlFreeHeap,	0_2_6CD18E1A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8E1D RtlFreeHeap,ZwSetEvent,ZwClose,	0_2_6CCD8E1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E00 ZwOpenSection,	0_2_6CD22E00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E30 ZwWriteVirtualMemory,	0_2_6CD22E30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA0E3D ZwQuerySystemInformation,	0_2_6CDA0E3D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22E20 ZwFsControlFile,	0_2_6CD22E20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24E20 KiUserApcDispatcher,RtlDebugPrintTimes,RtlDebugPrintTimes,ZwContinue,RtlRaiseStatus,	0_2_6CD24E20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22FD0 ZwReadRequestData,	0_2_6CD22FD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9AFD0 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,	0_2_6CD9AFD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22FC0 ZwTerminateThread,	0_2_6CD22FC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEFD8 RtlRunOnceExecuteOnce,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_6CCDEFD8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AFCE ZwQueryInformationProcess,RtlRaiseStatus,RtlCaptureContext,ZwQueryInformationProcess,RtlRaiseException,	0_2_6CD7AFCE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14FF1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,	0_2_6CD14FF1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22FF0 ZwQueryEvent,	0_2_6CD22FF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20FF6 RtlAllocateHeap,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlFreeHeap,	0_2_6CD20FF6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22FE0 ZwCreateFile,	0_2_6CD22FE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66FE0 RtlQueryProcessDebugInformation,memset,ZwOpenProcess,ZwOpenProcess,RtlWow64GetProcessMachines,ZwClose,ZwClose,ZwWow64CallFunction64,RtlpQueryProcessDebugInformationRemote,ZwWaitForSingleObject,ZwQueryInformationThread,ZwTerminateThread,ZwClose,ZwClose,RtlQueryProcessBackTraceInformation,RtlQueryProcessLockInformation,RtlQueryProcessHeapInformation,ZwClose,	0_2_6CD66FE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4FE7 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CDB4FE7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F90 ZwProtectVirtualMemory,	0_2_6CD22F90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12F98 memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose,	0_2_6CD12F98
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F80 ZwIsProcessInJob,	0_2_6CD22F80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24F80 KiUserExceptionDispatcher,RtlDebugPrintTimes,ZwContinue,ZwRaiseException,RtlRaiseException,	0_2_6CD24F80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB0F88 ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CDB0F88
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB6F80 PssNtFreeRemoteSnapshot,ZwReadVirtualMemory,ZwFreeVirtualMemory,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwFreeVirtualMemory,	0_2_6CDB6F80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22FB0 ZwResumeThread,	0_2_6CD22FB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1AFB8 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,ZwEnumerateValueKey,DbgPrint,ZwDeleteValueKey,RtlDebugPrintTimes,ZwDeleteValueKey,DbgPrint,ZwClose,	0_2_6CD1AFB8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22FA0 ZwQuerySection,	0_2_6CD22FA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F50 ZwApphelpCacheControl,	0_2_6CD22F50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4F5C ZwTerminateProcess,	0_2_6CDB4F5C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD80F50 RtlCreateBootStatusDataFile,RtlInitUnicodeString,RtlInitUnicodeString,ZwCreateFile,ZwWriteFile,RtlRestoreBootStatusDefaults,ZwClose,RtlFreeHeap,	0_2_6CD80F50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96F50 RtlIsCurrentThread,ZwCompareObjects,	0_2_6CD96F50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18F40 RtlUnwind,ZwContinue,RtlUnwind,RtlRaiseException,RtlRaiseException,RtlRaiseException,ZwContinue,ZwRaiseException,	0_2_6CD18F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F40 ZwFlushBuffersFile,	0_2_6CD22F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F70 ZwCreateThread,	0_2_6CD22F70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6AF7A ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,	0_2_6CD6AF7A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F60 ZwCreateProcessEx,	0_2_6CD22F60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4F68 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CDB4F68
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8AF60 RtlSendMsgToSm,ZwAlpcSendWaitReceivePort,	0_2_6CD8AF60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F10 ZwCreateEvent,	0_2_6CD22F10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24F10 KiUserCallbackDispatcher,RtlDebugPrintTimes,RtlDebugPrintTimes,ZwCallbackReturn,RtlRaiseStatus,	0_2_6CD24F10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F00 ZwAddAtom,	0_2_6CD22F00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20F04 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,	0_2_6CD20F04
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD80F00 RtlCheckSystemBootStatusIntegrity,ZwPowerInformation,	0_2_6CD80F00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94F00 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,ZwQueryPerformanceCounter,ZwQueryPerformanceCounter,	0_2_6CD94F00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22F20 ZwQueryVolumeInformationFile,	0_2_6CD22F20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96F20 RtlIsCurrentProcess,ZwCompareObjects,	0_2_6CD96F20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD248D0 ZwWow64QueryInformationProcess64,	0_2_6CD248D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD248C0 ZwWow64GetNativeSystemInformation,	0_2_6CD248C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD248F0 ZwWow64ReadVirtualMemory64,	0_2_6CD248F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDE8E0 RtlQueryWnfStateData,_alloca_probe_16,ZwQueryWnfStateData,RtlDebugPrintTimes,	0_2_6CCDE8E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD248E0 ZwWow64AllocateVirtualMemory64,	0_2_6CD248E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 RtlDetermineDosPathNameType_U,RtlDetermineDosPathNameType_U,ZwTerminateProcess,ZwWaitForAlertByThreadId,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlGetCurrentServiceSessionId,RtlCreateUnicodeString,RtlCreateUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD168EF ZwUnmapViewOfSection,	0_2_6CD168EF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24890 ZwWow64CsrVerifyRegion,	0_2_6CD24890
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0887 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,ZwSubscribeWnfStateChange,RtlGetCurrentServiceSessionId,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CCE0887
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C89D RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CD6C89D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24880 ZwWow64CsrGetProcessId,	0_2_6CD24880
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4887 ZwSetInformationWorkerFactory,	0_2_6CDB4887
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD248B0 ZwWow64GetCurrentProcessorNumberEx,	0_2_6CD248B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C8B7 ZwTraceControl,	0_2_6CD1C8B7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD248A0 ZwWow64DebuggerCall,	0_2_6CD248A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24850 ZwWow64CsrAllocateMessagePointer,	0_2_6CD24850
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA685D ZwGetCurrentProcessorNumber,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CDA685D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7A85E RtlInitializeSid,ZwQueryInformationToken,RtlSidDominates,RtlSidDominates,ZwPrivilegeCheck,	0_2_6CD7A85E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24840 ZwWow64CsrFreeCaptureBuffer,	0_2_6CD24840
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA0840 ZwCreateSection,ZwMapViewOfSection,memset,memcpy,ZwUnmapViewOfSection,ZwClose,	0_2_6CDA0840
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24870 ZwWow64CsrCaptureMessageString,	0_2_6CD24870
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24860 ZwWow64CsrCaptureMessageBuffer,	0_2_6CD24860
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24810 ZwWow64CsrIdentifyAlertableThread,	0_2_6CD24810
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C810 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CD6C810
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24800 ZwWow64CsrClientConnectToServer,	0_2_6CD24800
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20800 ZwAllocateVirtualMemory,memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,	0_2_6CD20800
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6A800 RtlEncodeRemotePointer,ZwQueryInformationProcess,	0_2_6CD6A800
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24830 ZwWow64CsrAllocateCaptureBuffer,	0_2_6CD24830
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEE820 RtlLeaveCriticalSection,RtlpNotOwnerCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,RtlRaiseStatus,LdrRscIsTypeExist,	0_2_6CCEE820
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16820 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,	0_2_6CD16820
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24820 ZwWow64CsrClientCallServer,	0_2_6CD24820
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD769C0 RtlGetSessionProperties,RtlGetCurrentServiceSessionId,ZwQueryInformationJobObject,	0_2_6CD769C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD129F9 DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap,	0_2_6CD129F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA29F3 ZwAllocateVirtualMemoryEx,	0_2_6CDA29F3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE49FF ZwSetInformationWorkerFactory,	0_2_6CCE49FF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6A9E0 RtlReportExceptionEx,RtlReportException,ZwDuplicateObject,ZwDuplicateObject,memset,ZwTerminateProcess,	0_2_6CD6A9E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E9E0 RtlComputeImportTableHash,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,RtlAddressInSectionTable,RtlAllocateHeap,ZwUnmapViewOfSection,RtlFlushSecureMemoryCache,ZwUnmapViewOfSection,	0_2_6CD6E9E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAA987 ZwQueryVirtualMemory,ZwProtectVirtualMemory,	0_2_6CDAA987
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD229B3 ZwWaitForAlertByThreadId,	0_2_6CD229B3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD889B4 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CD889B4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD649B8 ZwQueryInformationProcess,ZwMapViewOfSection,ZwClose,	0_2_6CD649B8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A9A0 RtlReleaseResource,ZwReleaseSemaphore,RtlRaiseStatus,ZwQueryValueKey,ZwReleaseSemaphore,RtlRaiseStatus,ZwClose,	0_2_6CD1A9A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB6940 PssNtCaptureSnapshot,ZwAllocateVirtualMemory,memset,PssNtFreeSnapshot,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,ZwCreateProcessEx,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PssNtFreeSnapshot,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_6CDB6940
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96970 RtlInitializeContext,ZwWriteVirtualMemory,	0_2_6CD96970
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C97C RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CD6C97C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD06962 ZwQueryInformationToken,RtlFindAceByType,RtlFindAceByType,RtlFindAceByType,RtlAllocateHeap,memcpy,memcpy,memcpy,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlCreateSecurityDescriptor,RtlFreeHeap,RtlCreateAcl,RtlAddMandatoryAce,RtlFreeHeap,memcpy,RtlFreeHeap,RtlSidDominates,RtlFreeHeap,RtlFreeHeap,RtlFindAceByType,ZwDuplicateToken,ZwAccessCheck,ZwClose,ZwPrivilegeCheck,ZwPrivilegeCheck,RtlFreeHeap,memset,memset,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CD06962
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2096E memset,memset,ZwQuerySystemInformation,ZwQueryInformationThread,ZwQueryInformationThread,ZwQuerySystemInformation,RtlAllocateHeap,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memcpy,memcpy,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memset,ZwWriteFile,RtlFreeHeap,ZwClose,ZwReadFile,ZwWriteFile,RtlQueryPerformanceCounter,RtlQueryPerformanceCounter,memcpy,ZwQueryVolumeInformationFile,ZwSetInformationFile,	0_2_6CD2096E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0096D ZwWow64IsProcessorFeaturePresent,	0_2_6CD0096D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24910 ZwWow64CallFunction64,	0_2_6CD24910
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C912 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CD6C912
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24900 ZwWow64WriteVirtualMemory64,	0_2_6CD24900
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64908 RtlAllocateHeap,ZwQueryVirtualMemory,RtlFreeHeap,	0_2_6CD64908
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24930 DbgPrintEx,ZwTerminateProcess,	0_2_6CD24930
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFE920 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,	0_2_6CCFE920
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24920 ZwWow64IsProcessorFeaturePresent,	0_2_6CD24920
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8927 ZwDuplicateObject,ZwQueryObject,ZwClose,memset,_wcsicmp,ZwQueryObject,ZwQueryObject,_wcsicmp,ZwClose,RtlDebugPrintTimes,RtlDebugPrintTimes,	0_2_6CDB8927
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22AD0 ZwReadFile,	0_2_6CD22AD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22AC0 ZwCallbackReturn,	0_2_6CD22AC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9AACD ZwFreeVirtualMemory,	0_2_6CD9AACD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD36ACC memset,ZwQueryWnfStateData,RtlFreeHeap,RtlAllocateHeap,ZwQueryWnfStateData,ZwQueryWnfStateData,RtlFreeHeap,	0_2_6CD36ACC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22AF0 ZwWriteFile,	0_2_6CD22AF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8EAF0 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,	0_2_6CD8EAF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22AE0 ZwDeviceIoControlFile,	0_2_6CD22AE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AAE0 RtlConvertExclusiveToShared,ZwReleaseSemaphore,RtlRaiseStatus,	0_2_6CD7AAE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9AA98 ZwAllocateVirtualMemory,	0_2_6CD9AA98
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22A90 ZwAcceptConnectPort,	0_2_6CD22A90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22A80 ZwWorkerFactoryWorkerReady,	0_2_6CD22A80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22AB0 ZwWaitForSingleObject,	0_2_6CD22AB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22AA0 ZwMapUserPhysicalPagesScatter,	0_2_6CD22AA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA2AAC ZwQuerySystemInformation,	0_2_6CDA2AAC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD72AA9 ZwEnumerateValueKey,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,RtlCompareUnicodeString,RtlCompareUnicodeString,ZwEnumerateKey,ZwOpenKey,ZwClose,	0_2_6CD72AA9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB0A50 EtwEventWriteString,ZwTraceEvent,RtlNtStatusToDosError,	0_2_6CDB0A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1AA45 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CD1AA45
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 RtlAcquireSRWLockExclusive,RtlDebugPrintTimes,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22A70 ZwAccessCheck,	0_2_6CD22A70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CA72 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,	0_2_6CD5CA72
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2A70 EtwSendNotification,ZwTraceControl,RtlNtStatusToDosError,ZwClose,	0_2_6CDB2A70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94A63 ZwQuerySystemInformation,RtlAllocateHeap,RtlFreeHeap,RtlAllocateHeap,	0_2_6CD94A63
