Windows Analysis Report
2019-09-02_22-41-10.exe

Overview

General Information

Sample name:2019-09-02_22-41-10.exe
Analysis ID:1597239
MD5:924aa6c26f6f43e0893a40728eac3b32
SHA1:baa9b4c895b09d315ed747b3bd087f4583aa84fc
SHA256:30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
Tags: exe, user-MrMalware

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
DLL reload attack detected
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execute Scriptlet Via Regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is attached (DbgSetDebugFilterState,NtSetDebugFilterState)
Contains functionality to inject code into remote processes
Creates processes via WMI
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (RtlQueryProcessDebugInformation/HeapInformation)
Contains functionality to communicate with device drivers
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2019-09-02_22-41-10.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\2019-09-02_22-41-10.exe" MD5: 924AA6C26F6F43E0893A40728EAC3B32)
    • 2019-09-02_22-41-10.exe (PID: 4308 cmdline: "C:\Users\user\Desktop\2019-09-02_22-41-10.exe" MD5: 924AA6C26F6F43E0893A40728EAC3B32)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • WerFault.exe (PID: 2336 cmdline: C:\Windows\system32\WerFault.exe -u -p 2580 -s 10488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • regsvr32.exe (PID: 180 cmdline: C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • tjhvihc (PID: 5288 cmdline: C:/Users/user/AppData/Roaming/tjhvihc MD5: 924AA6C26F6F43E0893A40728EAC3B32)
      • tjhvihc (PID: 6032 cmdline: C:/Users/user/AppData/Roaming/tjhvihc MD5: 924AA6C26F6F43E0893A40728EAC3B32)
        • explorer.exe (PID: 2852 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
          • WerFault.exe (PID: 2604 cmdline: C:\Windows\system32\WerFault.exe -u -p 2852 -s 7452 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 3656 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 4212 cmdline: C:\Windows\system32\WerFault.exe -u -p 3656 -s 7880 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 3680 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 4848 cmdline: C:\Windows\system32\WerFault.exe -u -p 3680 -s 6824 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 3580 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 2756 cmdline: C:\Windows\system32\WerFault.exe -u -p 3580 -s 3364 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 4332 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
No configs have been found
Memory dumps:
Source | Rule | Description | Author | Strings
0000000C.00000002.2087767658.000000000AB31000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x404:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000001.00000002.1933390239.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
0000000B.00000003.2023745878.0000000001F50000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x804:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000A.00000002.1973410922.0000000000AEB000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1a22:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.2952524704.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
(3 further entries not shown)

Unpacked PEs:
Source | Rule | Description | Author | Strings
1.2.2019-09-02_22-41-10.exe.400000.0.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
11.2.tjhvihc.400000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
1.2.2019-09-02_22-41-10.exe.400000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
10.2.tjhvihc.a715a0.1.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
0.2.2019-09-02_22-41-10.exe.9115a0.1.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
(1 further entry not shown)
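The Windows_Trojan_Smokeloader_4e31426e string $a above is worth reading rather than just matching: it is the classic 32-bit PEB walk that resolves the base of ntdll.dll without a single import, which is exactly why the static signature "PE file does not import any functions" also fires on this sample. The block below is an added example, written for this page and not Joe Security's scanner or the Elastic rule itself. It implements a small Yara-style hex-string matcher (literal bytes, `??` wildcards and `[n-m]` jumps), runs the report's string over a constructed memory dump with the signature planted at 0x404, and adds a looser variant that is my own assumption for illustration, not a published rule.

```python
"""Yara-style hex string matcher for the SmokeLoader $a string in this report.

Added example: my own code, not Joe Security's scanner and not the Elastic rule.
The "loose" variant below is an assumption made for illustration.

What the matched bytes do (32-bit, position-independent code):

    5B                    pop  ebx            ; return address -> ebx
    81 EB 34 10 00 00     sub  ebx, 0x1034    ; delta for PIC addressing
    6A 30 / 58            push 0x30 ; pop eax ; eax = 0x30 without a literal operand
    64 8B 00              mov  eax, fs:[eax]  ; PEB
    8B 40 0C              mov  eax, [eax+0Ch] ; PEB->Ldr
    8B 40 1C              mov  eax, [eax+1Ch] ; Ldr->InInitializationOrderModuleList.Flink
    8B 40 08              mov  eax, [eax+08h] ; first entry->DllBase, i.e. ntdll.dll
    89 85 C0 ..           mov  [ebp+disp32], eax (rule stops after the first disp byte)
"""
import re

SMOKELOADER_A = ("5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C "
                 "8B 40 1C 8B 40 08 89 85 C0")
# Assumed looser variant: any 16-bit delta after `sub ebx,` and up to 4 junk
# bytes between the PEB walk and the store.  Not a published rule.
SMOKELOADER_A_LOOSE = ("5B 81 EB ?? ?? 00 00 6A 30 58 64 8B 00 8B 40 0C "
                       "8B 40 1C 8B 40 08 [0-4] 89 85")
RULES = {"smokeloader_a": SMOKELOADER_A, "smokeloader_a_loose": SMOKELOADER_A_LOOSE}


def compile_hex_string(pattern: str) -> "re.Pattern[bytes]":
    """Translate a Yara hex string ('5B ?? [2-4] 6A') into a bytes regex.
    Supports literal bytes, the ?? wildcard and [n-m] / [n] jumps."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"unsupported hex-string token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, rules: dict) -> dict:
    """Return {rule_name: [offset, ...]} for every rule whose string occurs in buf."""
    hits = {}
    for name, pattern in rules.items():
        offsets = [m.start() for m in compile_hex_string(pattern).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp above: 4 KiB of NOPs with the
    signature bytes planted at 0x404, the offset the report gives for $a."""
    sig = bytes.fromhex(SMOKELOADER_A.replace(" ", ""))
    dump = bytearray(b"\x90" * 0x1000)
    dump[0x404:0x404 + len(sig)] = sig
    return bytes(dump)


if __name__ == "__main__":
    for rule, offs in scan(build_sample_dump(), RULES).items():
        print(rule, [hex(o) for o in offs])
```

On a real dump the matcher is applied to the raw `.sdmp` bytes; the offset it returns is relative to the dump, which is how Joe Sandbox reports 0x404 and 0x804 for the two regions above.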

                System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:/Users/user/AppData/Roaming/tjhvihc, CommandLine: C:/Users/user/AppData/Roaming/tjhvihc, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\tjhvihc, NewProcessName: C:\Users\user\AppData\Roaming\tjhvihc, OriginalFileName: C:\Users\user\AppData\Roaming\tjhvihc, ParentCommandLine: C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 180, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:/Users/user/AppData/Roaming/tjhvihc, ProcessId: 5288, ProcessName: tjhvihc

                Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj, CommandLine: C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj, ProcessId: 180, ProcessName: regsvr32.exe
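The two Sigma hits (the extensionless tjhvihc under System Summary and the regsvr32 scriptlet here) describe one chain: regsvr32.exe with /n /u /i:&lt;file&gt; scrobj never calls DllRegisterServer, it hands the /i: argument to scrobj.dll, which runs it as a COM scriptlet, and that scriptlet then launches a renamed copy of the sample from %APPDATA% with no file extension. The block below is an added example that re-implements the idea behind both rules over process-creation events; it is my own logic, not the published Sigma rules and not Joe Security code. The events are constructed dicts modelled on Sysmon Event ID 1 fields: three carry the command lines exactly as this report prints them, the fourth is a constructed benign regsvr32 use for contrast.

```python
"""Process-creation triage for the regsvr32 scriptlet chain in this report.

Added example, not the Sigma rules or Joe Security code.  Events are
constructed dicts (Sysmon Event ID 1 style); the benign fourth event is made up.
"""
import ntpath
import re
from typing import List, Optional, Tuple

EVENTS = [
    {"ProcessId": 180, "ParentProcessId": 1044,
     "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": "",
     "CommandLine": r'C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj'},
    {"ProcessId": 5288, "ParentProcessId": 180,
     "Image": r"C:\Users\user\AppData\Roaming\tjhvihc",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "C:/Users/user/AppData/Roaming/tjhvihc"},
    {"ProcessId": 4600, "ParentProcessId": 0,
     "Image": r"C:\Users\user\Desktop\2019-09-02_22-41-10.exe", "ParentImage": "",
     "CommandLine": r'"C:\Users\user\Desktop\2019-09-02_22-41-10.exe"'},
    {"ProcessId": 7000, "ParentProcessId": 900,   # constructed benign control
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

# Extensions treated as "normal" for a PE launched as a process (assumption).
PE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".cpl"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCRIPTLET_ARG = re.compile(r'/i:"?([^"\s]+)"?', re.IGNORECASE)


def _win(path: str) -> str:
    """Normalise forward slashes (the report shows C:/Users/... for tjhvihc)."""
    return path.replace("/", "\\")


def check_regsvr32_scriptlet(ev: dict) -> Optional[str]:
    """T1218.010: regsvr32 /i:<file> with scrobj runs a COM scriptlet from <file>.
    With /n and /u regsvr32 skips DllRegisterServer, so <file> need not be a DLL."""
    if ntpath.basename(_win(ev["Image"])).lower() != "regsvr32.exe":
        return None
    cl = ev["CommandLine"]
    m = SCRIPTLET_ARG.search(cl)
    if not (m and "scrobj" in cl.lower()):
        return None
    return f"regsvr32 scriptlet execution: /i target {m.group(1)} loaded via scrobj"


def check_suspicious_extension(ev: dict) -> Optional[str]:
    """Flag a process image without a PE extension and say why it matters here."""
    img = _win(ev["Image"])
    if ntpath.splitext(img)[1].lower() in PE_EXTENSIONS:
        return None
    reasons = [f"image {img} has no PE file extension"]
    if USER_WRITABLE.search(img):
        reasons.append("lives under a user-writable AppData path")
    if ntpath.basename(_win(ev["ParentImage"])).lower() == "regsvr32.exe":
        reasons.append("was spawned by regsvr32.exe (scriptlet stage)")
    return "; ".join(reasons)


CHECKS = (check_regsvr32_scriptlet, check_suspicious_extension)


def triage(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Run every check over every event; return (pid, check name, finding)."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev["ProcessId"], check.__name__, hit))
    return findings


if __name__ == "__main__":
    for pid, name, text in triage(EVENTS):
        print(f"[{name}] pid {pid}: {text}")
```

Run over the report's events this yields exactly two findings, PID 180 for the scriptlet launch and PID 5288 for the extensionless child, and nothing for the desktop sample or the constructed benign DLL registration. The parent link in the second finding is what turns two medium-confidence rules into one high-confidence chain.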
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2025-01-23T03:35:25.937785+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49738 | 188.40.141.211:80 | TCP
2025-01-23T03:35:34.358360+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4:49742 | 204.79.197.203:443 | TCP
2025-01-23T03:35:25.203376+0100 | 2849353 | 1 | A Network Trojan was detected | 192.168.2.4:49737 | 88.221.110.129:80 | TCP
2025-01-23T03:35:25.937785+0100 | 2838106 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49738 | 188.40.141.211:80 | TCP


                AV Detection

Source: 2019-09-02_22-41-10.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\tjhvihc | Avira: detection malicious, Label: TR/AD.Dofoil.iesi
Source: C:\Users\user\AppData\Roaming\tjhvihc | ReversingLabs: Detection: 84%
Source: 2019-09-02_22-41-10.exe | Virustotal: Detection: 79%
Source: 2019-09-02_22-41-10.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.3% probability
Source: C:\Users\user\AppData\Roaming\tjhvihc | Joe Sandbox ML: detected
Source: 2019-09-02_22-41-10.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFAE8C2 MD5Update,MD5Update,MD5Final,1_2_6CFAE8C2
Source: 2019-09-02_22-41-10.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49885 version: TLS 1.2
                Source: Binary string: C:\huzufawapijoh_fabujavonud39_mihugimosomofexepag-vatipado.pdb source: 2019-09-02_22-41-10.exe, 00000000.00000000.1695657326.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000000.00000002.1696872056.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000001.00000000.1696431506.000000000041F000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000002.00000002.1997339406.000000000CBB3000.00000004.00000001.00020000.00000000.sdmp, tjhvihc, 0000000A.00000000.1970022159.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000A.00000002.1972292048.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000B.00000000.1971431119.000000000041F000.00000002.00000001.01000000.00000009.sdmp
                Source: Binary string: wntdll.pdbUGP source: 2019-09-02_22-41-10.exe, 00000001.00000002.1933713701.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, tjhvihc, 0000000B.00000002.2953296719.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdb source: 2019-09-02_22-41-10.exe, 2019-09-02_22-41-10.exe, 00000001.00000002.1933713701.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, tjhvihc, 0000000B.00000002.2953296719.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp
                Source: Binary string: EC:\huzufawapijoh_fabujavonud39_mihugimosomofexepag-vatipado.pdb.pdb source: 2019-09-02_22-41-10.exe, 00000000.00000000.1695657326.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000000.00000002.1696872056.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000001.00000000.1696431506.000000000041F000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000002.00000002.1997339406.000000000CBB3000.00000004.00000001.00020000.00000000.sdmp, tjhvihc, 0000000A.00000000.1970022159.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000A.00000002.1972292048.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000B.00000000.1971431119.000000000041F000.00000002.00000001.01000000.00000009.sdmp

                Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 188.40.141.211:80
Source: Network traffic | Suricata IDS: 2838106 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 16 : 192.168.2.4:49738 -> 188.40.141.211:80
Source: Network traffic | Suricata IDS: 2849353 - Severity 1 - ETPRO MALWARE Observed SmokeLoader Style Connectivity Check M3 : 192.168.2.4:49737 -> 88.221.110.129:80
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: C:\Windows\explorer.exe | Network Connect: 88.221.110.129 80
Source: C:\Windows\explorer.exe | Network Connect: 204.79.197.203 443
Source: global traffic | HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=9DD1BA37-DF10-411E-AE41-4DA490675502&user=m-e6776d2110ea4a81b6fa19d69bab58ec HTTP/1.1 | Host: api.msn.com
Source: global traffic | HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=50C9FC9D-E8D2-46FC-8D9D-C51F33B3762D&user=m-82ecdeb1617f4f94b2a1511e8a9205ec HTTP/1.1 | Host: api.msn.com | Cookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=6791aaf668f24ad78ac75d3df62419b6.RefC=2025-01-23T02:35:34Z; MUIDB=1A84DC9C04C567843F46C9E105E066EE; _EDGE_V=1; MUID=1A84DC9C04C567843F46C9E105E066EE
Source: global traffic | HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=38F86BCD-3AD1-4AA4-8231-3C0A28AB6B21&user=m-6f021783ddf943e8b00733e5e5573295 HTTP/1.1 | Host: api.msn.com | Cookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=6791aaf668f24ad78ac75d3df62419b6.RefC=2025-01-23T02:35:34Z; MUIDB=1A84DC9C04C567843F46C9E105E066EE; _EDGE_V=1; MUID=1A84DC9C04C567843F46C9E105E066EE
Source: global traffic | HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=B385FF40-2773-4B56-9BB5-B0752DFF073F&user=m-7ecdd41c26b54d00aa8c13486a12a0fd HTTP/1.1 | Host: api.msn.com | Cookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=6791aaf668f24ad78ac75d3df62419b6.RefC=2025-01-23T02:35:34Z; MUIDB=1A84DC9C04C567843F46C9E105E066EE; _EDGE_V=1; MUID=1A84DC9C04C567843F46C9E105E066EE
Source: global traffic | HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=F781B0AD-D872-46D2-BAF4-B59932A1C8D9&user=m-3420120899fc4bd88b574668b2c200c6 HTTP/1.1 | Host: api.msn.com | Cookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=6791aaf668f24ad78ac75d3df62419b6.RefC=2025-01-23T02:35:34Z; MUIDB=1A84DC9C04C567843F46C9E105E066EE; _EDGE_V=1; MUID=1A84DC9C04C567843F46C9E105E066EE
Source: global traffic | HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=48541954-9F2E-4389-87ED-7696F7988BA3&user=m-31c38395dea34931a7458084e1d5f092 HTTP/1.1 | Host: api.msn.com | Cookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=6791aaf668f24ad78ac75d3df62419b6.RefC=2025-01-23T02:35:34Z; MUIDB=1A84DC9C04C567843F46C9E105E066EE; _EDGE_V=1; MUID=1A84DC9C04C567843F46C9E105E066EE
Source: Joe Sandbox View | IP Address: 188.40.141.211
Source: Joe Sandbox View | IP Address: 204.79.197.203
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 204.79.197.203:443
Source: global traffic | HTTP traffic detected: GET /ncsi.txt HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: www.msftncsi.com
Source: global traffic | HTTP traffic detected: POST /logstatx77/ HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://advertserv25.world/logstatx77/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 157 | Host: advertserv25.world
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic | DNS traffic detected: DNS query: www.msftncsi.com
Source: global traffic | DNS traffic detected: DNS query: advertserv25.world
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: unknown | HTTP traffic detected: POST /logstatx77/ HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://advertserv25.world/logstatx77/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 157 | Host: advertserv25.world
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 7 | Content-Type: application/octet-stream | Date: Thu, 23 Jan 2025 02:35:25 GMT | Data Raw: 03 00 00 00 65 64 04 | Data Ascii: ed
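The POST to advertserv25.world and its 404 reply are the C2 pattern the Malpedia description refers to: the server answers "Not Found" but still returns an application/octet-stream body (7 bytes here), so a proxy or analyst who only looks at status codes sees a failed request. The block below is an added example, my own code and not Joe Security's; it parses the request and response exactly as the headers above show them and scores the pair. The POST body is a 157-byte placeholder because the report does not reproduce it; the 7 response bytes are the ones shown (03 00 00 00 65 64 04), with no claim made here about what they encode.

```python
"""Parse and score the advertserv25.world exchange from this report.

Added example, not Joe Security code.  REQUEST/RESPONSE are rebuilt from the
headers the report prints; the POST body is a placeholder of the right length.
"""
from dataclasses import dataclass
from typing import Dict, List

REQUEST = (
    b"POST /logstatx77/ HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://advertserv25.world/logstatx77/\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Length: 157\r\n"
    b"Host: advertserv25.world\r\n"
    b"\r\n" + b"X" * 157        # placeholder body; the real form data is not in the report
)
RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.18.0\r\n"
    b"Content-Length: 7\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Date: Thu, 23 Jan 2025 02:35:25 GMT\r\n"
    b"\r\n"
    b"\x03\x00\x00\x00\x65\x64\x04"   # the 7 bytes shown as "Data Raw" above
)


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Minimal HTTP/1.1 message parser: one message per buffer, no chunked encoding."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return HttpMessage(lines[0], headers, rest[:length])


def score_exchange(req: HttpMessage, resp: HttpMessage) -> List[str]:
    """Return the reasons this request/response pair looks like SmokeLoader C2."""
    reasons = []
    method, path, _ = req.start_line.split(" ", 2)
    status = int(resp.start_line.split(" ")[1])
    ctype = resp.headers.get("content-type", "")
    if method == "POST" and status == 404 and resp.body:
        reasons.append(f"404 Not Found that still carries a {len(resp.body)}-byte body")
    if status >= 400 and ctype == "application/octet-stream":
        reasons.append("binary Content-Type on an error response")
    self_url = f"http://{req.headers.get('host', '')}{path}"
    if req.headers.get("referer") == self_url:
        reasons.append("Referer equals the POST URL itself (no navigation preceded it)")
    return reasons


if __name__ == "__main__":
    req, resp = parse_http(REQUEST), parse_http(RESPONSE)
    print("response body:", resp.body.hex(" "))
    for r in score_exchange(req, resp):
        print("-", r)
```

The same request against an ordinary 404 (text/html, empty body) keeps only the self-referencing Referer, which on its own is weak; the octet-stream body on an error status is the part worth alerting on, and the Suricata SIDs 2039103 and 2838106 above fire on this same flow.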
                Source: explorer.exe, 00000002.00000002.1983339384.0000000009977000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world/
                Source: explorer.exe, 00000002.00000002.1983339384.0000000009977000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C544000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world/logstatx77/
                Source: explorer.exe, 00000002.00000002.1997339406.000000000CB9F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world/logstatx77/%
                Source: explorer.exe, 00000002.00000002.1997339406.000000000CB24000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world/logstatx77/ahsH
                Source: explorer.exe, 00000002.00000002.1997339406.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world/logstatx77/application/x-www-form-urlencodedMozilla/5.0
                Source: explorer.exe, 00000002.00000002.1977661134.00000000079D3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world/logstatx77/s
                Source: explorer.exe, 00000002.00000002.1997339406.000000000CB9F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://advertserv25.world:80/logstatx77/cccccccccbbbbbbbbbbbbbbbbbaaaaaaaaaaaa
                Source: explorer.exe, 00000002.00000002.1980816073.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1752635070.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007E60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: explorer.exe, 00000019.00000003.2197466136.000000000854A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.000000000854A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.000000000854A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2194648578.000000000854A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2183467407.000000000854A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2186187254.000000000854A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.
                Source: explorer.exe, 00000002.00000002.1980816073.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1752635070.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007E60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: explorer.exe, 00000002.00000002.1980816073.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1752635070.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007E60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: explorer.exe, 00000013.00000003.2085798108.0000000004F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/Mic
                Source: explorer.exe, 0000001F.00000002.2342042078.000000000508A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.a)/~;b
                Source: explorer.exe, 0000001F.00000002.2342042078.000000000508A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.ad
                Source: explorer.exe, 00000013.00000003.2085798108.0000000004F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.
                Source: explorer.exe, 00000013.00000003.2085798108.0000000004F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c
                Source: explorer.exe, 0000001F.00000002.2342042078.000000000508A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.cj/
                Source: explorer.exe, 00000002.00000002.1980816073.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1752635070.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007E60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: explorer.exe, 00000002.00000000.1750070183.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                Source: explorer.exe, 00000002.00000002.1983800237.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1750901623.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.1979663097.0000000008720000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                Source: explorer.exe, 0000000C.00000003.2037942532.0000000008121000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035031048.000000000811E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033654829.0000000008103000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000008121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                Source: explorer.exe, 00000002.00000002.1994112999.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftncsi.com/
                Source: explorer.exe, 00000002.00000002.1994112999.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1980816073.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftncsi.com/ncsi.txt
                Source: explorer.exe, 00000002.00000002.1983339384.0000000009977000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftncsi.com:80/ncsi.txt6
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                Source: explorer.exe, 00000002.00000002.1977661134.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2156620458.000000000958F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B91000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2251894144.0000000009299000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2253150257.00000000092A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
                Source: explorer.exe, 0000001F.00000003.2251894144.0000000009299000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2253150257.00000000092A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm
                Source: explorer.exe, 0000000C.00000002.2075525076.0000000006D19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm2
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmass
                Source: explorer.exe, 00000013.00000002.2156620458.000000000958F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirml9(
                Source: explorer.exe, 00000002.00000002.1977661134.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 0000001F.00000003.2276609803.0000000009446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 0000001F.00000003.2278949396.0000000009339000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2276507633.000000000950F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2330982322.00000000013E0000.00000004.00000001.00040000.00000000.sdmp, explorer.exe, 0000001F.00000003.2276609803.00000000093EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 0000000C.00000003.2036616353.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035148568.0000000007FD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2039871787.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033654829.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007FB4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2040864733.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2038132457.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2119773130.00000000097EF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2156620458.00000000097EF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2185909456.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000083BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197699536.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2192587202.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2276609803.0000000009361000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                Source: explorer.exe, 00000019.00000003.2200467953.000000000843E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000083BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2193784622.000000000840E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197699536.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2194757901.000000000843E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2192587202.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2198317857.000000000843E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2184609024.000000000840E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/~
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2036616353.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035148568.0000000007FD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2039871787.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033654829.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007FB4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2040864733.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2038132457.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2184122041.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197466136.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2194571645.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2193784622.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2280714473.00000000093F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 00000013.00000002.2156620458.0000000009677000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2119773130.00000000096CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?x
                Source: explorer.exe, 0000000C.00000003.2036616353.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035148568.0000000007FD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2039871787.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033654829.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007FB4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2040864733.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2038132457.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000083BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2193784622.000000000840E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197699536.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2192587202.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2184609024.000000000840E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                Source: explorer.exe, 00000013.00000002.2156620458.0000000009677000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2119773130.00000000096CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com;
                Source: explorer.exe, 0000001F.00000002.2326063084.00000000012E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comQ
                Source: explorer.exe, 00000002.00000000.1752635070.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1980816073.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/V
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crya
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2117Image.p~
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.que
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF
                Source: explorer.exe, 00000002.00000000.1750070183.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                Source: explorer.exe, 00000002.00000000.1750070183.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                Source: explorer.exe, 00000019.00000003.2191296952.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2330982322.00000000013E0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2276609803.00000000094C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2280347362.00000000094B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                Source: explorer.exe, 0000000C.00000003.2036343546.00000000081A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033457417.00000000081A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.come
                Source: explorer.exe, 00000013.00000002.2156620458.000000000958F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.como
                Source: explorer.exe, 00000019.00000003.2199750347.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197466136.00000000084FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comv
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12I8
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAA1cYC.img
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAWSRJq.img
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                Source: explorer.exe, 00000002.00000000.1750070183.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entiw
                Source: explorer.exe, 00000019.00000003.2199750347.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197466136.00000000084FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                Source: explorer.exe, 0000001F.00000003.2276609803.00000000094C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2280347362.00000000094B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.comP
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
                Source: explorer.exe, 0000000C.00000003.2036343546.00000000081A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033457417.00000000081A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.comers
                Source: explorer.exe, 00000013.00000003.2123617769.0000000009860000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2119192665.0000000009860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
                Source: explorer.exe, 0000001F.00000003.2280714473.000000000949D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2276609803.000000000949D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com&
                Source: explorer.exe, 00000019.00000003.2196800170.00000000083BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.00000000083B3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197699536.0000000008402000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000083B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comK
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
                Source: explorer.exe, 0000000C.00000003.2036616353.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035148568.0000000007FD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2039871787.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033654829.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.0000000007FB4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2040864733.0000000007FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2038132457.0000000007FCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.come
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
                Source: explorer.exe, 00000013.00000003.2119192665.0000000009860000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2120504014.0000000009879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://word.offic
                Source: explorer.exe, 00000002.00000000.1755067418.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1994112999.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2199750347.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2196800170.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2234296584.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000003.2197466136.00000000084FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2276609803.00000000094C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2280347362.00000000094B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
                Source: explorer.exe, 0000000C.00000003.2036343546.00000000081A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033457417.00000000081A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com;
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
                Source: explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/com
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/how-much-are-two-dollar
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/new%
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/full-list-of-house-republicans-seeking-to-oust-kevin
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
                Source: explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/how-montgomery-county-s-oldest-tree-is-getting-new-life-in-the-com
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
                Source: explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
                Source: explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us6
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
                Source: explorer.exe, 00000002.00000002.1977661134.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1750070183.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1983411940.0000000006D4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2154588043.0000000007920000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.2231498496.0000000007B26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49885
                Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
                Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
                Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
                Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49745 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49748 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49761 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49820 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49885 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 1.2.2019-09-02_22-41-10.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.tjhvihc.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.2019-09-02_22-41-10.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.tjhvihc.a715a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.2019-09-02_22-41-10.exe.9115a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.tjhvihc.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.1933390239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2952524704.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 0000000C.00000002.2087767658.000000000AB31000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 0000000B.00000003.2023745878.0000000001F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 0000000A.00000002.1973410922.0000000000AEB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.1697423572.000000000096C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000001.00000003.1767242540.0000000002050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000002.00000002.1979742507.00000000087C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00910110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_00910110
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401A27 CreateFileMappingW,MapViewOfFile,NtUnmapViewOfSection,NtTerminateProcess,1_2_00401A27
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401AA8 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401AA8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401FA5 NtEnumerateKey,1_2_00401FA5
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00402075 NtEnumerateKey,1_2_00402075
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_004016C0 Sleep,GetVolumeInformationA,CreateFileMappingW,MapViewOfFile,NtUnmapViewOfSection,1_2_004016C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401AD2 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401AD2
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401ADD ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401ADD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401AE1 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401AE1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401AB3 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401AB3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B02 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B02
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B06 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B06
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B0A ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B0A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B10 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B19 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B19
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B22 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B22
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B26 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B26
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B2F ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B2F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401B34 ZwFreeVirtualMemory,NtTerminateProcess,1_2_00401B34
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00401BF9 NtTerminateProcess,1_2_00401BF9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C70 ZwFreeVirtualMemory,LdrInitializeThunk,1_2_6CF62C70
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C0A NtQueryInformationProcess,LdrInitializeThunk,1_2_6CF62C0A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62DF0 ZwQuerySystemInformation,LdrInitializeThunk,1_2_6CF62DF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62DB0 ZwEnumerateKey,LdrInitializeThunk,1_2_6CF62DB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D30 ZwUnmapViewOfSection,LdrInitializeThunk,1_2_6CF62D30
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D10 ZwMapViewOfSection,LdrInitializeThunk,1_2_6CF62D10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62F30 ZwCreateSection,LdrInitializeThunk,1_2_6CF62F30
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62BF0 ZwAllocateVirtualMemory,LdrInitializeThunk,1_2_6CF62BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62B90 ZwOpenKey,LdrInitializeThunk,1_2_6CF62B90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF52CF0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx,1_2_6CF52CF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62CF0 ZwOpenProcess,1_2_6CF62CF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62CE0 ZwQueryInformationThread,1_2_6CF62CE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62CD0 ZwOpenThreadToken,1_2_6CF62CD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF78CD0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,1_2_6CF78CD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFBACD0 RtlQueryCriticalSectionOwner,ZwReadVirtualMemory,RtlQueryCriticalSectionOwner,1_2_6CFBACD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFAACC8 ZwClose,ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,1_2_6CFAACC8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62CC0 ZwQueryVirtualMemory,1_2_6CF62CC0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1CCC8 memset,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,RtlInitUnicodeString,RtlCultureNameToLCID,RtlInitUnicodeString,RtlCultureNameToLCID,1_2_6CF1CCC8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF0CC0 EtwRegisterSecurityProvider,ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,1_2_6CFF0CC0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF48CB1 RtlInitUnicodeString,ZwQueryLicenseValue,RtlAllocateHeap,ZwQueryLicenseValue,RtlFreeHeap,1_2_6CF48CB1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62CB0 ZwRequestWaitReplyPort,1_2_6CF62CB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD0CB5 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,1_2_6CFD0CB5
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62CA0 ZwQueryInformationToken,1_2_6CF62CA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF9CCA0 RtlAppxIsFileOwnedByTrustedInstaller,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlGetOwnerSecurityDescriptor,RtlCreateServiceSid,RtlAllocateHeap,RtlCreateServiceSid,RtlEqualSid,RtlFreeHeap,RtlFreeHeap,1_2_6CF9CCA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA6CA0 RtlCreateQueryDebugBuffer,ZwCreateSection,ZwMapViewOfSection,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,ZwFreeVirtualMemory,ZwFreeVirtualMemory,ZwUnmapViewOfSection,ZwClose,1_2_6CFA6CA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C90 ZwReleaseMutant,1_2_6CF62C90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C80 ZwImpersonateClientOfPort,1_2_6CF62C80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF18C8D RtlFreeHeap,ZwSetEvent,ZwAlertThreadByThreadId,1_2_6CF18C8D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C60 ZwCreateKey,1_2_6CF62C60
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1EC6B RtlGetSuiteMask,TpSetPoolWorkerThreadIdleTimeout,TpSetPoolMaxThreads,NtLockProductActivationKeys,TpAllocWork,1_2_6CF1EC6B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFAEC65 ZwWow64CsrCaptureMessageString,1_2_6CFAEC65
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF2AC50 LdrpResGetMappingSize,RtlImageNtHeaderEx,ZwQueryVirtualMemory,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,1_2_6CF2AC50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C50 ZwSetInformationProcess,1_2_6CF62C50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C40 ZwWriteFileGather,1_2_6CF62C40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF64C40 RtlUnhandledExceptionFilter,ZwTerminateProcess,1_2_6CF64C40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C30 ZwWaitForMultipleObjects32,1_2_6CF62C30
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF64C30 RtlUnhandledExceptionFilter,ZwTerminateProcess,1_2_6CF64C30
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC4C34 RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlCultureNameToLCID,RtlAllocateHeap,RtlReAllocateHeap,memcpy,memset,ZwQueryDirectoryFile,ZwClose,RtlFreeHeap,RtlFreeHeap,1_2_6CFC4C34
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1EC20 TpSetPoolWorkerThreadIdleTimeout,ZwSetInformationWorkerFactory,1_2_6CF1EC20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5AC00 RtlpCheckDynamicTimeZoneInformation,memcmp,ZwClose,1_2_6CF5AC00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C00 ZwQueryInformationProcess,1_2_6CF62C00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC0DF0 RtlCheckBootStatusIntegrity,ZwReadFile,RtlAllocateHeap,ZwReadFile,RtlFreeHeap,1_2_6CFC0DF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFCADF0 RtlConnectToSm,RtlInitUnicodeString,memset,memcpy,ZwAlpcConnectPort,1_2_6CFCADF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF40DE1 RtlAcquireSRWLockExclusive,RtlAllocateHeap,memcpy,ZwSetInformationProcess,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_6CF40DE1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62DE0 ZwQueryDirectoryFile,1_2_6CF62DE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD6DE0 RtlIsPartialPlaceholderFileHandle,ZwQueryInformationFile,1_2_6CFD6DE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62DD0 ZwDelayExecution,1_2_6CF62DD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4EDD3 RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,1_2_6CF4EDD3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA4DD7 DbgPrint,DbgPrompt,ZwTerminateThread,ZwTerminateProcess,DbgPrint,1_2_6CFA4DD7
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62DC0 ZwOpenFile,1_2_6CF62DC0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF4DC4 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,1_2_6CFF4DC4
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5CDB1 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwQueryInformationProcess,RtlRaiseStatus,RtlFreeHeap,LdrControlFlowGuardEnforced,RtlFreeHeap,1_2_6CF5CDB1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFB0DB0 RtlSetImageMitigationPolicy,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,ZwOpenKey,ZwDeleteValueKey,ZwDeleteValueKey,ZwQueryValueKey,memcpy,ZwSetValueKey,RtlSetImageMitigationPolicy,ZwClose,1_2_6CFB0DB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF28DA4 RtlInitializeCriticalSectionEx,ZwDelayExecution,1_2_6CF28DA4
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62DA0 ZwQueryPerformanceCounter,1_2_6CF62DA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D90 ZwOpenProcessTokenEx,1_2_6CF62D90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D80 ZwOpenThreadTokenEx,1_2_6CF62D80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA8D87 RtlAppendUnicodeStringToString,ZwOpenKey,1_2_6CFA8D87
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF40D77 ZwProtectVirtualMemory,1_2_6CF40D77
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D70 ZwReadFileScatter,1_2_6CF62D70
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D60 ZwSetEventBoostPriority,1_2_6CF62D60
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D50 ZwTerminateProcess,1_2_6CF62D50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF20D59 memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,1_2_6CF20D59
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5CD47 ZwCancelWaitCompletionPacket,RtlDebugPrintTimes,1_2_6CF5CD47
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D40 ZwReplyWaitReceivePortEx,1_2_6CF62D40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA4D39 RtlReportSilentProcessExit,ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,ZwTerminateProcess,1_2_6CFA4D39
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC8D31 RtlInitUnicodeString,memset,RtlAppendUnicodeStringToString,RtlAppendUnicodeStringToString,ZwOpenKey,ZwQueryValueKey,_allmul,ZwClose,1_2_6CFC8D31
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D20 ZwAccessCheckAndAuditAlarm,1_2_6CF62D20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFAAD20 ZwDuplicateObject,ZwDuplicateObject,1_2_6CFAAD20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD6D21 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,1_2_6CFD6D21
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF16D10 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,LdrQueryImageFileKeyOption,1_2_6CF16D10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF78D10 RtlRaiseStatus,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,1_2_6CF78D10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62D00 ZwSetInformationFile,1_2_6CF62D00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF0D00 EtwWriteUMSecurityEvent,ZwTraceEvent,RtlNtStatusToDosError,1_2_6CFF0D00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62EF0 ZwYieldExecution,1_2_6CF62EF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF0EF0 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,1_2_6CFF0EF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62EE0 ZwQueueApcThread,1_2_6CF62EE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62ED0 ZwQueryDefaultUILanguage,1_2_6CF62ED0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62EC0 ZwContinue,1_2_6CF62EC0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62EB0 ZwDuplicateToken,1_2_6CF62EB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFBAEB0 RtlpNotOwnerCriticalSection,DbgPrintEx,ZwQueryInformationProcess,RtlRaiseStatus,RtlRaiseStatus,RtlDebugPrintTimes,RtlpNotOwnerCriticalSection,1_2_6CFBAEB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62EA0 ZwAdjustPrivilegesToken,1_2_6CF62EA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFACEA0 LdrAddDllDirectory,RtlDetermineDosPathNameType_U,ZwQueryAttributesFile,RtlFreeHeap,RtlAllocateHeap,memcpy,RtlAcquireSRWLockExclusive,@_EH4_CallFilterFunc@8,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,LdrAddDllDirectory,1_2_6CFACEA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1AE90 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,TpReleasePool,1_2_6CF1AE90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E90 ZwOpenEvent,1_2_6CF62E90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC8E90 memcpy,ZwUnmapViewOfSection,ZwMapViewOfSection,memcpy,1_2_6CFC8E90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E80 ZwReadVirtualMemory,1_2_6CF62E80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26E71 RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,1_2_6CF26E71
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA0E7F RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,1_2_6CFA0E7F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E70 ZwClearEvent,1_2_6CF62E70
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFEAE75 ZwFreeVirtualMemory,RtlAcquireSRWLockExclusive,RtlRbRemoveNode,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,1_2_6CFEAE75
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDEE6D memset,ZwCreateSection,ZwClose,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwUnmapViewOfSection,ZwClose,1_2_6CFDEE6D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF8E6C memset,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,memset,ZwGetContextThread,1_2_6CFF8E6C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E60 ZwQueryAttributesFile,1_2_6CF62E60
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF54E50 RtlDecodePointer,RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,1_2_6CF54E50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF56E50 RtlAdjustPrivilege,ZwOpenProcessToken,ZwAdjustPrivilegesToken,ZwClose,ZwOpenThreadToken,RtlAdjustPrivilege,1_2_6CF56E50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E50 ZwDuplicateObject,1_2_6CF62E50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA6E50 RtlDestroyQueryDebugBuffer,ZwClose,ZwUnmapViewOfSection,1_2_6CFA6E50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4E52 ZwAlertThreadByThreadId,1_2_6CFF4E52
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4E4D ZwQueryPerformanceCounter,RtlRandomEx,1_2_6CFD4E4D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDCE4E memset,memset,memset,ZwQueryInstallUILanguage,ZwIsUILanguageComitted,RtlLCIDToCultureName,ZwQueryValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,RtlInitUnicodeString,ZwQueryValueKey,ZwEnumerateValueKey,RtlCompareUnicodeStrings,RtlCompareUnicodeStrings,1_2_6CFDCE4E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E40 ZwCloseObjectAuditAlarm,1_2_6CF62E40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE0E3D ZwQuerySystemInformation,1_2_6CFE0E3D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E30 ZwWriteVirtualMemory,1_2_6CF62E30
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E20 ZwFsControlFile,1_2_6CF62E20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64E20 KiUserApcDispatcher,RtlDebugPrintTimes,RtlDebugPrintTimes,ZwContinue,RtlRaiseStatus,1_2_6CF64E20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E10 ZwQueryTimer,1_2_6CF62E10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAEE10 AlpcAdjustCompletionListConcurrencyCount,ZwAlpcSetInformation,1_2_6CFAEE10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF18E1D RtlFreeHeap,ZwSetEvent,ZwClose,1_2_6CF18E1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA8E16 ZwOpenProcessTokenEx,ZwQueryInformationToken,ZwClose,RtlConvertSidToUnicodeString,1_2_6CFA8E16
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9CE16 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,1_2_6CF9CE16
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58E1A RtlReleaseActivationContext,LdrUnloadDll,ZwClose,RtlFreeHeap,1_2_6CF58E1A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62E00 ZwOpenSection,1_2_6CF62E00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF60FF6 RtlAllocateHeap,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlFreeHeap,1_2_6CF60FF6
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF54FF1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,1_2_6CF54FF1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62FF0 ZwQueryEvent,1_2_6CF62FF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62FE0 ZwCreateFile,1_2_6CF62FE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4FE7 RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFF4FE7
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA6FE0 RtlQueryProcessDebugInformation,memset,ZwOpenProcess,ZwOpenProcess,RtlWow64GetProcessMachines,ZwClose,ZwClose,ZwWow64CallFunction64,RtlpQueryProcessDebugInformationRemote,ZwWaitForSingleObject,ZwQueryInformationThread,ZwTerminateThread,ZwClose,ZwClose,RtlQueryProcessBackTraceInformation,RtlQueryProcessLockInformation,RtlQueryProcessHeapInformation,ZwClose,1_2_6CFA6FE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62FD0 ZwReadRequestData,1_2_6CF62FD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1EFD8 RtlRunOnceExecuteOnce,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,1_2_6CF1EFD8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDAFD0 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,1_2_6CFDAFD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFBAFCE ZwQueryInformationProcess,RtlRaiseStatus,RtlCaptureContext,ZwQueryInformationProcess,RtlRaiseException,1_2_6CFBAFCE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62FC0 ZwTerminateThread,1_2_6CF62FC0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62FB0 ZwResumeThread,1_2_6CF62FB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5AFB8 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,ZwEnumerateValueKey,DbgPrint,ZwDeleteValueKey,RtlDebugPrintTimes,ZwDeleteValueKey,DbgPrint,ZwClose,1_2_6CF5AFB8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62FA0 ZwQuerySection,1_2_6CF62FA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F90 ZwProtectVirtualMemory,1_2_6CF62F90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF52F98 memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose,1_2_6CF52F98
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F80 ZwIsProcessInJob,1_2_6CF62F80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64F80 KiUserExceptionDispatcher,RtlDebugPrintTimes,ZwContinue,ZwRaiseException,RtlRaiseException,1_2_6CF64F80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF0F88 ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,1_2_6CFF0F88
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF6F80 PssNtFreeRemoteSnapshot,ZwReadVirtualMemory,ZwFreeVirtualMemory,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwFreeVirtualMemory,1_2_6CFF6F80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAAF7A ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,1_2_6CFAAF7A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F70 ZwCreateThread,1_2_6CF62F70
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F60 ZwCreateProcessEx,1_2_6CF62F60
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4F68 RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFF4F68
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFCAF60 RtlSendMsgToSm,ZwAlpcSendWaitReceivePort,1_2_6CFCAF60
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4F5C ZwTerminateProcess,1_2_6CFF4F5C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F50 ZwApphelpCacheControl,1_2_6CF62F50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC0F50 RtlCreateBootStatusDataFile,RtlInitUnicodeString,RtlInitUnicodeString,ZwCreateFile,ZwWriteFile,RtlRestoreBootStatusDefaults,ZwClose,RtlFreeHeap,1_2_6CFC0F50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD6F50 RtlIsCurrentThread,ZwCompareObjects,1_2_6CFD6F50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58F40 RtlUnwind,ZwContinue,RtlUnwind,RtlRaiseException,RtlRaiseException,RtlRaiseException,ZwContinue,ZwRaiseException,1_2_6CF58F40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F40 ZwFlushBuffersFile,1_2_6CF62F40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F20 ZwQueryVolumeInformationFile,1_2_6CF62F20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD6F20 RtlIsCurrentProcess,ZwCompareObjects,1_2_6CFD6F20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F10 ZwCreateEvent,1_2_6CF62F10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64F10 KiUserCallbackDispatcher,RtlDebugPrintTimes,RtlDebugPrintTimes,ZwCallbackReturn,RtlRaiseStatus,1_2_6CF64F10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF60F04 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,1_2_6CF60F04
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62F00 ZwAddAtom,1_2_6CF62F00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC0F00 RtlCheckSystemBootStatusIntegrity,ZwPowerInformation,1_2_6CFC0F00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4F00 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,ZwQueryPerformanceCounter,ZwQueryPerformanceCounter,1_2_6CFD4F00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 RtlDetermineDosPathNameType_U,RtlDetermineDosPathNameType_U,ZwTerminateProcess,ZwWaitForAlertByThreadId,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlGetCurrentServiceSessionId,RtlCreateUnicodeString,RtlCreateUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF648F0 ZwWow64ReadVirtualMemory64,1_2_6CF648F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1E8E0 RtlQueryWnfStateData,_alloca_probe_16,ZwQueryWnfStateData,RtlDebugPrintTimes,1_2_6CF1E8E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF648E0 ZwWow64AllocateVirtualMemory64,1_2_6CF648E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF568EF ZwUnmapViewOfSection,1_2_6CF568EF
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF648D0 ZwWow64QueryInformationProcess64,1_2_6CF648D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF648C0 ZwWow64GetNativeSystemInformation,1_2_6CF648C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C8B7 ZwTraceControl,1_2_6CF5C8B7
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF648B0 ZwWow64GetCurrentProcessorNumberEx,1_2_6CF648B0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF648A0 ZwWow64DebuggerCall,1_2_6CF648A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64890 ZwWow64CsrVerifyRegion,1_2_6CF64890
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC89D RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFAC89D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20887 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,ZwSubscribeWnfStateChange,RtlGetCurrentServiceSessionId,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,1_2_6CF20887
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64880 ZwWow64CsrGetProcessId,1_2_6CF64880
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4887 ZwSetInformationWorkerFactory,1_2_6CFF4887
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64870 ZwWow64CsrCaptureMessageString,1_2_6CF64870
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64860 ZwWow64CsrCaptureMessageBuffer,1_2_6CF64860
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE685D ZwGetCurrentProcessorNumber,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,1_2_6CFE685D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFBA85E RtlInitializeSid,ZwQueryInformationToken,RtlSidDominates,RtlSidDominates,ZwPrivilegeCheck,1_2_6CFBA85E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64850 ZwWow64CsrAllocateMessagePointer,1_2_6CF64850
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64840 ZwWow64CsrFreeCaptureBuffer,1_2_6CF64840
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE0840 ZwCreateSection,ZwMapViewOfSection,memset,memcpy,ZwUnmapViewOfSection,ZwClose,1_2_6CFE0840
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64830 ZwWow64CsrAllocateCaptureBuffer,1_2_6CF64830
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2E820 RtlLeaveCriticalSection,RtlpNotOwnerCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,RtlRaiseStatus,LdrRscIsTypeExist,1_2_6CF2E820
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF56820 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,1_2_6CF56820
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64820 ZwWow64CsrClientCallServer,1_2_6CF64820
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64810 ZwWow64CsrIdentifyAlertableThread,1_2_6CF64810
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC810 RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFAC810
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64800 ZwWow64CsrClientConnectToServer,1_2_6CF64800
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF60800 ZwAllocateVirtualMemory,memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,1_2_6CF60800
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAA800 RtlEncodeRemotePointer,ZwQueryInformationProcess,1_2_6CFAA800
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF529F9 DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap,1_2_6CF529F9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF249FF ZwSetInformationWorkerFactory,1_2_6CF249FF
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE29F3 ZwAllocateVirtualMemoryEx,1_2_6CFE29F3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAA9E0 RtlReportExceptionEx,RtlReportException,ZwDuplicateObject,ZwDuplicateObject,memset,ZwTerminateProcess,1_2_6CFAA9E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAE9E0 RtlComputeImportTableHash,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,RtlAddressInSectionTable,RtlAllocateHeap,ZwUnmapViewOfSection,RtlFlushSecureMemoryCache,ZwUnmapViewOfSection,1_2_6CFAE9E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB69C0 RtlGetSessionProperties,RtlGetCurrentServiceSessionId,ZwQueryInformationJobObject,1_2_6CFB69C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA49B8 ZwQueryInformationProcess,ZwMapViewOfSection,ZwClose,1_2_6CFA49B8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF629B3 ZwWaitForAlertByThreadId,1_2_6CF629B3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC89B4 ZwOpenKey,ZwQueryValueKey,ZwClose,1_2_6CFC89B4
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A9A0 RtlReleaseResource,ZwReleaseSemaphore,RtlRaiseStatus,ZwQueryValueKey,ZwReleaseSemaphore,RtlRaiseStatus,ZwClose,1_2_6CF5A9A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFEA987 ZwQueryVirtualMemory,ZwProtectVirtualMemory,1_2_6CFEA987
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC97C RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFAC97C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD6970 RtlInitializeContext,ZwWriteVirtualMemory,1_2_6CFD6970
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF46962 ZwQueryInformationToken,RtlFindAceByType,RtlFindAceByType,RtlFindAceByType,RtlAllocateHeap,memcpy,memcpy,memcpy,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlCreateSecurityDescriptor,RtlFreeHeap,RtlCreateAcl,RtlAddMandatoryAce,RtlFreeHeap,memcpy,RtlFreeHeap,RtlSidDominates,RtlFreeHeap,RtlFreeHeap,RtlFindAceByType,ZwDuplicateToken,ZwAccessCheck,ZwClose,ZwPrivilegeCheck,ZwPrivilegeCheck,RtlFreeHeap,memset,memset,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_6CF46962
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6096E memset,memset,ZwQuerySystemInformation,ZwQueryInformationThread,ZwQueryInformationThread,ZwQuerySystemInformation,RtlAllocateHeap,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memcpy,memcpy,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memset,ZwWriteFile,RtlFreeHeap,ZwClose,ZwReadFile,ZwWriteFile,RtlQueryPerformanceCounter,RtlQueryPerformanceCounter,memcpy,ZwQueryVolumeInformationFile,ZwSetInformationFile,1_2_6CF6096E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4096D ZwWow64IsProcessorFeaturePresent,1_2_6CF4096D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF6940 PssNtCaptureSnapshot,ZwAllocateVirtualMemory,memset,PssNtFreeSnapshot,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,ZwCreateProcessEx,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PssNtFreeSnapshot,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,1_2_6CFF6940
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF3E920 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,1_2_6CF3E920
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64920 ZwWow64IsProcessorFeaturePresent,1_2_6CF64920
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF8927 ZwDuplicateObject,ZwQueryObject,ZwClose,memset,_wcsicmp,ZwQueryObject,ZwQueryObject,_wcsicmp,ZwClose,RtlDebugPrintTimes,RtlDebugPrintTimes,1_2_6CFF8927
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64910 ZwWow64CallFunction64,1_2_6CF64910
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC912 RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFAC912
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4908 RtlAllocateHeap,ZwQueryVirtualMemory,RtlFreeHeap,1_2_6CFA4908
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64900 ZwWow64WriteVirtualMemory64,1_2_6CF64900
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AF0 ZwWriteFile,1_2_6CF62AF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFCEAF0 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,1_2_6CFCEAF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AE0 ZwDeviceIoControlFile,1_2_6CF62AE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFBAAE0 RtlConvertExclusiveToShared,ZwReleaseSemaphore,RtlRaiseStatus,1_2_6CFBAAE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AD0 ZwReadFile,1_2_6CF62AD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDAACD ZwFreeVirtualMemory,1_2_6CFDAACD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AC0 ZwCallbackReturn,1_2_6CF62AC0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF76ACC memset,ZwQueryWnfStateData,RtlFreeHeap,RtlAllocateHeap,ZwQueryWnfStateData,ZwQueryWnfStateData,RtlFreeHeap,1_2_6CF76ACC
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AB0 ZwWaitForSingleObject,1_2_6CF62AB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE2AAC ZwQuerySystemInformation,1_2_6CFE2AAC
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB2AA9 ZwEnumerateValueKey,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,RtlCompareUnicodeString,RtlCompareUnicodeString,ZwEnumerateKey,ZwOpenKey,ZwClose,1_2_6CFB2AA9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AA0 ZwMapUserPhysicalPagesScatter,1_2_6CF62AA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDAA98 ZwAllocateVirtualMemory,1_2_6CFDAA98
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62A90 ZwAcceptConnectPort,1_2_6CF62A90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62A80 ZwWorkerFactoryWorkerReady,1_2_6CF62A80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62A70 ZwAccessCheck,1_2_6CF62A70
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9CA72 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,1_2_6CF9CA72
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF2A70 EtwSendNotification,ZwTraceControl,RtlNtStatusToDosError,ZwClose,1_2_6CFF2A70
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4A63 ZwQuerySystemInformation,RtlAllocateHeap,RtlFreeHeap,RtlAllocateHeap,1_2_6CFD4A63
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 RtlAcquireSRWLockExclusive,RtlDebugPrintTimes,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF0A50 EtwEventWriteString,ZwTraceEvent,RtlNtStatusToDosError,1_2_6CFF0A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5AA45 ZwOpenKey,ZwQueryValueKey,ZwClose,1_2_6CF5AA45
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFD6A30 RtlRemoteCall,LdrControlFlowGuardEnforced,ZwSuspendThread,ZwGetContextThread,ZwResumeThread,ZwWriteVirtualMemory,ZwResumeThread,memcpy,memcpy,ZwWriteVirtualMemory,ZwSetContextThread,ZwResumeThread,1_2_6CFD6A30
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF2A30 EtwReplyNotification,ZwTraceControl,RtlNtStatusToDosError,1_2_6CFF2A30
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFACA11 RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFACA11
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA0A0E RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException,1_2_6CFA0A0E
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFB2A03 ZwDeleteKey,ZwClose,1_2_6CFB2A03
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1EA0C ZwCreateEvent,TpAllocWait,ZwSetWnfProcessNotificationEvent,TpSetWaitEx,TpReleaseWait,ZwClose,1_2_6CF1EA0C
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFD6BFC ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,1_2_6CFD6BFC
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF4EBFC RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,1_2_6CF4EBFC
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFACBF0 RtlAcquireSRWLockShared,RtlReleaseSRWLockShared,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,1_2_6CFACBF0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62BE0 ZwQueryValueKey,1_2_6CF62BE0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62BD0 ZwQueryKey,1_2_6CF62BD0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAEBD0 CsrCaptureMessageMultiUnicodeStringsInPlace,ZwWow64CsrAllocateCaptureBuffer,1_2_6CFAEBD0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62BC0 ZwQueryDefaultLocale,1_2_6CF62BC0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF20BCD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,1_2_6CF20BCD
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62BB0 ZwFindAtom,1_2_6CF62BB0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFACBB0 ZwSetEvent,1_2_6CFACBB0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62BA0 ZwEnumerateValueKey,1_2_6CF62BA0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1EBA6 ZwOpenFile,memcmp,ZwQueryInformationThread,TpWaitForWork,TpReleaseWork,1_2_6CF1EBA6
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF8B98 ZwGetNextThread,ZwAllocateVirtualMemory,ZwGetNextThread,RtlGetExtendedContextLength,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwUnmapViewOfSection,ZwUnmapViewOfSection,1_2_6CFF8B98
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B80 ZwQueryInformationFile,1_2_6CF62B80
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFEEB89 ZwFreeVirtualMemory,1_2_6CFEEB89
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B70 ZwQueryObject,1_2_6CF62B70
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B60 ZwClose,1_2_6CF62B60
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDCB64 memset,RtlInitUnicodeString,RtlInitUnicodeString,ZwEnumerateValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,1_2_6CFDCB64
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF18B50 RtlDeleteTimerQueueEx,RtlAcquireSRWLockExclusive,TpTimerOutstandingCallbackCount,TpReleaseTimer,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,ZwWaitForAlertByThreadId,1_2_6CF18B50
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF9CB5D RtlGetPersistedStateLocation,ZwOpenKeyEx,1_2_6CF9CB5D
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B50 ZwSetEvent,1_2_6CF62B50
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF2B57 RtlAllocateHeap,RtlAllocateHeap,ZwTraceControl,RtlNtStatusToDosError,ZwTraceControl,RtlFreeHeap,RtlFreeHeap,1_2_6CFF2B57
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFCEB50 RtlRegisterSecureMemoryCacheCallback,ZwQuerySystemInformation,RtlAllocateHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,1_2_6CFCEB50
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B40 ZwSetInformationThread,1_2_6CF62B40
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFB6B40 RtlIsUntrustedObject,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlFindAceByType,RtlFreeHeap,1_2_6CFB6B40
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFBAB40 RtlConvertSharedToExclusive,ZwReleaseSemaphore,RtlRaiseStatus,ZwReleaseSemaphore,RtlRaiseStatus,RtlAcquireResourceExclusive,1_2_6CFBAB40
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1AB30 RtlCreateMemoryZone,ZwAllocateVirtualMemory,1_2_6CF1AB30
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B30 ZwReplyPort,1_2_6CF62B30
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF4EB20 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,1_2_6CF4EB20
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B20 ZwReplyWaitReceivePort,1_2_6CF62B20
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B10 ZwReleaseSemaphore,1_2_6CF62B10
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF62B00 ZwRemoveIoCompletion,1_2_6CF62B00
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFECB09 ZwQueryVirtualMemory,1_2_6CFECB09
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFCE4FD ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,ZwOpenFile,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,ZwSetSecurityObject,ZwClose,ZwClose,1_2_6CFCE4FD
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF644F0 ZwSetQuotaInformationFile,1_2_6CF644F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF644E0 ZwSetLowWaitHighEventPair,1_2_6CF644E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF204E5 SbSelectProcedure,RtlDebugPrintTimes,RtlGetSuiteMask,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,1_2_6CF204E5
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF644D0 ZwSetLowEventPair,1_2_6CF644D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF644C0 ZwSetLdtEntries,1_2_6CF644C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF644B0 ZwSetIoCompletionEx,1_2_6CF644B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF644A0 ZwSetIoCompletion,1_2_6CF644A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF264AB memcmp,ZwSetInformationThread,RtlDeactivateActivationContextUnsafeFast,RtlSetThreadSubProcessTag,memset,RtlRaiseException,ZwSetInformationThread,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,1_2_6CF264AB
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64490 ZwSetIntervalProfile,1_2_6CF64490
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDA49A RtlAllocateHeap,ZwCreateEvent,TpAllocWork,1_2_6CFDA49A
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64480 ZwSetInformationWorkerFactory,1_2_6CF64480
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF4480 TpSetPoolThreadCpuSets,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,RtlNumberOfSetBits,1_2_6CFF4480
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF4A470 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,RtlFreeHeap,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlReAllocateHeap,1_2_6CF4A470
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64470 ZwSetInformationVirtualMemory,1_2_6CF64470
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64460 ZwSetInformationTransactionManager,1_2_6CF64460
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAC460 RtlTestAndPublishWnfStateData,ZwUpdateWnfStateData,RtlGetCurrentServiceSessionId,1_2_6CFAC460
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64450 ZwSetInformationTransaction,1_2_6CF64450
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFFA457 ZwDeviceIoControlFile,1_2_6CFFA457
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDA456 RtlUnsubscribeWnfNotificationWaitForCompletion,ZwClose,TpReleaseWork,RtlFreeHeap,1_2_6CFDA456
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5E443 ZwDelayExecution,ZwFreeVirtualMemory,ZwClose,ZwClose,RtlDeleteCriticalSection,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_6CF5E443
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64440 ZwSetInformationToken,1_2_6CF64440
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64430 ZwSetInformationSymbolicLink,1_2_6CF64430
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1E420 ZwTraceControl,EtwDeliverDataBlock,TpSetWaitEx,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,1_2_6CF1E420
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64420 ZwSetInformationResourceManager,1_2_6CF64420
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1C427 memset,ZwIsUILanguageComitted,RtlpGetNameFromLangInfoNode,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlFreeHeap,1_2_6CF1C427
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA6420 RtlDefaultNpAcl,RtlAllocateHeap,ZwQueryInformationToken,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,RtlGetAppContainerSidType,RtlGetAppContainerParent,RtlAllocateHeap,RtlCreateAcl,RtlInitializeSid,RtlInitializeSid,RtlInitializeSid,RtlInitializeSid,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_6CFA6420
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF22410 RtlRandomEx,ZwQueryInformationProcess,1_2_6CF22410
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF32410 RtlAcquireSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,1_2_6CF32410
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64410 ZwSetInformationKey,1_2_6CF64410
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFFA414 ZwClose,1_2_6CFFA414
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64400 ZwSetInformationJobObject,1_2_6CF64400
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF58402 RtlImageNtHeaderEx,ZwOpenKey,ZwOpenKey,ZwOpenKey,ZwQueryValueKey,ZwClose,RtlFormatCurrentUserKeyPath,RtlAllocateHeap,RtlAppendUnicodeStringToString,RtlAppendUnicodeToString,ZwOpenKey,RtlFreeHeap,RtlFreeUnicodeString,ZwQueryValueKey,ZwClose,ZwQueryKey,ZwClose,LdrLoadDll,ZwQueryValueKey,ZwQueryValueKey,ZwClose,LdrGetProcedureAddressForCaller,LdrUnloadDll,1_2_6CF58402
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF645F0 ZwSignalAndWaitForSingleObject,1_2_6CF645F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF85F0 ZwQueryInformationProcess,1_2_6CFF85F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF225E0 ZwClose,RtlFreeHeap,1_2_6CF225E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF645E0 ZwShutdownWorkerFactory,1_2_6CF645E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFB25E4 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,1_2_6CFB25E4
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF265D0 ZwReleaseWorkerFactoryWorker,memmove,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,_allshl,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,1_2_6CF265D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5A5D0 RtlCreateTagHeap,ZwQuerySystemInformation,1_2_6CF5A5D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF645D0 ZwShutdownSystem,1_2_6CF645D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF645C0 ZwSetWnfProcessNotificationEvent,1_2_6CF645C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDA5C0 ZwWaitForSingleObject,1_2_6CFDA5C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF165B5 RtlInitUnicodeString,RtlDebugPrintTimes,RtlDebugPrintTimes,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlReleasePath,ZwTerminateProcess,1_2_6CF165B5
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF605B0 EtwpCreateEtwThread,ZwResumeThread,EtwpCreateEtwThread,ZwTerminateThread,ZwClose,1_2_6CF605B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF645B0 ZwSetVolumeInformationFile,1_2_6CF645B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF645A0 ZwSetUuidSeed,1_2_6CF645A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAE5A2 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose,1_2_6CFAE5A2
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDA5A0 ZwSetEvent,1_2_6CFDA5A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64590 ZwSetTimerResolution,1_2_6CF64590
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF8590 ZwQueryMutant,ZwQueryMutant,1_2_6CFF8590
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64580 ZwSetTimerEx,1_2_6CF64580
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5A570 RtlWakeAllConditionVariable,ZwAlertThreadByThreadId,RtlWakeAllConditionVariable,1_2_6CF5A570
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5C570 RtlSetUserCallbackExceptionFilter,RtlSetUserCallbackExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,1_2_6CF5C570
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64570 ZwSetTimer2,1_2_6CF64570
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64560 ZwSetThreadExecutionState,1_2_6CF64560
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF8560 ZwQueryEvent,1_2_6CFF8560
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64550 ZwSetSystemTime,1_2_6CF64550
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64540 ZwSetSystemPowerState,1_2_6CF64540
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAC540 RtlWaitForWnfMetaNotification,ZwQueryWnfStateNameInformation,ZwQueryWnfStateNameInformation,ZwCreateEvent,RtlRegisterForWnfMetaNotification,_allmul,ZwWaitForSingleObject,RtlUnsubscribeWnfNotificationWaitForCompletion,ZwClose,1_2_6CFAC540
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64530 ZwSetSystemInformation,1_2_6CF64530
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64520 ZwSetSystemEnvironmentValueEx,1_2_6CF64520
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64510 ZwSetSystemEnvironmentValue,1_2_6CF64510
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64500 ZwSetSecurityObject,1_2_6CF64500
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF4500 TpTrimPools,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlSleepConditionVariableSRW,RtlAllocateHeap,ZwClose,RtlFreeHeap,RtlAllocateHeap,ZwClose,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForMultipleObjects,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,1_2_6CFF4500
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF646F0 ZwUnloadDriver,1_2_6CF646F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF9E6F2 ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy,1_2_6CF9E6F2
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF646E0 ZwUmsThreadYield,1_2_6CF646E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAA6E0 RtlWow64IsWowGuestMachineSupported,ZwQuerySystemInformationEx,_alloca_probe_16,ZwQuerySystemInformationEx,1_2_6CFAA6E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF646D0 ZwTranslateFilePath,1_2_6CF646D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5A6C7 RtlAllocateHeap,memcpy,ZwFreeVirtualMemory,1_2_6CF5A6C7
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF646C0 ZwTraceControl,1_2_6CF646C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF646B0 ZwThawTransactions,1_2_6CF646B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF646A0 ZwThawRegistry,1_2_6CF646A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFB2699 memset,memset,ZwCreateUserProcess,1_2_6CFB2699
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64690 ZwTestAlert,1_2_6CF64690
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAA690 RtlWow64GetSharedInfoProcess,ZwQueryInformationProcess,ZwReadVirtualMemory,1_2_6CFAA690
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64680 ZwTerminateJobObject,1_2_6CF64680
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF8680 ZwQueryInformationThread,ZwQueryInformationThread,1_2_6CFF8680
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64670 ZwTerminateEnclave,1_2_6CF64670
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64660 ZwSystemDebugControl,1_2_6CF64660
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64650 ZwSuspendThread,1_2_6CF64650
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFC6650 RtlpVerifyAndCommitUILanguageSettings,memset,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlpCreateProcessRegistryInfo,ZwFlushInstallUILanguage,ZwGetMUIRegistryInfo,ZwShutdownSystem,1_2_6CFC6650
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDA650 ZwQueryInformationProcess,RtlRaiseStatus,1_2_6CFDA650
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF8650 ZwQuerySemaphore,1_2_6CFF8650
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64640 ZwSuspendProcess,1_2_6CF64640
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFD6640 RtlSleepConditionVariableCS,RtlLeaveCriticalSection,ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,RtlEnterCriticalSection,1_2_6CFD6640
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF60634 ZwCreateThreadEx,ZwClose,1_2_6CF60634
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64630 ZwSubscribeWnfStateChange,1_2_6CF64630
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF58620 ZwQueryInformationThread,ZwQueryInformationThread,RtlAcquireSRWLockShared,RtlApplicationVerifierStop,1_2_6CF58620
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64620 ZwStopProfile,1_2_6CF64620
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1C62A RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,ZwClose,1_2_6CF1C62A
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDC620 RtlpRefreshCachedUILanguage,ZwQueryInstallUILanguage,RtlInitUnicodeString,RtlCultureNameToLCID,ZwFlushInstallUILanguage,RtlpCreateProcessRegistryInfo,ZwFlushInstallUILanguage,ZwFlushInstallUILanguage,ZwGetMUIRegistryInfo,1_2_6CFDC620
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF8620 ZwQuerySection,1_2_6CFF8620
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64610 ZwStartProfile,1_2_6CF64610
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64600 ZwSinglePhaseReject,1_2_6CF64600
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF647F0 ZwLoadKey3,1_2_6CF647F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF647E0 ZwWaitLowEventPair,1_2_6CF647E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF647D0 ZwWaitHighEventPair,1_2_6CF647D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF647C0 ZwWaitForWorkViaWorkerFactory,1_2_6CF647C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA07C3 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,EtwEventRegister,EtwEventWrite,EtwNotificationUnregister,ZwRaiseException,1_2_6CFA07C3
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA67C0 RtlNewSecurityGrantedAccess,ZwQueryInformationToken,RtlMapGenericMask,ZwPrivilegeCheck,1_2_6CFA67C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF647B0 ZwWaitForKeyedEvent,1_2_6CF647B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAA7B0 RtlDecodeRemotePointer,ZwQueryInformationProcess,1_2_6CFAA7B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF167BF memset,ZwTerminateProcess,1_2_6CF167BF
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF647A0 ZwWaitForDebugEvent,1_2_6CF647A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFD47A0 RtlHeapTrkInitialize,ZwMapViewOfSection,ZwQueryPerformanceCounter,RtlCreateHeap,RtlSetHeapInformation,RtlAllocateHeap,RtlAllocateHeap,ZwUnmapViewOfSection,RtlDestroyHeap,ZwUnmapViewOfSection,ZwClose,1_2_6CFD47A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64790 ZwWaitForAlertByThreadId,1_2_6CF64790
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64780 ZwVdmControl,1_2_6CF64780
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFC8785 ZwAllocateVirtualMemory,ZwDuplicateObject,ZwWriteVirtualMemory,ZwTerminateThread,ZwClose,ZwFreeVirtualMemory,ZwResumeThread,ZwWaitForSingleObject,ZwClose,ZwReadVirtualMemory,1_2_6CFC8785
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64770 ZwUpdateWnfStateData,1_2_6CF64770
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1A760 EtwSetMark,ZwTraceEvent,RtlNtStatusToDosError,1_2_6CF1A760
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64760 ZwUnsubscribeWnfStateChange,1_2_6CF64760
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64750 ZwUnmapViewOfSectionEx,1_2_6CF64750
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1A740 ZwClose,RtlFreeHeap,1_2_6CF1A740
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64740 ZwUnlockVirtualMemory,1_2_6CF64740
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF60735 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,1_2_6CF60735
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64730 ZwUnlockFile,1_2_6CF64730
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF9C730 LdrAppxHandleIntegrityFailure,RtlQueryPackageIdentityEx,memset,ZwQueryValueKey,RtlFreeHeap,ZwClose,memset,memset,RtlCaptureContext,RtlReportException,ZwTerminateProcess,1_2_6CF9C730
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64720 ZwUnloadKeyEx,1_2_6CF64720
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF50710 RtlAllocateHandle,RtlReAllocateHeap,RtlAllocateHandle,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,1_2_6CF50710
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64710 ZwUnloadKey2,1_2_6CF64710
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64700 ZwUnloadKey,1_2_6CF64700
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA6700 RtlNewInstanceSecurityObject,ZwQueryInformationToken,1_2_6CFA6700
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF620F0 RtlPublishWnfStateData,ZwUpdateWnfStateData,RtlGetCurrentServiceSessionId,RtlPublishWnfStateData,1_2_6CF620F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF640F0 ZwRaiseException,1_2_6CF640F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF640E0 ZwQueueApcThreadEx,1_2_6CF640E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF9E0E0 LdrCreateEnclave,ZwCreateEnclave,LdrCreateEnclave,1_2_6CF9E0E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFB40DA ZwQueryVirtualMemory,1_2_6CFB40DA
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA20DE ZwRaiseHardError,1_2_6CFA20DE
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF640D0 ZwQueryWnfStateNameInformation,1_2_6CF640D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF220DA ZwOpenThreadToken,ZwSetInformationThread,ZwClose,1_2_6CF220DA
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5E0DF ZwDelayExecution,1_2_6CF5E0DF
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFFA0D1 ZwDeviceIoControlFile,1_2_6CFFA0D1
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF1C0C2 ZwAlertThreadByThreadId,1_2_6CF1C0C2
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA40C9 ZwTerminateProcess,RtlLeaveCriticalSection,1_2_6CFA40C9
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF640C0 ZwQueryWnfStateData,1_2_6CF640C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAC0C0 RtlInitUnicodeString,ZwQueryValueKey,1_2_6CFAC0C0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFE60B8 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,1_2_6CFE60B8
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF640B0 ZwQueryTimerResolution,1_2_6CF640B0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF640A0 ZwQuerySystemInformationEx,1_2_6CF640A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF9E0A0 DbgUiWaitStateChange,ZwWaitForDebugEvent,1_2_6CF9E0A0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFB40A7 ZwSetInformationFile,1_2_6CFB40A7
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64090 ZwQuerySystemEnvironmentValueEx,1_2_6CF64090
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5C080 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx,1_2_6CF5C080
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64080 ZwQuerySystemEnvironmentValue,1_2_6CF64080
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5608F ZwOpenKey,ZwCreateKey,1_2_6CF5608F
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA8080 ZwReadVirtualMemory,1_2_6CFA8080
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5A073 RtlInitUnicodeString,RtlInitAnsiString,RtlAnsiStringToUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,ZwRaiseHardError,RtlRaiseStatus,EtwTraceMessageVa,RtlNtStatusToDosError,1_2_6CF5A073
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64070 ZwQuerySymbolicLinkObject,1_2_6CF64070
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF9E070 DbgUiStopDebugging,ZwRemoveProcessDebug,1_2_6CF9E070
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF46060 RtlCheckTokenMembershipEx,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,RtlSetGroupSecurityDescriptor,RtlCreateAcl,RtlInitializeSidEx,RtlSetDaclSecurityDescriptor,ZwAccessCheck,RtlInitializeSidEx,ZwOpenThreadTokenEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwClose,ZwClose,RtlCheckTokenMembershipEx,1_2_6CF46060
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64060 ZwQuerySemaphore,1_2_6CF64060
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFDA060 RtlOsDeploymentState,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,1_2_6CFDA060
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64050 ZwQuerySecurityPolicy,1_2_6CF64050
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF56045 ZwClose,1_2_6CF56045
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64040 ZwQuerySecurityObject,1_2_6CF64040
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA4043 ZwOpenFile,ZwQueryVirtualMemory,ZwOpenFile,1_2_6CFA4043
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFAC03E RtlInitUnicodeString,ZwOpenKey,ZwClose,1_2_6CFAC03E
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64030 ZwQuerySecurityAttributesToken,1_2_6CF64030
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64020 ZwQueryQuotaInformationFile,1_2_6CF64020
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64010 ZwQueryPortInformationProcess,1_2_6CF64010
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF64000 ZwQueryOpenSubKeysEx,1_2_6CF64000
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF4003 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwSetInformationJobObject,ZwQueryInformationJobObject,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,1_2_6CFF4003
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF5C1F0 RtlSetUnhandledExceptionFilter,RtlSetUnhandledExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,1_2_6CF5C1F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF641F0 ZwReplyWaitReplyPort,1_2_6CF641F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF81F0 ZwQueryVirtualMemory,ZwPssCaptureVaSpaceBulk,ZwQueryVirtualMemory,1_2_6CFF81F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF641E0 ZwReplacePartitionUnit,1_2_6CF641E0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFA41E2 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel,1_2_6CFA41E2
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFF61E5 RtlGetCurrentServiceSessionId,ZwTraceEvent,1_2_6CFF61E5
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CF641D0 ZwReplaceKey,1_2_6CF641D0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe Code function: 1_2_6CFC01D0 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess,1_2_6CFC01D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD41CB ZwQueryVirtualMemory,bsearch_s,1_2_6CFD41CB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF641C0 ZwRenameTransactionManager,1_2_6CF641C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE61C3 RtlAllocateHeap,ZwQueryWnfStateData,ZwUpdateWnfStateData,RtlFreeHeap,1_2_6CFE61C3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDA1C0 RtlQueryValidationRunlevel,ZwOpenKey,ZwQueryValueKey,ZwClose,1_2_6CFDA1C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF41C0 TpQueryPoolStackInformation,ZwQueryInformationWorkerFactory,1_2_6CFF41C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF641B0 ZwRenameKey,1_2_6CF641B0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFFA1B6 ZwCreateFile,1_2_6CFFA1B6
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF641A0 ZwRemoveProcessDebug,1_2_6CF641A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF541A2 ZwAlertThreadByThreadId,1_2_6CF541A2
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA019F RtlGetCurrentServiceSessionId,RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,1_2_6CFA019F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1A197 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,1_2_6CF1A197
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64190 ZwRemoveIoCompletionEx,1_2_6CF64190
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9E190 RtlFreeUserStack,ZwFreeVirtualMemory,1_2_6CF9E190
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2819E ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationObject,ZwSetInformationThread,ZwAdjustPrivilegesToken,ZwSetInformationThread,1_2_6CF2819E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2419F ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,1_2_6CF2419F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF60185 ZwQuerySystemInformation,EtwpCreateEtwThread,RtlNtStatusToDosError,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,1_2_6CF60185
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64180 ZwReleaseWorkerFactoryWorker,1_2_6CF64180
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF6187 ZwSetInformationThread,memset,RtlRaiseException,1_2_6CFF6187
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64170 ZwReleaseKeyedEvent,1_2_6CF64170
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA417C ZwRaiseHardError,1_2_6CFA417C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64160 ZwRegisterThreadTerminatePort,1_2_6CF64160
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62160 RtlCreateUserStack,RtlImageNtHeader,ZwSetInformationProcess,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlFreeUserStack,RtlCreateUserStack,RtlCreateUserStack,RtlCreateUserStack,1_2_6CF62160
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFFA160 RtlGetNtSystemRoot,ZwClose,1_2_6CFFA160
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64150 ZwRegisterProtocolAddressInformation,1_2_6CF64150
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26154 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlAllocateHeap,ZwDuplicateObject,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlWakeConditionVariable,1_2_6CF26154
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4215F ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor,1_2_6CF4215F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64140 ZwRecoverTransactionManager,1_2_6CF64140
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDA140 RtlQueryTokenHostIdAsUlong64,ZwQuerySecurityAttributesToken,1_2_6CFDA140
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF8142 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,ZwQueryVirtualMemory,1_2_6CFF8142
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB4144 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDetermineDosPathNameType_U,RtlDosPathNameToNtPathName_U,ZwQueryAttributesFile,RtlFreeHeap,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,1_2_6CFB4144
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA013A ZwOpenKeyEx,ZwClose,1_2_6CFA013A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64130 ZwRecoverResourceManager,1_2_6CF64130
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC137 ZwQueryVirtualMemory,ZwQuerySystemInformation,ZwAllocateVirtualMemory,ZwProtectVirtualMemory,1_2_6CFAC137
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64120 ZwRecoverEnlistment,1_2_6CF64120
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDA11F ZwClose,1_2_6CFDA11F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64110 ZwReadOnlyEnlistment,1_2_6CF64110
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF22102 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,1_2_6CF22102
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFCE10E ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlFreeHeap,RtlGetDaclSecurityDescriptor,RtlGetOwnerSecurityDescriptor,RtlEqualSid,RtlGetAce,RtlEqualSid,ZwSetSecurityObject,RtlSelfRelativeToAbsoluteSD2,RtlAllocateHeap,memcpy,RtlFreeHeap,RtlSelfRelativeToAbsoluteSD2,RtlFreeHeap,RtlSetOwnerSecurityDescriptor,RtlSetDaclSecurityDescriptor,RtlMakeSelfRelativeSD,RtlAllocateHeap,RtlMakeSelfRelativeSD,RtlFreeHeap,ZwSetSecurityObject,RtlFreeHeap,1_2_6CFCE10E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64100 ZwRaiseHardError,1_2_6CF64100
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA8100 RtlSetProcessDebugInformation,ZwUnmapViewOfSection,RtlExitUserThread,1_2_6CFA8100
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62AE0: ZwDeviceIoControlFile,1_2_6CF62AE0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF646F0 ZwUnloadDriver,1_2_6CF646F0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: String function: 6CF9EA12 appears 78 times
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: String function: 6CF1B970 appears 249 times
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: String function: 6CF77EB0 appears 34 times
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: String function: 6CF77E54 appears 140 times
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: String function: 6CFAF290 appears 103 times
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: String function: 6CF65130 appears 53 times
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 10488
Source: D47F.tmp.1.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: D47F.tmp.1.dr | Static PE information: No import functions for PE file found
Source: 2019-09-02_22-41-10.exe, 00000001.00000002.1933861183.000000006D01D000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2019-09-02_22-41-10.exe
Source: 2019-09-02_22-41-10.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000C.00000002.2087767658.000000000AB31000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000003.2023745878.0000000001F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.1973410922.0000000000AEB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1697423572.000000000096C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000003.1767242540.0000000002050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.1979742507.00000000087C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/31@3/3
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: RtlAppxIsFileOwnedByTrustedInstaller,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlGetOwnerSecurityDescriptor,RtlCreateServiceSid,RtlAllocateHeap,RtlCreateServiceSid,RtlEqualSid,RtlFreeHeap,RtlFreeHeap,1_2_6CF9CCA0
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: RtlCreateServiceSid,RtlUpcaseUnicodeString,A_SHAInit,A_SHAUpdate,A_SHAFinal,RtlFreeUnicodeString,RtlInitializeSid,RtlCreateServiceSid,1_2_6CF1C230
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_0096D750 CreateToolhelp32Snapshot,Module32First
Source: C:\Windows\explorer.exe | Code function: 2_2_087C38E4 CoCreateInstance
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tjhvihc
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3580
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2580
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3680
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2852
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3656
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | File created: C:\Users\user\AppData\Local\Temp\D47F.tmp
Source: C:\Users\user\AppData\Roaming\tjhvihc | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: 2019-09-02_22-41-10.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2019-09-02_22-41-10.exe | Virustotal: Detection: 79%
Source: 2019-09-02_22-41-10.exe | ReversingLabs: Detection: 84%
Source: unknown | Process created: C:\Users\user\Desktop\2019-09-02_22-41-10.exe "C:\Users\user\Desktop\2019-09-02_22-41-10.exe"
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Process created: C:\Users\user\Desktop\2019-09-02_22-41-10.exe "C:\Users\user\Desktop\2019-09-02_22-41-10.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 10488
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\user\AppData\Roaming\jvajahs" scrobj
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Users\user\AppData\Roaming\tjhvihc C:/Users/user/AppData/Roaming/tjhvihc
Source: C:\Users\user\AppData\Roaming\tjhvihc | Process created: C:\Users\user\AppData\Roaming\tjhvihc C:/Users/user/AppData/Roaming/tjhvihc
Source: C:\Users\user\AppData\Roaming\tjhvihc | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2852 -s 7452
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3656 -s 7880
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3680 -s 6824
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3580 -s 3364
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Process created: C:\Users\user\Desktop\2019-09-02_22-41-10.exe "C:\Users\user\Desktop\2019-09-02_22-41-10.exe"
Source: C:\Users\user\AppData\Roaming\tjhvihc | Process created: C:\Users\user\AppData\Roaming\tjhvihc C:/Users/user/AppData/Roaming/tjhvihc
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: esdsip.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\regsvr32.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: idstore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wlidprov.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: inputhost.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appextension.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: fltlib.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cdp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dsreg.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: linkinfo.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: provsvc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: pdh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: applicationframe.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: virtualmonitormanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: npsm.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.web.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mscms.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coloradapterclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.signals.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: tdh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorybroker.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mfplat.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rtworkq.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: taskflowdataengine.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: structuredquery.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.graphics.display.displaycolormanagement.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.data.activities.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.system.launcher.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.ui.shell.windowtabmanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.devices.enumeration.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: icu.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswb7.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: devdispitemprovider.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uianimation.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dictationmanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: stobject.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: workfoldersshell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: daxexec.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: container.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dll
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
                Source: C:\Windows\explorer.exeSection loaded: userenv.dll
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: propsys.dll
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
                Source: C:\Windows\explorer.exeSection loaded: wininet.dll
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: wldp.dll
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
                Source: C:\Windows\explorer.exeSection loaded: netutils.dll
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
                Source: C:\Windows\explorer.exeSection loaded: ninput.dll
                Source: C:\Windows\explorer.exeSection loaded: appresolver.dll
                Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\explorer.exeSection loaded: slc.dll
                Source: C:\Windows\explorer.exeSection loaded: sppc.dll
                Source: C:\Windows\explorer.exeSection loaded: profapi.dll
                Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: starttiledata.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dll
                Source: C:\Windows\explorer.exeSection loaded: idstore.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dll
                Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dll
                Source: C:\Windows\explorer.exeSection loaded: wlidprov.dll
                Source: C:\Windows\explorer.exeSection loaded: samcli.dll
                Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dll
                Source: C:\Windows\explorer.exeSection loaded: policymanager.dll
                Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\explorer.exeSection loaded: winsta.dll
                Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dll
                Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dll
                Source: C:\Windows\explorer.exeSection loaded: devobj.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dll
                Source: C:\Windows\explorer.exeSection loaded: oleacc.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dll
                Source: C:\Windows\explorer.exeSection loaded: textshaping.dll
                Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.dll
                Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dll
                Source: C:\Windows\explorer.exeSection loaded: textinputframework.dll
                Source: C:\Windows\explorer.exeSection loaded: inputhost.dll
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dll
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
                Source: C:\Windows\explorer.exeSection loaded: appextension.dll
                Source: C:\Windows\explorer.exeSection loaded: dcomp.dll
                Source: C:\Windows\explorer.exeSection loaded: d3d11.dll
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dll
                Source: C:\Windows\explorer.exeSection loaded: dxcore.dll
                Source: C:\Windows\explorer.exeSection loaded: d2d1.dll
                Source: C:\Windows\explorer.exeSection loaded: dwrite.dll
                Source: C:\Windows\explorer.exeSection loaded: xmllite.dll
                Source: C:\Windows\explorer.exeSection loaded: cldapi.dll
                Source: C:\Windows\explorer.exeSection loaded: fltlib.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dll
                Source: C:\Windows\explorer.exeSection loaded: dataexchange.dll
                Source: C:\Windows\explorer.exeSection loaded: apphelp.dll
                Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dll
                Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dll
                Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dll
                Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dll
                Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dll
                Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
                Source: C:\Windows\explorer.exeSection loaded: thumbcache.dll
                Source: C:\Windows\explorer.exeSection loaded: edputil.dll
                Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dll
                Source: C:\Windows\explorer.exeSection loaded: wkscli.dll
                Source: C:\Windows\explorer.exeSection loaded: wincorlib.dll
                Source: C:\Windows\explorer.exeSection loaded: cdp.dll
                Source: C:\Windows\explorer.exeSection loaded: dsreg.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dll
                Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dll
                Source: C:\Windows\explorer.exeSection loaded: ntshrui.dll
                Source: C:\Windows\explorer.exeSection loaded: cscapi.dll
                Source: C:\Windows\explorer.exeSection loaded: linkinfo.dll
                Source: C:\Windows\explorer.exeSection loaded: secur32.dll
                Source: C:\Windows\explorer.exeSection loaded: version.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptbase.dll
                Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dll
                Source: C:\Windows\explorer.exeSection loaded: cscui.dll
                Source: C:\Windows\explorer.exeSection loaded: provsvc.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptngc.dll
                Source: C:\Windows\explorer.exeSection loaded: ncrypt.dll
                Source: C:\Windows\explorer.exeSection loaded: ntasn1.dll
                Source: C:\Windows\explorer.exeSection loaded: cflapi.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dll
                Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: twinui.dll
                Source: C:\Windows\explorer.exeSection loaded: pdh.dll
                Source: C:\Windows\explorer.exeSection loaded: applicationframe.dll
                Source: C:\Windows\explorer.exeSection loaded: npmproxy.dll
                Source: C:\Windows\explorer.exeSection loaded: rmclient.dll
                Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dll
                Source: C:\Windows\explorer.exeSection loaded: virtualmonitormanager.dll
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dll
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\explorer.exeSection loaded: msvcp140.dll
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dll
                Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dll
                Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: npsm.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.web.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dll
                Source: C:\Windows\explorer.exe | Section loaded: mscms.dll
                Source: C:\Windows\explorer.exe | Section loaded: coloradapterclient.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.internal.signals.dll
                Source: C:\Windows\explorer.exe | Section loaded: tdh.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorybroker.dll
                Source: C:\Windows\explorer.exe | Section loaded: mfplat.dll
                Source: C:\Windows\explorer.exe | Section loaded: rtworkq.dll
                Source: C:\Windows\explorer.exe | Section loaded: taskflowdataengine.dll
                Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
                Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.system.launcher.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.security.authentication.web.core.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.data.activities.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.internal.ui.shell.windowtabmanager.dll
                Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.devices.enumeration.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
                Source: C:\Windows\explorer.exe | Section loaded: icu.dll
                Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
                Source: C:\Windows\explorer.exe | Section loaded: devdispitemprovider.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.ui.core.textinput.dll
                Source: C:\Windows\explorer.exe | Section loaded: windowsudk.shellcommon.dll
                Source: C:\Windows\explorer.exe | Section loaded: dictationmanager.dll
                Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
                Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
                Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
                Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.fileexplorer.common.dll
                Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
                Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
                Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
                Source: C:\Windows\explorer.exe | Section loaded: dpapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
                Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\explorer.exe | Section loaded: gpapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\explorer.exe | Section loaded: schannel.dll
                Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
                Source: C:\Windows\explorer.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\explorer.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\explorer.exe | Section loaded: execmodelproxy.dll
                Source: C:\Windows\explorer.exe | Section loaded: daxexec.dll
                Source: C:\Windows\explorer.exe | Section loaded: container.dll
                Source: C:\Windows\explorer.exe | Section loaded: shellcommoncommonproxystub.dll
                Source: C:\Windows\explorer.exe | Section loaded: batmeter.dll
                Source: C:\Windows\explorer.exe | Section loaded: sxs.dll
                Source: C:\Windows\explorer.exe | Section loaded: inputswitch.dll
                Source: C:\Windows\explorer.exe | Section loaded: prnfldr.dll
                Source: C:\Windows\explorer.exe | Section loaded: es.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.ui.shell.dll
                Source: C:\Windows\explorer.exe | Section loaded: dxp.dll
                Source: C:\Windows\explorer.exe | Section loaded: shdocvw.dll
                Source: C:\Windows\explorer.exe | Section loaded: syncreg.dll
                Source: C:\Windows\explorer.exe | Section loaded: actioncenter.dll
                Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
                Source: C:\Windows\explorer.exe | Section loaded: audioses.dll
                Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
                Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
                Source: C:\Windows\explorer.exe | Section loaded: wpnclient.dll
                Source: C:\Windows\explorer.exe | Section loaded: netprofm.dll
                Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
                Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: networkuxbroker.dll
                Source: C:\Windows\explorer.exe | Section loaded: ethernetmediamanager.dll
                Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
                Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
                Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
                Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
                Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
                Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
                Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
                Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
                Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
                Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
                Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
                Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
                Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
                Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\explorer.exe | Section loaded: slc.dll
                Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
                Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
                Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
                Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
                Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
                Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
                Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
                Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
                Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
                Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
                Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
                Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
                Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
                Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
                Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
                Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
                Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
                Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
                Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
                Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
                Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
                Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
                Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
                Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
                Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
                Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
                Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
                Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
                Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
                Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
                Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
                Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
                Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
                Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
                Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
                Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
                Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
                Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
                Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
                Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
                Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
                Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 2019-09-02_22-41-10.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\huzufawapijoh_fabujavonud39_mihugimosomofexepag-vatipado.pdb source: 2019-09-02_22-41-10.exe, 00000000.00000000.1695657326.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000000.00000002.1696872056.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000001.00000000.1696431506.000000000041F000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000002.00000002.1997339406.000000000CBB3000.00000004.00000001.00020000.00000000.sdmp, tjhvihc, 0000000A.00000000.1970022159.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000A.00000002.1972292048.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000B.00000000.1971431119.000000000041F000.00000002.00000001.01000000.00000009.sdmp
                Source: Binary string: wntdll.pdbUGP source: 2019-09-02_22-41-10.exe, 00000001.00000002.1933713701.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, tjhvihc, 0000000B.00000002.2953296719.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdb source: 2019-09-02_22-41-10.exe, 2019-09-02_22-41-10.exe, 00000001.00000002.1933713701.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, tjhvihc, 0000000B.00000002.2953296719.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp
                Source: Binary string: EC:\huzufawapijoh_fabujavonud39_mihugimosomofexepag-vatipado.pdb.pdb source: 2019-09-02_22-41-10.exe, 00000000.00000000.1695657326.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000000.00000002.1696872056.000000000041F000.00000002.00000001.01000000.00000003.sdmp, 2019-09-02_22-41-10.exe, 00000001.00000000.1696431506.000000000041F000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000002.00000002.1997339406.000000000CBB3000.00000004.00000001.00020000.00000000.sdmp, tjhvihc, 0000000A.00000000.1970022159.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000A.00000002.1972292048.000000000041F000.00000002.00000001.01000000.00000009.sdmp, tjhvihc, 0000000B.00000000.1971431119.000000000041F000.00000002.00000001.01000000.00000009.sdmp
                Source: 2019-09-02_22-41-10.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 2019-09-02_22-41-10.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 2019-09-02_22-41-10.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 2019-09-02_22-41-10.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 2019-09-02_22-41-10.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Unpacked PE file: 1.2.2019-09-02_22-41-10.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Unpacked PE file: 11.2.tjhvihc.400000.0.unpack .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R; vs .text:EW;
                Source: D47F.tmp.1.dr | Static PE information: section name: RT
                Source: D47F.tmp.1.dr | Static PE information: section name: .mrdata
                Source: D47F.tmp.1.dr | Static PE information: section name: .00cfg
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00915DB8 push ecx; retf 0_2_00915DD9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00913EF9 push esp; ret 0_2_00913F01
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_009142E9 push ebx; ret 0_2_009142EA
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00912FEA pushfd ; retf 0_2_00912FEB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00915601 push eax; iretd 0_2_00915602
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00913A61 push cs; iretd 0_2_00913A6F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00971A96 push eax; iretd 0_2_00971A97
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_0096FECC push cs; iretd 0_2_0096FEDA
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00972255 push ecx; retf 0_2_00972276
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_0097075D push ebx; ret 0_2_0097075E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_0097036C push esp; ret 0_2_00970374
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00404E61 push eax; iretd 1_2_00404E62
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00405618 push ecx; retf 1_2_00405639
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_004032C1 push cs; iretd 1_2_004032CF
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00402CF2 push eax; ret 1_2_00402D87
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00403B49 push ebx; ret 1_2_00403B4A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_00403759 push esp; ret 1_2_00403761
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CEF283D push eax; iretd 1_2_6CEF2858
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF209AD push ecx; mov dword ptr [esp], ecx 1_2_6CF209B6
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CEF27FA pushad ; ret 1_2_6CEF27F9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CEF225F pushad ; ret 1_2_6CEF27F9
                Source: C:\Windows\explorer.exe | Code function: 2_2_087C1962 push es; iretd 2_2_087C1966
                Source: C:\Windows\explorer.exe | Code function: 2_2_087C1A28 push esi; retf 2_2_087C1A1C
                Source: C:\Windows\explorer.exe | Code function: 2_2_087C191A push ebx; retf 2_2_087C1920
                Source: C:\Windows\explorer.exe | Code function: 2_2_087C18FD push ebx; retf 2_2_087C1903
                Source: C:\Windows\explorer.exe | Code function: 2_2_087C19EA push esi; retf 2_2_087C1A1C
                Source: C:\Windows\explorer.exe | Code function: 2_2_087C1AD1 push ebp; retf 2_2_087C1AD3
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Code function: 10_2_00A75DB8 push ecx; retf 10_2_00A75DD9
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Code function: 10_2_00A72FEA pushfd ; retf 10_2_00A72FEB
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Code function: 10_2_00A742E9 push ebx; ret 10_2_00A742EA
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Code function: 10_2_00A73EF9 push esp; ret 10_2_00A73F01
                Source: D47F.tmp.1.dr | Static PE information: section name: .text entropy: 6.844715065913507

                Persistence and Installation Behavior

                Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tjhvihc
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | File created: C:\Users\user\AppData\Local\Temp\D47F.tmp
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tjhvihc

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\D47F.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\D47F.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
                Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\2019-09-02_22-41-10.exe
                Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\tjhvihc:