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEA0C ZwCreateEvent,TpAllocWait,ZwSetWnfProcessNotificationEvent,TpSetWaitEx,TpReleaseWait,ZwClose,	0_2_6CCDEA0C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CA11 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CD6CA11
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD72A03 ZwDeleteKey,ZwClose,	0_2_6CD72A03
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD60A0E RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException,	0_2_6CD60A0E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96A30 RtlRemoteCall,LdrControlFlowGuardEnforced,ZwSuspendThread,ZwGetContextThread,ZwResumeThread,ZwWriteVirtualMemory,ZwResumeThread,memcpy,memcpy,ZwWriteVirtualMemory,ZwSetContextThread,ZwResumeThread,	0_2_6CD96A30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2A30 EtwReplyNotification,ZwTraceControl,RtlNtStatusToDosError,	0_2_6CDB2A30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22BD0 ZwQueryKey,	0_2_6CD22BD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0BCD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,	0_2_6CCE0BCD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6EBD0 CsrCaptureMessageMultiUnicodeStringsInPlace,ZwWow64CsrAllocateCaptureBuffer,	0_2_6CD6EBD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22BC0 ZwQueryDefaultLocale,	0_2_6CD22BC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96BFC ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,	0_2_6CD96BFC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CBF0 RtlAcquireSRWLockShared,RtlReleaseSRWLockShared,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,	0_2_6CD6CBF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EBFC RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,	0_2_6CD0EBFC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22BE0 ZwQueryValueKey,	0_2_6CD22BE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8B98 ZwGetNextThread,ZwAllocateVirtualMemory,ZwGetNextThread,RtlGetExtendedContextLength,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwUnmapViewOfSection,ZwUnmapViewOfSection,	0_2_6CDB8B98
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B80 ZwQueryInformationFile,	0_2_6CD22B80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAEB89 ZwFreeVirtualMemory,	0_2_6CDAEB89
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22BB0 ZwFindAtom,	0_2_6CD22BB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CBB0 ZwSetEvent,	0_2_6CD6CBB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEBA6 ZwOpenFile,memcmp,ZwQueryInformationThread,TpWaitForWork,TpReleaseWork,	0_2_6CCDEBA6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22BA0 ZwEnumerateValueKey,	0_2_6CD22BA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B50 ZwSetEvent,	0_2_6CD22B50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CB5D RtlGetPersistedStateLocation,ZwOpenKeyEx,	0_2_6CD5CB5D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8EB50 RtlRegisterSecureMemoryCacheCallback,ZwQuerySystemInformation,RtlAllocateHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CD8EB50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2B57 RtlAllocateHeap,RtlAllocateHeap,ZwTraceControl,RtlNtStatusToDosError,ZwTraceControl,RtlFreeHeap,RtlFreeHeap,	0_2_6CDB2B57
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B40 ZwSetInformationThread,	0_2_6CD22B40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76B40 RtlIsUntrustedObject,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlFindAceByType,RtlFreeHeap,	0_2_6CD76B40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AB40 RtlConvertSharedToExclusive,ZwReleaseSemaphore,RtlRaiseStatus,ZwReleaseSemaphore,RtlRaiseStatus,RtlAcquireResourceExclusive,	0_2_6CD7AB40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8B50 RtlDeleteTimerQueueEx,RtlAcquireSRWLockExclusive,TpTimerOutstandingCallbackCount,TpReleaseTimer,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,ZwWaitForAlertByThreadId,	0_2_6CCD8B50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B70 ZwQueryObject,	0_2_6CD22B70
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B60 ZwClose,	0_2_6CD22B60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9CB64 memset,RtlInitUnicodeString,RtlInitUnicodeString,ZwEnumerateValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,	0_2_6CD9CB64
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B10 ZwReleaseSemaphore,	0_2_6CD22B10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B00 ZwRemoveIoCompletion,	0_2_6CD22B00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDACB09 ZwQueryVirtualMemory,	0_2_6CDACB09
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B30 ZwReplyPort,	0_2_6CD22B30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EB20 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,	0_2_6CD0EB20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22B20 ZwReplyWaitReceivePort,	0_2_6CD22B20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDAB30 RtlCreateMemoryZone,ZwAllocateVirtualMemory,	0_2_6CCDAB30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD244D0 ZwSetLowEventPair,	0_2_6CD244D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD244C0 ZwSetLdtEntries,	0_2_6CD244C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD244F0 ZwSetQuotaInformationFile,	0_2_6CD244F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8E4FD ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,ZwOpenFile,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,ZwSetSecurityObject,ZwClose,ZwClose,	0_2_6CD8E4FD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE04E5 SbSelectProcedure,RtlDebugPrintTimes,RtlGetSuiteMask,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,	0_2_6CCE04E5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD244E0 ZwSetLowWaitHighEventPair,	0_2_6CD244E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24490 ZwSetIntervalProfile,	0_2_6CD24490
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A49A RtlAllocateHeap,ZwCreateEvent,TpAllocWork,	0_2_6CD9A49A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24480 ZwSetInformationWorkerFactory,	0_2_6CD24480
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4480 TpSetPoolThreadCpuSets,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,RtlNumberOfSetBits,	0_2_6CDB4480
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD244B0 ZwSetIoCompletionEx,	0_2_6CD244B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE64AB memcmp,ZwSetInformationThread,RtlDeactivateActivationContextUnsafeFast,RtlSetThreadSubProcessTag,memset,RtlRaiseException,ZwSetInformationThread,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,	0_2_6CCE64AB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD244A0 ZwSetIoCompletion,	0_2_6CD244A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24450 ZwSetInformationTransaction,	0_2_6CD24450
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBA457 ZwDeviceIoControlFile,	0_2_6CDBA457
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A456 RtlUnsubscribeWnfNotificationWaitForCompletion,ZwClose,TpReleaseWork,RtlFreeHeap,	0_2_6CD9A456
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 ZwDelayExecution,ZwFreeVirtualMemory,ZwClose,ZwClose,RtlDeleteCriticalSection,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24440 ZwSetInformationToken,	0_2_6CD24440
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0A470 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,RtlFreeHeap,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlReAllocateHeap,	0_2_6CD0A470
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24470 ZwSetInformationVirtualMemory,	0_2_6CD24470
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24460 ZwSetInformationTransactionManager,	0_2_6CD24460
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C460 RtlTestAndPublishWnfStateData,ZwUpdateWnfStateData,RtlGetCurrentServiceSessionId,	0_2_6CD6C460
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24410 ZwSetInformationKey,	0_2_6CD24410
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBA414 ZwClose,	0_2_6CDBA414
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24400 ZwSetInformationJobObject,	0_2_6CD24400
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18402 RtlImageNtHeaderEx,ZwOpenKey,ZwOpenKey,ZwOpenKey,ZwQueryValueKey,ZwClose,RtlFormatCurrentUserKeyPath,RtlAllocateHeap,RtlAppendUnicodeStringToString,RtlAppendUnicodeToString,ZwOpenKey,RtlFreeHeap,RtlFreeUnicodeString,ZwQueryValueKey,ZwClose,ZwQueryKey,ZwClose,LdrLoadDll,ZwQueryValueKey,ZwQueryValueKey,ZwClose,LdrGetProcedureAddressForCaller,LdrUnloadDll,	0_2_6CD18402
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2410 RtlRandomEx,ZwQueryInformationProcess,	0_2_6CCE2410
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF2410 RtlAcquireSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,	0_2_6CCF2410
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24430 ZwSetInformationSymbolicLink,	0_2_6CD24430
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDC427 memset,ZwIsUILanguageComitted,RtlpGetNameFromLangInfoNode,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlFreeHeap,	0_2_6CCDC427
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDE420 ZwTraceControl,EtwDeliverDataBlock,TpSetWaitEx,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CCDE420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24420 ZwSetInformationResourceManager,	0_2_6CD24420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 RtlDefaultNpAcl,RtlAllocateHeap,ZwQueryInformationToken,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,RtlGetAppContainerSidType,RtlGetAppContainerParent,RtlAllocateHeap,RtlCreateAcl,RtlInitializeSid,RtlInitializeSid,RtlInitializeSid,RtlInitializeSid,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A5D0 RtlCreateTagHeap,ZwQuerySystemInformation,	0_2_6CD1A5D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD245D0 ZwShutdownSystem,	0_2_6CD245D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD245C0 ZwSetWnfProcessNotificationEvent,	0_2_6CD245C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A5C0 ZwWaitForSingleObject,	0_2_6CD9A5C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE65D0 ZwReleaseWorkerFactoryWorker,memmove,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,_allshl,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CCE65D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD245F0 ZwSignalAndWaitForSingleObject,	0_2_6CD245F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB85F0 ZwQueryInformationProcess,	0_2_6CDB85F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE25E0 ZwClose,RtlFreeHeap,	0_2_6CCE25E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD245E0 ZwShutdownWorkerFactory,	0_2_6CD245E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD725E4 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,	0_2_6CD725E4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24590 ZwSetTimerResolution,	0_2_6CD24590
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8590 ZwQueryMutant,ZwQueryMutant,	0_2_6CDB8590
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24580 ZwSetTimerEx,	0_2_6CD24580
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD205B0 EtwpCreateEtwThread,ZwResumeThread,EtwpCreateEtwThread,ZwTerminateThread,ZwClose,	0_2_6CD205B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD245B0 ZwSetVolumeInformationFile,	0_2_6CD245B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD245A0 ZwSetUuidSeed,	0_2_6CD245A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E5A2 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose,	0_2_6CD6E5A2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD65B5 RtlInitUnicodeString,RtlDebugPrintTimes,RtlDebugPrintTimes,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlReleasePath,ZwTerminateProcess,	0_2_6CCD65B5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A5A0 ZwSetEvent,	0_2_6CD9A5A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24550 ZwSetSystemTime,	0_2_6CD24550
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24540 ZwSetSystemPowerState,	0_2_6CD24540
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C540 RtlWaitForWnfMetaNotification,ZwQueryWnfStateNameInformation,ZwQueryWnfStateNameInformation,ZwCreateEvent,RtlRegisterForWnfMetaNotification,_allmul,ZwWaitForSingleObject,RtlUnsubscribeWnfNotificationWaitForCompletion,ZwClose,	0_2_6CD6C540
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A570 RtlWakeAllConditionVariable,ZwAlertThreadByThreadId,RtlWakeAllConditionVariable,	0_2_6CD1A570
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C570 RtlSetUserCallbackExceptionFilter,RtlSetUserCallbackExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CD1C570
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24570 ZwSetTimer2,	0_2_6CD24570
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24560 ZwSetThreadExecutionState,	0_2_6CD24560
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8560 ZwQueryEvent,	0_2_6CDB8560
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24510 ZwSetSystemEnvironmentValue,	0_2_6CD24510
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24500 ZwSetSecurityObject,	0_2_6CD24500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 TpTrimPools,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlSleepConditionVariableSRW,RtlAllocateHeap,ZwClose,RtlFreeHeap,RtlAllocateHeap,ZwClose,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForMultipleObjects,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24530 ZwSetSystemInformation,	0_2_6CD24530
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24520 ZwSetSystemEnvironmentValueEx,	0_2_6CD24520
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD246D0 ZwTranslateFilePath,	0_2_6CD246D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD246C0 ZwTraceControl,	0_2_6CD246C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A6C7 RtlAllocateHeap,memcpy,ZwFreeVirtualMemory,	0_2_6CD1A6C7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD246F0 ZwUnloadDriver,	0_2_6CD246F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E6F2 ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy,	0_2_6CD5E6F2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD246E0 ZwUmsThreadYield,	0_2_6CD246E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6A6E0 RtlWow64IsWowGuestMachineSupported,ZwQuerySystemInformationEx,_alloca_probe_16,ZwQuerySystemInformationEx,	0_2_6CD6A6E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24690 ZwTestAlert,	0_2_6CD24690
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6A690 RtlWow64GetSharedInfoProcess,ZwQueryInformationProcess,ZwReadVirtualMemory,	0_2_6CD6A690
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD72699 memset,memset,ZwCreateUserProcess,	0_2_6CD72699
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24680 ZwTerminateJobObject,	0_2_6CD24680
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8680 ZwQueryInformationThread,ZwQueryInformationThread,	0_2_6CDB8680
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD246B0 ZwThawTransactions,	0_2_6CD246B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD246A0 ZwThawRegistry,	0_2_6CD246A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24650 ZwSuspendThread,	0_2_6CD24650
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD86650 RtlpVerifyAndCommitUILanguageSettings,memset,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlpCreateProcessRegistryInfo,ZwFlushInstallUILanguage,ZwGetMUIRegistryInfo,ZwShutdownSystem,	0_2_6CD86650
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A650 ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CD9A650
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8650 ZwQuerySemaphore,	0_2_6CDB8650
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24640 ZwSuspendProcess,	0_2_6CD24640
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96640 RtlSleepConditionVariableCS,RtlLeaveCriticalSection,ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,RtlEnterCriticalSection,	0_2_6CD96640
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24670 ZwTerminateEnclave,	0_2_6CD24670
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24660 ZwSystemDebugControl,	0_2_6CD24660
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24610 ZwStartProfile,	0_2_6CD24610
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24600 ZwSinglePhaseReject,	0_2_6CD24600
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24630 ZwSubscribeWnfStateChange,	0_2_6CD24630
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20634 ZwCreateThreadEx,ZwClose,	0_2_6CD20634
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDC62A RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,ZwClose,	0_2_6CCDC62A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18620 ZwQueryInformationThread,ZwQueryInformationThread,RtlAcquireSRWLockShared,RtlApplicationVerifierStop,	0_2_6CD18620
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24620 ZwStopProfile,	0_2_6CD24620
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9C620 RtlpRefreshCachedUILanguage,ZwQueryInstallUILanguage,RtlInitUnicodeString,RtlCultureNameToLCID,ZwFlushInstallUILanguage,RtlpCreateProcessRegistryInfo,ZwFlushInstallUILanguage,ZwFlushInstallUILanguage,ZwGetMUIRegistryInfo,	0_2_6CD9C620
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8620 ZwQuerySection,	0_2_6CDB8620
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD247D0 ZwWaitHighEventPair,	0_2_6CD247D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD247C0 ZwWaitForWorkViaWorkerFactory,	0_2_6CD247C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD607C3 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,EtwEventRegister,EtwEventWrite,EtwNotificationUnregister,ZwRaiseException,	0_2_6CD607C3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD667C0 RtlNewSecurityGrantedAccess,ZwQueryInformationToken,RtlMapGenericMask,ZwPrivilegeCheck,	0_2_6CD667C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD247F0 ZwLoadKey3,	0_2_6CD247F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD247E0 ZwWaitLowEventPair,	0_2_6CD247E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24790 ZwWaitForAlertByThreadId,	0_2_6CD24790
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24780 ZwVdmControl,	0_2_6CD24780
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD88785 ZwAllocateVirtualMemory,ZwDuplicateObject,ZwWriteVirtualMemory,ZwTerminateThread,ZwClose,ZwFreeVirtualMemory,ZwResumeThread,ZwWaitForSingleObject,ZwClose,ZwReadVirtualMemory,	0_2_6CD88785
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD247B0 ZwWaitForKeyedEvent,	0_2_6CD247B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6A7B0 RtlDecodeRemotePointer,ZwQueryInformationProcess,	0_2_6CD6A7B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD247A0 ZwWaitForDebugEvent,	0_2_6CD247A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD67BF memset,ZwTerminateProcess,	0_2_6CCD67BF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD947A0 RtlHeapTrkInitialize,ZwMapViewOfSection,ZwQueryPerformanceCounter,RtlCreateHeap,RtlSetHeapInformation,RtlAllocateHeap,RtlAllocateHeap,ZwUnmapViewOfSection,RtlDestroyHeap,ZwUnmapViewOfSection,ZwClose,	0_2_6CD947A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24750 ZwUnmapViewOfSectionEx,	0_2_6CD24750
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA740 ZwClose,RtlFreeHeap,	0_2_6CCDA740
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24740 ZwUnlockVirtualMemory,	0_2_6CD24740
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24770 ZwUpdateWnfStateData,	0_2_6CD24770
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA760 EtwSetMark,ZwTraceEvent,RtlNtStatusToDosError,	0_2_6CCDA760
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24760 ZwUnsubscribeWnfStateChange,	0_2_6CD24760
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD10710 RtlAllocateHandle,RtlReAllocateHeap,RtlAllocateHandle,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,	0_2_6CD10710
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24710 ZwUnloadKey2,	0_2_6CD24710
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24700 ZwUnloadKey,	0_2_6CD24700
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66700 RtlNewInstanceSecurityObject,ZwQueryInformationToken,	0_2_6CD66700
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24730 ZwUnlockFile,	0_2_6CD24730
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5C730 LdrAppxHandleIntegrityFailure,RtlQueryPackageIdentityEx,memset,ZwQueryValueKey,RtlFreeHeap,ZwClose,memset,memset,RtlCaptureContext,RtlReportException,ZwTerminateProcess,	0_2_6CD5C730
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20735 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,	0_2_6CD20735
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24720 ZwUnloadKeyEx,	0_2_6CD24720
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD240D0 ZwQueryWnfStateNameInformation,	0_2_6CD240D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD620DE ZwRaiseHardError,	0_2_6CD620DE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBA0D1 ZwDeviceIoControlFile,	0_2_6CDBA0D1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD740DA ZwQueryVirtualMemory,	0_2_6CD740DA
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E0DF ZwDelayExecution,	0_2_6CD1E0DF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDC0C2 ZwAlertThreadByThreadId,	0_2_6CCDC0C2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD240C0 ZwQueryWnfStateData,	0_2_6CD240C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE20DA ZwOpenThreadToken,ZwSetInformationThread,ZwClose,	0_2_6CCE20DA
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C0C0 RtlInitUnicodeString,ZwQueryValueKey,	0_2_6CD6C0C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD640C9 ZwTerminateProcess,RtlLeaveCriticalSection,	0_2_6CD640C9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD220F0 RtlPublishWnfStateData,ZwUpdateWnfStateData,RtlGetCurrentServiceSessionId,RtlPublishWnfStateData,	0_2_6CD220F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD240F0 ZwRaiseException,	0_2_6CD240F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD240E0 ZwQueueApcThreadEx,	0_2_6CD240E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E0E0 LdrCreateEnclave,ZwCreateEnclave,LdrCreateEnclave,	0_2_6CD5E0E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24090 ZwQuerySystemEnvironmentValueEx,	0_2_6CD24090
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C080 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx,	0_2_6CD1C080
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24080 ZwQuerySystemEnvironmentValue,	0_2_6CD24080
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD68080 ZwReadVirtualMemory,	0_2_6CD68080
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1608F ZwOpenKey,ZwCreateKey,	0_2_6CD1608F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA60B8 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CDA60B8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD240B0 ZwQueryTimerResolution,	0_2_6CD240B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD740A7 ZwSetInformationFile,	0_2_6CD740A7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD240A0 ZwQuerySystemInformationEx,	0_2_6CD240A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E0A0 DbgUiWaitStateChange,ZwWaitForDebugEvent,	0_2_6CD5E0A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24050 ZwQuerySecurityPolicy,	0_2_6CD24050
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24040 ZwQuerySecurityObject,	0_2_6CD24040
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16045 ZwClose,	0_2_6CD16045
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64043 ZwOpenFile,ZwQueryVirtualMemory,ZwOpenFile,	0_2_6CD64043
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A073 RtlInitUnicodeString,RtlInitAnsiString,RtlAnsiStringToUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,ZwRaiseHardError,RtlRaiseStatus,EtwTraceMessageVa,RtlNtStatusToDosError,	0_2_6CD1A073
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24070 ZwQuerySymbolicLinkObject,	0_2_6CD24070
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E070 DbgUiStopDebugging,ZwRemoveProcessDebug,	0_2_6CD5E070
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD06060 RtlCheckTokenMembershipEx,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,RtlSetGroupSecurityDescriptor,RtlCreateAcl,RtlInitializeSidEx,RtlSetDaclSecurityDescriptor,ZwAccessCheck,RtlInitializeSidEx,ZwOpenThreadTokenEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwClose,ZwClose,RtlCheckTokenMembershipEx,	0_2_6CD06060
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24060 ZwQuerySemaphore,	0_2_6CD24060
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A060 RtlOsDeploymentState,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,	0_2_6CD9A060
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24010 ZwQueryPortInformationProcess,	0_2_6CD24010
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24000 ZwQueryOpenSubKeysEx,	0_2_6CD24000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4003 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwSetInformationJobObject,ZwQueryInformationJobObject,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,	0_2_6CDB4003
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24030 ZwQuerySecurityAttributesToken,	0_2_6CD24030
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C03E RtlInitUnicodeString,ZwOpenKey,ZwClose,	0_2_6CD6C03E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24020 ZwQueryQuotaInformationFile,	0_2_6CD24020
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD241D0 ZwReplaceKey,	0_2_6CD241D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD801D0 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess,	0_2_6CD801D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD941CB ZwQueryVirtualMemory,bsearch_s,	0_2_6CD941CB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD241C0 ZwRenameTransactionManager,	0_2_6CD241C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA61C3 RtlAllocateHeap,ZwQueryWnfStateData,ZwUpdateWnfStateData,RtlFreeHeap,	0_2_6CDA61C3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A1C0 RtlQueryValidationRunlevel,ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CD9A1C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB41C0 TpQueryPoolStackInformation,ZwQueryInformationWorkerFactory,	0_2_6CDB41C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C1F0 RtlSetUnhandledExceptionFilter,RtlSetUnhandledExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CD1C1F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD241F0 ZwReplyWaitReplyPort,	0_2_6CD241F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB81F0 ZwQueryVirtualMemory,ZwPssCaptureVaSpaceBulk,ZwQueryVirtualMemory,	0_2_6CDB81F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD241E0 ZwReplacePartitionUnit,	0_2_6CD241E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD641E2 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel,	0_2_6CD641E2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB61E5 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CDB61E5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24190 ZwRemoveIoCompletionEx,	0_2_6CD24190
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E190 RtlFreeUserStack,ZwFreeVirtualMemory,	0_2_6CD5E190
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6019F RtlGetCurrentServiceSessionId,RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_6CD6019F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE819E ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationObject,ZwSetInformationThread,ZwAdjustPrivilegesToken,ZwSetInformationThread,	0_2_6CCE819E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE419F ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,	0_2_6CCE419F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24180 ZwReleaseWorkerFactoryWorker,	0_2_6CD24180
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20185 ZwQuerySystemInformation,EtwpCreateEtwThread,RtlNtStatusToDosError,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,	0_2_6CD20185
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA197 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,	0_2_6CCDA197
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB6187 ZwSetInformationThread,memset,RtlRaiseException,	0_2_6CDB6187
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD241B0 ZwRenameKey,	0_2_6CD241B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBA1B6 ZwCreateFile,	0_2_6CDBA1B6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD241A0 ZwRemoveProcessDebug,	0_2_6CD241A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD141A2 ZwAlertThreadByThreadId,	0_2_6CD141A2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24150 ZwRegisterProtocolAddressInformation,	0_2_6CD24150
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0215F ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor,	0_2_6CD0215F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24140 ZwRecoverTransactionManager,	0_2_6CD24140
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD74144 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDetermineDosPathNameType_U,RtlDosPathNameToNtPathName_U,ZwQueryAttributesFile,RtlFreeHeap,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_6CD74144
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A140 RtlQueryTokenHostIdAsUlong64,ZwQuerySecurityAttributesToken,	0_2_6CD9A140
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB8142 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,ZwQueryVirtualMemory,	0_2_6CDB8142
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6154 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlAllocateHeap,ZwDuplicateObject,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlWakeConditionVariable,	0_2_6CCE6154
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24170 ZwReleaseKeyedEvent,	0_2_6CD24170
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6417C ZwRaiseHardError,	0_2_6CD6417C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24160 ZwRegisterThreadTerminatePort,	0_2_6CD24160
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22160 RtlCreateUserStack,RtlImageNtHeader,ZwSetInformationProcess,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlFreeUserStack,RtlCreateUserStack,RtlCreateUserStack,RtlCreateUserStack,	0_2_6CD22160
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBA160 RtlGetNtSystemRoot,ZwClose,	0_2_6CDBA160
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24110 ZwReadOnlyEnlistment,	0_2_6CD24110
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A11F ZwClose,	0_2_6CD9A11F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2102 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,	0_2_6CCE2102
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24100 ZwRaiseHardError,	0_2_6CD24100
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD74104 ZwQueryInformationFile,	0_2_6CD74104
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8E10E ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlFreeHeap,RtlGetDaclSecurityDescriptor,RtlGetOwnerSecurityDescriptor,RtlEqualSid,RtlGetAce,RtlEqualSid,ZwSetSecurityObject,RtlSelfRelativeToAbsoluteSD2,RtlAllocateHeap,memcpy,RtlFreeHeap,RtlSelfRelativeToAbsoluteSD2,RtlFreeHeap,RtlSetOwnerSecurityDescriptor,RtlSetDaclSecurityDescriptor,RtlMakeSelfRelativeSD,RtlAllocateHeap,RtlMakeSelfRelativeSD,RtlFreeHeap,ZwSetSecurityObject,RtlFreeHeap,	0_2_6CD8E10E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD68100 RtlSetProcessDebugInformation,ZwUnmapViewOfSection,RtlExitUserThread,	0_2_6CD68100
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C137 ZwQueryVirtualMemory,ZwQuerySystemInformation,ZwAllocateVirtualMemory,ZwProtectVirtualMemory,	0_2_6CD6C137
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24130 ZwRecoverResourceManager,	0_2_6CD24130
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6013A ZwOpenKeyEx,ZwClose,	0_2_6CD6013A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24120 ZwRecoverEnlistment,	0_2_6CD24120
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD242D0 ZwSaveMergedKeys,	0_2_6CD242D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB62D6 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CDB62D6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD242C0 ZwSaveKeyEx,	0_2_6CD242C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD622C5 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CD622C5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD702C0 RtlQueryImageMitigationPolicy,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,ZwOpenKey,ZwQueryValueKey,ZwClose,memcpy,RtlQueryImageMitigationPolicy,	0_2_6CD702C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD942F9 ZwQueryVirtualMemory,ZwQueryVirtualMemory,RtlImageDirectoryEntryToData,	0_2_6CD942F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD242F0 ZwSerializeBoot,	0_2_6CD242F0

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD22AE0: ZwDeviceIoControlFile,

0_2_6CD22AE0

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD246F0 ZwUnloadDriver,

0_2_6CD246F0

Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401355	0_2_00401355
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_004013DD	0_2_004013DD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00401909	0_2_00401909
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0CF2	0_2_6CCE0CF2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0C00	0_2_6CCF0C00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF8DC0	0_2_6CCF8DC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD08DBF	0_2_6CD08DBF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8CD1F	0_2_6CD8CD1F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFAD00	0_2_6CCFAD00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAEEDB	0_2_6CDAEEDB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDACE93	0_2_6CDACE93
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0E59	0_2_6CCF0E59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAEE26	0_2_6CDAEE26
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2FC8	0_2_6CCE2FC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6EFA0	0_2_6CD6EFA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64F40	0_2_6CD64F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD10F30	0_2_6CD10F30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD92F30	0_2_6CD92F30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD32F28	0_2_6CD32F28
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E8F0	0_2_6CD1E8F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD28890	0_2_6CD28890
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD68B8	0_2_6CCD68B8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFA840	0_2_6CCFA840
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9C87C	0_2_6CD9C87C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBA9A6	0_2_6CDBA9A6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD06962	0_2_6CD06962
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA6BD7	0_2_6CDA6BD7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAEB89	0_2_6CDAEB89
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAAB40	0_2_6CDAAB40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9E4F6	0_2_6CD9E4F6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA2446	0_2_6CDA2446
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94420	0_2_6CD94420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB0591	0_2_6CDB0591
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0C6E0	0_2_6CD0C6E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14750	0_2_6CD14750
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA81CC	0_2_6CDA81CC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB01AA	0_2_6CDB01AA
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA41A2	0_2_6CDA41A2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD78158	0_2_6CD78158
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8A118	0_2_6CD8A118
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0100	0_2_6CCE0100
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD702C0	0_2_6CD702C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90274	0_2_6CD90274
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB03E6	0_2_6CDB03E6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFE3F0	0_2_6CCFE3F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAFCF2	0_2_6CDAFCF2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD69C32	0_2_6CD69C32
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD09C20	0_2_6CD09C20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0FDC0	0_2_6CD0FDC0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA1D5A	0_2_6CDA1D5A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA7D73	0_2_6CDA7D73
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF9EB0	0_2_6CCF9EB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCB3FD2	0_2_6CCB3FD2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCB3FD5	0_2_6CCB3FD5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF1F92	0_2_6CCF1F92
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAFFB1	0_2_6CDAFFB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAFF09	0_2_6CDAFF09
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF38E0	0_2_6CCF38E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5D800	0_2_6CD5D800
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF5990	0_2_6CCF5990
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0B950	0_2_6CD0B950
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD85910	0_2_6CD85910
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9DAC6	0_2_6CD9DAC6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD35AA0	0_2_6CD35AA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8DAAC	0_2_6CD8DAAC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD91AA3	0_2_6CD91AA3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAFA49	0_2_6CDAFA49
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA7A46	0_2_6CDA7A46
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD63A6C	0_2_6CD63A6C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD65BF0	0_2_6CD65BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2DBF9	0_2_6CD2DBF9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0FB80	0_2_6CD0FB80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAFB76	0_2_6CDAFB76
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE1460	0_2_6CCE1460
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAF43F	0_2_6CDAF43F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB95C3	0_2_6CDB95C3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8D5B0	0_2_6CD8D5B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA7571	0_2_6CDA7571
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA16CC	0_2_6CDA16CC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD35630	0_2_6CD35630
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE17EC	0_2_6CCE17EC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD797EA	0_2_6CD797EA
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAF7B0	0_2_6CDAF7B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8D710	0_2_6CD8D710
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9F0CC	0_2_6CD9F0CC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA70E9	0_2_6CDA70E9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAF0E0	0_2_6CDAF0E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFB1B0	0_2_6CCFB1B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDBB16B	0_2_6CDBB16B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2516C	0_2_6CD2516C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDF172	0_2_6CCDF172
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0B2C0	0_2_6CD0B2C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0D2F0	0_2_6CD0D2F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD912ED	0_2_6CD912ED
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF52A0	0_2_6CCF52A0
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_00413F5F	4_2_00413F5F
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_004158FC	4_2_004158FC
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_00413A1B	4_2_00413A1B
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_004144A3	4_2_004144A3

Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CD6F290 appears 103 times
Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CCF25B0 appears 31 times
Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CD37EB0 appears 34 times
Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CD37E54 appears 143 times
Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CCDB970 appears 244 times
Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CD25130 appears 51 times
Source: C:\Users\user\Desktop\0di3x.exe	Code function: String function: 6CD5EA12 appears 78 times

Source: 2F6.tmp.0.dr

Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: 2F6.tmp.0.dr

Static PE information: No import functions for PE file found

Source: 0di3x.exe, 00000000.00000002.2160738883.000000006CDDD000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs 0di3x.exe

Source: 0di3x.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2159821605.0000000003060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2159975048.000000000308D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2433888025.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2160234942.0000000004C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2434138713.0000000004BF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2434201803.0000000004D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2434075847.000000000326E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2160155593.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: 0di3x.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vugfefw.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2F6.tmp.0.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/3@437/0

Source: C:\Users\user\Desktop\0di3x.exe	Code function: RtlAppxIsFileOwnedByTrustedInstaller,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlGetOwnerSecurityDescriptor,RtlCreateServiceSid,RtlAllocateHeap,RtlCreateServiceSid,RtlEqualSid,RtlFreeHeap,RtlFreeHeap,		0_2_6CD5CCA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: RtlCreateServiceSid,RtlUpcaseUnicodeString,A_SHAInit,A_SHAUpdate,A_SHAFinal,RtlFreeUnicodeString,RtlInitializeSid,RtlCreateServiceSid,		0_2_6CCDC230

Source: C:\Users\user\AppData\Roaming\vugfefw

Code function: 4_2_0326EF7E CreateToolhelp32Snapshot,Module32First,

4_2_0326EF7E

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vugfefw

Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe

File created: C:\Users\user\AppData\Local\Temp\2F6.tmp

Jump to behavior

Source: 0di3x.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0di3x.exe	Virustotal: Detection: 77%
Source: 0di3x.exe	ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\0di3x.exe "C:\Users\user\Desktop\0di3x.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vugfefw C:\Users\user\AppData\Roaming\vugfefw

Source: C:\Users\user\Desktop\0di3x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: 0di3x.exe, 00000000.00000002.2160432184.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, vugfefw, 00000004.00000002.2434286704.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, 2F6.tmp.0.dr
Source:	Binary string: wntdll.pdb source: 0di3x.exe, 0di3x.exe, 00000000.00000002.2160432184.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, vugfefw, 00000004.00000002.2434286704.000000006CCB1000.00000020.00000001.01000000.00000004.sdmp, 2F6.tmp.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\0di3x.exe	Unpacked PE file: 0.2.0di3x.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vugfefw	Unpacked PE file: 4.2.vugfefw.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: 2F6.tmp.0.dr	Static PE information: section name: RT
Source: 2F6.tmp.0.dr	Static PE information: section name: .mrdata
Source: 2F6.tmp.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00402C45 push eax; ret	0_2_00402C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_0040634F push ebx; retf	0_2_00406358
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00405756 push ebp; iretd	0_2_00405757
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00402C68 push eax; ret	0_2_00402C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00405F01 push edi; ret	0_2_00405F02
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00403E02 push ecx; ret	0_2_00403E03
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00405F09 push edi; ret	0_2_00405F0A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00402C14 push eax; ret	0_2_00402C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00402C1B push eax; ret	0_2_00402C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00404D39 push ebp; ret	0_2_00404D3C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_004045C3 push ecx; retf	0_2_004045C4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00402BD9 push eax; ret	0_2_00402C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_00402BE6 push eax; ret	0_2_00402C90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCB283D push eax; iretd	0_2_6CCB2858
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE09AD push ecx; mov dword ptr [esp], ecx	0_2_6CCE09B6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCB27FA pushad ; ret	0_2_6CCB27F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCB225F pushad ; ret	0_2_6CCB27F9
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_00412988 push eax; ret	4_2_004129A6
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_030A4613 push ecx; retf	4_2_030A4614
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_030A3E52 push ecx; ret	4_2_030A3E53
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_030A4D89 push ebp; ret	4_2_030A4D8C
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_030A57A6 push ebp; iretd	4_2_030A57A7
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_03272828 push ecx; retf	4_2_03272829
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_03272060 push ecx; ret	4_2_03272061
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_03272FA8 push ebp; ret	4_2_03272FAB
Source: C:\Users\user\AppData\Roaming\vugfefw	Code function: 4_2_032739CF push ebp; iretd	4_2_032739D0

Source: 0di3x.exe	Static PE information: section name: .text entropy: 7.537290603747341
Source: 2F6.tmp.0.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: vugfefw.2.dr	Static PE information: section name: .text entropy: 7.537290603747341

Source: C:\Users\user\Desktop\0di3x.exe	File created: C:\Users\user\AppData\Local\Temp\2F6.tmp			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vugfefw			Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vugfefw

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

DLL reload attack detected

Source: C:\Users\user\Desktop\0di3x.exe	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\2F6.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Roaming\vugfefw	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\2F6.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\0di3x.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\vugfefw:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\0di3x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\0di3x.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\0di3x.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\vugfefw	API/Special instruction interceptor: Address: 7FF8C88EE814

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vugfefw, 00000004.00000002.2434011746.000000000325E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CCE28F0 rdtsc

0_2_6CCE28F0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 399	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1379	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 835	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3332	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2F6.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\0di3x.exe

API coverage: 0.2 %

Source: C:\Windows\explorer.exe TID: 6788	Thread sleep count: 399 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1964	Thread sleep count: 1379 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1964	Thread sleep time: -137900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3396	Thread sleep count: 835 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3396	Thread sleep time: -83500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1272	Thread sleep count: 239 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1784	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6332	Thread sleep count: 290 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1964	Thread sleep count: 3332 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1964	Thread sleep time: -333200s >= -30000s	Jump to behavior

Source: explorer.exe, 00000002.00000000.2143084656.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000002.00000000.2144986139.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000002.00000000.2142001036.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.2142001036.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2140801063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000002.00000000.2143084656.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.2142001036.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2142001036.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000002.00000000.2140801063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2143084656.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\0di3x.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\0di3x.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CCE28F0 rdtsc

0_2_6CCE28F0

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD22C0A NtQueryInformationProcess,LdrInitializeThunk,

0_2_6CD22C0A

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD66FE0 RtlQueryProcessDebugInformation,memset,ZwOpenProcess,ZwOpenProcess,RtlWow64GetProcessMachines,ZwClose,ZwClose,ZwWow64CallFunction64,RtlpQueryProcessDebugInformationRemote,ZwWaitForSingleObject,ZwQueryInformationThread,ZwTerminateThread,ZwClose,ZwClose,RtlQueryProcessBackTraceInformation,RtlQueryProcessLockInformation,RtlQueryProcessHeapInformation,ZwClose,

0_2_6CD66FE0

Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCCC8 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCCC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8CD0 mov eax, dword ptr fs:[00000030h]	0_2_6CCD8CD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD12CF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD12CF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD12CF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD12CF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8C8D mov eax, dword ptr fs:[00000030h]	0_2_6CCD8C8D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD08CB1 mov eax, dword ptr fs:[00000030h]	0_2_6CD08CB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD08CB1 mov eax, dword ptr fs:[00000030h]	0_2_6CD08CB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CD90CB5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CCA0 mov ecx, dword ptr fs:[00000030h]	0_2_6CD5CCA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CCA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD5CCA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CCA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD5CCA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CCA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD5CCA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14C59 mov eax, dword ptr fs:[00000030h]	0_2_6CD14C59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CCEAC50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6C50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6C50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6C50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6C50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6C50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6C50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AC60 mov eax, dword ptr fs:[00000030h]	0_2_6CD7AC60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AC60 mov eax, dword ptr fs:[00000030h]	0_2_6CD7AC60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CCF0C00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CCF0C00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CCF0C00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CCF0C00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CC00 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CC00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64C0F mov eax, dword ptr fs:[00000030h]	0_2_6CD64C0F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84C34 mov ecx, dword ptr fs:[00000030h]	0_2_6CD84C34
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEC20 mov eax, dword ptr fs:[00000030h]	0_2_6CCDEC20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7CC20 mov eax, dword ptr fs:[00000030h]	0_2_6CD7CC20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7CC20 mov eax, dword ptr fs:[00000030h]	0_2_6CD7CC20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64DD7 mov eax, dword ptr fs:[00000030h]	0_2_6CD64DD7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64DD7 mov eax, dword ptr fs:[00000030h]	0_2_6CD64DD7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EDD3 mov eax, dword ptr fs:[00000030h]	0_2_6CD0EDD3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EDD3 mov eax, dword ptr fs:[00000030h]	0_2_6CD0EDD3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0CDF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD0CDF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0CDF0 mov ecx, dword ptr fs:[00000030h]	0_2_6CD0CDF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCDEA mov eax, dword ptr fs:[00000030h]	0_2_6CCDCDEA
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCDEA mov eax, dword ptr fs:[00000030h]	0_2_6CCDCDEA
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD80DF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD80DF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD80DF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD80DF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD00DE1 mov eax, dword ptr fs:[00000030h]	0_2_6CD00DE1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD6DF6 mov eax, dword ptr fs:[00000030h]	0_2_6CCD6DF6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CDB1 mov ecx, dword ptr fs:[00000030h]	0_2_6CD1CDB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CDB1 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CDB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CDB1 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CDB1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD08DBF mov eax, dword ptr fs:[00000030h]	0_2_6CD08DBF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD08DBF mov eax, dword ptr fs:[00000030h]	0_2_6CD08DBF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16DA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD16DA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA8DAE mov eax, dword ptr fs:[00000030h]	0_2_6CDA8DAE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA8DAE mov eax, dword ptr fs:[00000030h]	0_2_6CDA8DAE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4DAD mov eax, dword ptr fs:[00000030h]	0_2_6CDB4DAD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8D59
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD78D6B mov eax, dword ptr fs:[00000030h]	0_2_6CD78D6B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD98D10 mov eax, dword ptr fs:[00000030h]	0_2_6CD98D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD98D10 mov eax, dword ptr fs:[00000030h]	0_2_6CD98D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14D1D mov eax, dword ptr fs:[00000030h]	0_2_6CD14D1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFAD00 mov eax, dword ptr fs:[00000030h]	0_2_6CCFAD00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFAD00 mov eax, dword ptr fs:[00000030h]	0_2_6CCFAD00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFAD00 mov eax, dword ptr fs:[00000030h]	0_2_6CCFAD00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD6D10 mov eax, dword ptr fs:[00000030h]	0_2_6CCD6D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD6D10 mov eax, dword ptr fs:[00000030h]	0_2_6CCD6D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD6D10 mov eax, dword ptr fs:[00000030h]	0_2_6CCD6D10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4D30 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4D30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD68D20 mov eax, dword ptr fs:[00000030h]	0_2_6CD68D20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96ED0 mov ecx, dword ptr fs:[00000030h]	0_2_6CD96ED0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18EF5 mov eax, dword ptr fs:[00000030h]	0_2_6CD18EF5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6EE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6EE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6EE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6EE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12E9C mov eax, dword ptr fs:[00000030h]	0_2_6CD12E9C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12E9C mov ecx, dword ptr fs:[00000030h]	0_2_6CD12E9C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDAE90 mov eax, dword ptr fs:[00000030h]	0_2_6CCDAE90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDAE90 mov eax, dword ptr fs:[00000030h]	0_2_6CCDAE90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDAE90 mov eax, dword ptr fs:[00000030h]	0_2_6CCDAE90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AEB0 mov eax, dword ptr fs:[00000030h]	0_2_6CD7AEB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7AEB0 mov eax, dword ptr fs:[00000030h]	0_2_6CD7AEB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96EB0 mov eax, dword ptr fs:[00000030h]	0_2_6CD96EB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CEA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD6CEA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CEA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD6CEA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CEA0 mov eax, dword ptr fs:[00000030h]	0_2_6CD6CEA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2E4F mov eax, dword ptr fs:[00000030h]	0_2_6CDB2E4F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2E4F mov eax, dword ptr fs:[00000030h]	0_2_6CDB2E4F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEE5A mov eax, dword ptr fs:[00000030h]	0_2_6CCDEE5A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD60E7F mov eax, dword ptr fs:[00000030h]	0_2_6CD60E7F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD60E7F mov eax, dword ptr fs:[00000030h]	0_2_6CD60E7F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD60E7F mov eax, dword ptr fs:[00000030h]	0_2_6CD60E7F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6E71 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6E71
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18E1A mov eax, dword ptr fs:[00000030h]	0_2_6CD18E1A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8E1D mov eax, dword ptr fs:[00000030h]	0_2_6CCD8E1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov ecx, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AE00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14E30 mov eax, dword ptr fs:[00000030h]	0_2_6CD14E30
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76E20 mov eax, dword ptr fs:[00000030h]	0_2_6CD76E20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76E20 mov eax, dword ptr fs:[00000030h]	0_2_6CD76E20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76E20 mov ecx, dword ptr fs:[00000030h]	0_2_6CD76E20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2FC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2FC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2FC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2FC8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEFD8 mov eax, dword ptr fs:[00000030h]	0_2_6CCDEFD8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEFD8 mov eax, dword ptr fs:[00000030h]	0_2_6CCDEFD8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEFD8 mov eax, dword ptr fs:[00000030h]	0_2_6CCDEFD8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CD20FF6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CD20FF6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CD20FF6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CD20FF6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96FF7 mov eax, dword ptr fs:[00000030h]	0_2_6CD96FF7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFCFE0 mov eax, dword ptr fs:[00000030h]	0_2_6CCFCFE0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4FE7 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4FE7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8FF0 mov ecx, dword ptr fs:[00000030h]	0_2_6CCD8FF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8FF0 mov eax, dword ptr fs:[00000030h]	0_2_6CCD8FF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12F98 mov eax, dword ptr fs:[00000030h]	0_2_6CD12F98
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12F98 mov eax, dword ptr fs:[00000030h]	0_2_6CD12F98
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CF80 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CF80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CF50 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD80F50 mov eax, dword ptr fs:[00000030h]	0_2_6CD80F50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CD64F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CD64F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CD64F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CD64F40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84F42 mov eax, dword ptr fs:[00000030h]	0_2_6CD84F42
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CCDCF50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16F60 mov eax, dword ptr fs:[00000030h]	0_2_6CD16F60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16F60 mov eax, dword ptr fs:[00000030h]	0_2_6CD16F60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4F68 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4F68
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82F60 mov eax, dword ptr fs:[00000030h]	0_2_6CD82F60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82F60 mov eax, dword ptr fs:[00000030h]	0_2_6CD82F60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AF69 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AF69
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0AF69 mov eax, dword ptr fs:[00000030h]	0_2_6CD0AF69
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD24F10 mov eax, dword ptr fs:[00000030h]	0_2_6CD24F10
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CF1F mov eax, dword ptr fs:[00000030h]	0_2_6CD1CF1F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD96F00 mov eax, dword ptr fs:[00000030h]	0_2_6CD96F00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2F12 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2F12
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EF28 mov eax, dword ptr fs:[00000030h]	0_2_6CD0EF28
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0E8C0 mov eax, dword ptr fs:[00000030h]	0_2_6CD0E8C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB08C0 mov eax, dword ptr fs:[00000030h]	0_2_6CDB08C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C8F9 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C8F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C8F9 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C8F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE28F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAA8E4 mov eax, dword ptr fs:[00000030h]	0_2_6CDAA8E4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0887 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0887
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C89D mov eax, dword ptr fs:[00000030h]	0_2_6CD6C89D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD10854 mov eax, dword ptr fs:[00000030h]	0_2_6CD10854
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE4859 mov eax, dword ptr fs:[00000030h]	0_2_6CCE4859
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE4859 mov eax, dword ptr fs:[00000030h]	0_2_6CCE4859
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E872 mov eax, dword ptr fs:[00000030h]	0_2_6CD6E872
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E872 mov eax, dword ptr fs:[00000030h]	0_2_6CD6E872
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76870 mov eax, dword ptr fs:[00000030h]	0_2_6CD76870
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76870 mov eax, dword ptr fs:[00000030h]	0_2_6CD76870
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C810 mov eax, dword ptr fs:[00000030h]	0_2_6CD6C810
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A830 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A830
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8483A mov eax, dword ptr fs:[00000030h]	0_2_6CD8483A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8483A mov eax, dword ptr fs:[00000030h]	0_2_6CD8483A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD02835 mov eax, dword ptr fs:[00000030h]	0_2_6CD02835
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD02835 mov eax, dword ptr fs:[00000030h]	0_2_6CD02835
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD02835 mov eax, dword ptr fs:[00000030h]	0_2_6CD02835
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD02835 mov ecx, dword ptr fs:[00000030h]	0_2_6CD02835
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD02835 mov eax, dword ptr fs:[00000030h]	0_2_6CD02835
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD02835 mov eax, dword ptr fs:[00000030h]	0_2_6CD02835
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD149D0 mov eax, dword ptr fs:[00000030h]	0_2_6CD149D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAA9D3 mov eax, dword ptr fs:[00000030h]	0_2_6CDAA9D3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD769C0 mov eax, dword ptr fs:[00000030h]	0_2_6CD769C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCEA9D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCEA9D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCEA9D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCEA9D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCEA9D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCEA9D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD129F9 mov eax, dword ptr fs:[00000030h]	0_2_6CD129F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD129F9 mov eax, dword ptr fs:[00000030h]	0_2_6CD129F9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E9E0 mov eax, dword ptr fs:[00000030h]	0_2_6CD6E9E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE09AD mov eax, dword ptr fs:[00000030h]	0_2_6CCE09AD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE09AD mov eax, dword ptr fs:[00000030h]	0_2_6CCE09AD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD689B3 mov esi, dword ptr fs:[00000030h]	0_2_6CD689B3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD689B3 mov eax, dword ptr fs:[00000030h]	0_2_6CD689B3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD689B3 mov eax, dword ptr fs:[00000030h]	0_2_6CD689B3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCF29A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A950 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A950
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD60946 mov eax, dword ptr fs:[00000030h]	0_2_6CD60946
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4940 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4940
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84978 mov eax, dword ptr fs:[00000030h]	0_2_6CD84978
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD84978 mov eax, dword ptr fs:[00000030h]	0_2_6CD84978
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C970 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C970
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C970 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C970
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C97C mov eax, dword ptr fs:[00000030h]	0_2_6CD6C97C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD06962 mov eax, dword ptr fs:[00000030h]	0_2_6CD06962
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD06962 mov eax, dword ptr fs:[00000030h]	0_2_6CD06962
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD06962 mov eax, dword ptr fs:[00000030h]	0_2_6CD06962
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2096E mov eax, dword ptr fs:[00000030h]	0_2_6CD2096E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2096E mov edx, dword ptr fs:[00000030h]	0_2_6CD2096E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2096E mov eax, dword ptr fs:[00000030h]	0_2_6CD2096E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C912 mov eax, dword ptr fs:[00000030h]	0_2_6CD6C912
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8918 mov eax, dword ptr fs:[00000030h]	0_2_6CCD8918
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8918 mov eax, dword ptr fs:[00000030h]	0_2_6CCD8918
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E908 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E908
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E908 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E908
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6892A mov eax, dword ptr fs:[00000030h]	0_2_6CD6892A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD7892B mov eax, dword ptr fs:[00000030h]	0_2_6CD7892B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14AD0 mov eax, dword ptr fs:[00000030h]	0_2_6CD14AD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14AD0 mov eax, dword ptr fs:[00000030h]	0_2_6CD14AD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0AD0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0AD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD36ACC mov eax, dword ptr fs:[00000030h]	0_2_6CD36ACC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD36ACC mov eax, dword ptr fs:[00000030h]	0_2_6CD36ACC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD36ACC mov eax, dword ptr fs:[00000030h]	0_2_6CD36ACC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1AAEE mov eax, dword ptr fs:[00000030h]	0_2_6CD1AAEE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1AAEE mov eax, dword ptr fs:[00000030h]	0_2_6CD1AAEE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18A90 mov edx, dword ptr fs:[00000030h]	0_2_6CD18A90
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCDEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCDEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CCEEA80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4A80 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4A80
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8AA0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8AA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8AA0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8AA0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD36AA4 mov eax, dword ptr fs:[00000030h]	0_2_6CD36AA4
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD10A50 mov eax, dword ptr fs:[00000030h]	0_2_6CD10A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0A5B mov eax, dword ptr fs:[00000030h]	0_2_6CCF0A5B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0A5B mov eax, dword ptr fs:[00000030h]	0_2_6CCF0A5B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CCE6A50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CA72 mov eax, dword ptr fs:[00000030h]	0_2_6CD5CA72
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5CA72 mov eax, dword ptr fs:[00000030h]	0_2_6CD5CA72
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8EA60 mov eax, dword ptr fs:[00000030h]	0_2_6CD8EA60
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CA6F mov eax, dword ptr fs:[00000030h]	0_2_6CD1CA6F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CA6F mov eax, dword ptr fs:[00000030h]	0_2_6CD1CA6F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CA6F mov eax, dword ptr fs:[00000030h]	0_2_6CD1CA6F
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CA11 mov eax, dword ptr fs:[00000030h]	0_2_6CD6CA11
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD04A35 mov eax, dword ptr fs:[00000030h]	0_2_6CD04A35
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD04A35 mov eax, dword ptr fs:[00000030h]	0_2_6CD04A35
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CA38 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CA38
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1CA24 mov eax, dword ptr fs:[00000030h]	0_2_6CD1CA24
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EA2E mov eax, dword ptr fs:[00000030h]	0_2_6CD0EA2E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0BCD mov eax, dword ptr fs:[00000030h]	0_2_6CCE0BCD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0BCD mov eax, dword ptr fs:[00000030h]	0_2_6CCE0BCD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0BCD mov eax, dword ptr fs:[00000030h]	0_2_6CCE0BCD
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8EBD0 mov eax, dword ptr fs:[00000030h]	0_2_6CD8EBD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD00BCB mov eax, dword ptr fs:[00000030h]	0_2_6CD00BCB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD00BCB mov eax, dword ptr fs:[00000030h]	0_2_6CD00BCB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD00BCB mov eax, dword ptr fs:[00000030h]	0_2_6CD00BCB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18BF0 mov ecx, dword ptr fs:[00000030h]	0_2_6CD18BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD18BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD18BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6CBF0 mov eax, dword ptr fs:[00000030h]	0_2_6CD6CBF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EBFC mov eax, dword ptr fs:[00000030h]	0_2_6CD0EBFC
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8BF0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94BB0 mov eax, dword ptr fs:[00000030h]	0_2_6CD94BB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94BB0 mov eax, dword ptr fs:[00000030h]	0_2_6CD94BB0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0BBE mov eax, dword ptr fs:[00000030h]	0_2_6CCF0BBE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF0BBE mov eax, dword ptr fs:[00000030h]	0_2_6CCF0BBE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8EB50 mov eax, dword ptr fs:[00000030h]	0_2_6CD8EB50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CDB2B57
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CDB2B57
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CDB2B57
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CDB2B57
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94B4B mov eax, dword ptr fs:[00000030h]	0_2_6CD94B4B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD94B4B mov eax, dword ptr fs:[00000030h]	0_2_6CD94B4B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76B40 mov eax, dword ptr fs:[00000030h]	0_2_6CD76B40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76B40 mov eax, dword ptr fs:[00000030h]	0_2_6CD76B40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD88B42 mov eax, dword ptr fs:[00000030h]	0_2_6CD88B42
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDAAB40 mov eax, dword ptr fs:[00000030h]	0_2_6CDAAB40
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD8B50 mov eax, dword ptr fs:[00000030h]	0_2_6CCD8B50
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDCB7E mov eax, dword ptr fs:[00000030h]	0_2_6CCDCB7E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CD5EB1D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4B00 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4B00
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EB20 mov eax, dword ptr fs:[00000030h]	0_2_6CD0EB20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0EB20 mov eax, dword ptr fs:[00000030h]	0_2_6CD0EB20
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE04E5 mov ecx, dword ptr fs:[00000030h]	0_2_6CCE04E5
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A49A mov eax, dword ptr fs:[00000030h]	0_2_6CD9A49A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD144B0 mov ecx, dword ptr fs:[00000030h]	0_2_6CD144B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE64AB mov eax, dword ptr fs:[00000030h]	0_2_6CCE64AB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6A4B0 mov eax, dword ptr fs:[00000030h]	0_2_6CD6A4B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0245A mov eax, dword ptr fs:[00000030h]	0_2_6CD0245A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD9A456 mov eax, dword ptr fs:[00000030h]	0_2_6CD9A456
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD645D mov eax, dword ptr fs:[00000030h]	0_2_6CCD645D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CD1E443
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0A470 mov eax, dword ptr fs:[00000030h]	0_2_6CD0A470
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0A470 mov eax, dword ptr fs:[00000030h]	0_2_6CD0A470
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0A470 mov eax, dword ptr fs:[00000030h]	0_2_6CD0A470
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6C460 mov ecx, dword ptr fs:[00000030h]	0_2_6CD6C460
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18402 mov eax, dword ptr fs:[00000030h]	0_2_6CD18402
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18402 mov eax, dword ptr fs:[00000030h]	0_2_6CD18402
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18402 mov eax, dword ptr fs:[00000030h]	0_2_6CD18402
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A430 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A430
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDC427 mov eax, dword ptr fs:[00000030h]	0_2_6CCDC427
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDE420 mov eax, dword ptr fs:[00000030h]	0_2_6CCDE420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDE420 mov eax, dword ptr fs:[00000030h]	0_2_6CCDE420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDE420 mov eax, dword ptr fs:[00000030h]	0_2_6CCDE420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66420 mov eax, dword ptr fs:[00000030h]	0_2_6CD66420
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A5D0 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A5D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A5D0 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A5D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E5CF mov eax, dword ptr fs:[00000030h]	0_2_6CD1E5CF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E5CF mov eax, dword ptr fs:[00000030h]	0_2_6CD1E5CF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE65D0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE65D0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE25E0 mov eax, dword ptr fs:[00000030h]	0_2_6CCE25E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C5ED mov eax, dword ptr fs:[00000030h]	0_2_6CD1C5ED
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C5ED mov eax, dword ptr fs:[00000030h]	0_2_6CD1C5ED
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2582 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2582
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2582 mov ecx, dword ptr fs:[00000030h]	0_2_6CCE2582
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA580 mov ecx, dword ptr fs:[00000030h]	0_2_6CCDA580
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA580 mov eax, dword ptr fs:[00000030h]	0_2_6CCDA580
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1E59C mov eax, dword ptr fs:[00000030h]	0_2_6CD1E59C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD14588 mov eax, dword ptr fs:[00000030h]	0_2_6CD14588
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD045B1 mov eax, dword ptr fs:[00000030h]	0_2_6CD045B1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD045B1 mov eax, dword ptr fs:[00000030h]	0_2_6CD045B1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8550 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8550
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8550 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8550
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD76500 mov eax, dword ptr fs:[00000030h]	0_2_6CD76500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CDB4500
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CD0E53E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CD0E53E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CD0E53E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CD0E53E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CD0E53E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A6C7 mov ebx, dword ptr fs:[00000030h]	0_2_6CD1A6C7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A6C7 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A6C7
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E6F2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E6F2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E6F2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E6F2
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD606F1 mov eax, dword ptr fs:[00000030h]	0_2_6CD606F1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD606F1 mov eax, dword ptr fs:[00000030h]	0_2_6CD606F1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE4690 mov eax, dword ptr fs:[00000030h]	0_2_6CCE4690
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE4690 mov eax, dword ptr fs:[00000030h]	0_2_6CCE4690
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD166B0 mov eax, dword ptr fs:[00000030h]	0_2_6CD166B0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C6A6 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C6A6
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFC640 mov eax, dword ptr fs:[00000030h]	0_2_6CCFC640
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD12674 mov eax, dword ptr fs:[00000030h]	0_2_6CD12674
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A660 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A660
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A660 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A660
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCF260B mov eax, dword ptr fs:[00000030h]	0_2_6CCF260B
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22619 mov eax, dword ptr fs:[00000030h]	0_2_6CD22619
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5E609 mov eax, dword ptr fs:[00000030h]	0_2_6CD5E609
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE262C mov eax, dword ptr fs:[00000030h]	0_2_6CCE262C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCFE627 mov eax, dword ptr fs:[00000030h]	0_2_6CCFE627
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD16620 mov eax, dword ptr fs:[00000030h]	0_2_6CD16620
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD18620 mov eax, dword ptr fs:[00000030h]	0_2_6CD18620
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD067C0 mov eax, dword ptr fs:[00000030h]	0_2_6CD067C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD067C0 mov eax, dword ptr fs:[00000030h]	0_2_6CD067C0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD607C3 mov eax, dword ptr fs:[00000030h]	0_2_6CD607C3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C7F0 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C7F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE47FB mov eax, dword ptr fs:[00000030h]	0_2_6CCE47FB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE47FB mov eax, dword ptr fs:[00000030h]	0_2_6CCE47FB
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E7E1 mov eax, dword ptr fs:[00000030h]	0_2_6CD6E7E1
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD027ED mov eax, dword ptr fs:[00000030h]	0_2_6CD027ED
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD027ED mov eax, dword ptr fs:[00000030h]	0_2_6CD027ED
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD027ED mov eax, dword ptr fs:[00000030h]	0_2_6CD027ED
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD8678E mov eax, dword ptr fs:[00000030h]	0_2_6CD8678E
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE07AF mov eax, dword ptr fs:[00000030h]	0_2_6CCE07AF
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD947A0 mov eax, dword ptr fs:[00000030h]	0_2_6CD947A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22750 mov eax, dword ptr fs:[00000030h]	0_2_6CD22750
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD22750 mov eax, dword ptr fs:[00000030h]	0_2_6CD22750
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64755 mov eax, dword ptr fs:[00000030h]	0_2_6CD64755
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD6E75D mov eax, dword ptr fs:[00000030h]	0_2_6CD6E75D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA740 mov eax, dword ptr fs:[00000030h]	0_2_6CCDA740
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1674D mov esi, dword ptr fs:[00000030h]	0_2_6CD1674D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1674D mov eax, dword ptr fs:[00000030h]	0_2_6CD1674D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1674D mov eax, dword ptr fs:[00000030h]	0_2_6CD1674D
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0750 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0750
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE8770 mov eax, dword ptr fs:[00000030h]	0_2_6CCE8770
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD10710 mov eax, dword ptr fs:[00000030h]	0_2_6CD10710
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C700 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C700
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0710 mov eax, dword ptr fs:[00000030h]	0_2_6CCE0710
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD5C730 mov eax, dword ptr fs:[00000030h]	0_2_6CD5C730
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1273C mov eax, dword ptr fs:[00000030h]	0_2_6CD1273C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1273C mov ecx, dword ptr fs:[00000030h]	0_2_6CD1273C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1273C mov eax, dword ptr fs:[00000030h]	0_2_6CD1273C
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C720 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C720
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C720 mov eax, dword ptr fs:[00000030h]	0_2_6CD1C720
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD620DE mov eax, dword ptr fs:[00000030h]	0_2_6CD620DE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD220F0 mov ecx, dword ptr fs:[00000030h]	0_2_6CD220F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE80E9 mov eax, dword ptr fs:[00000030h]	0_2_6CCE80E9
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDA0E3 mov ecx, dword ptr fs:[00000030h]	0_2_6CCDA0E3
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD660E0 mov eax, dword ptr fs:[00000030h]	0_2_6CD660E0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDC0F0 mov eax, dword ptr fs:[00000030h]	0_2_6CCDC0F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE208A mov eax, dword ptr fs:[00000030h]	0_2_6CCE208A
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA60B8 mov eax, dword ptr fs:[00000030h]	0_2_6CDA60B8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CDA60B8 mov ecx, dword ptr fs:[00000030h]	0_2_6CDA60B8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCD80A0 mov eax, dword ptr fs:[00000030h]	0_2_6CCD80A0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD780A8 mov eax, dword ptr fs:[00000030h]	0_2_6CD780A8
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD66050 mov eax, dword ptr fs:[00000030h]	0_2_6CD66050
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE2050 mov eax, dword ptr fs:[00000030h]	0_2_6CCE2050
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD0C073 mov eax, dword ptr fs:[00000030h]	0_2_6CD0C073
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1A060 mov eax, dword ptr fs:[00000030h]	0_2_6CD1A060
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD64000 mov ecx, dword ptr fs:[00000030h]	0_2_6CD64000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD82000 mov eax, dword ptr fs:[00000030h]	0_2_6CD82000

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD86F80 RtlGetProcessHeaps,RtlDebugPrintTimes,

0_2_6CD86F80

Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD1C1F0 RtlSetUnhandledExceptionFilter,RtlSetUnhandledExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,		0_2_6CD1C1F0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCDB120 RtlAddVectoredExceptionHandler,		0_2_6CCDB120

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vugfefw.2.dr

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\0di3x.exe	Thread created: C:\Windows\explorer.exe EIP: 1101C28			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Thread created: unknown EIP: 8851C28			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\0di3x.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\0di3x.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vugfefw	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD76500 RtlAllocateAndInitializeSidEx,RtlAllocateHeap,

0_2_6CD76500

Source: explorer.exe, 00000002.00000000.2144986139.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2141408857.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2142913767.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2141408857.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2141408857.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2141408857.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2140801063.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD235D0 ZwCreateNamedPipeFile,

0_2_6CD235D0

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD0BC20 RtlGetSystemTimePrecise,RtlQueryPerformanceCounter,_allshl,RtlGetSystemTimePrecise,

0_2_6CD0BC20

Source: C:\Users\user\Desktop\0di3x.exe

Code function: 0_2_6CD94420 RtlVerifyVersionInfo,memset,RtlGetVersion,

0_2_6CD94420

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.0di3x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0di3x.exe.3060e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0di3x.exe.4be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.vugfefw.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0di3x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089030567.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2432729228.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2381448976.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2158409318.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.0di3x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0di3x.exe.3060e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0di3x.exe.4be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.vugfefw.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0di3x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vugfefw.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089030567.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2432729228.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2381448976.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2158409318.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2EC72 __raise_exc,WinSqmStartSqmOptinListener,	0_2_6CD2EC72
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CCE0770 WinSqmStartSqmOptinListener,	0_2_6CCE0770
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2DEAE WinSqmStartSqmOptinListener,	0_2_6CD2DEAE
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD23AD0 ZwListenPort,	0_2_6CD23AD0
Source: C:\Users\user\Desktop\0di3x.exe	Code function: 0_2_6CD2D492 WinSqmStartSqmOptinListener,WinSqmStartSqmOptinListener,_errno,WinSqmStartSqmOptinListener,_errno,	0_2_6CD2D492

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Windows Service	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 DLL Side-Loading	23 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	541 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	23 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0di3x.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
0di3x.exe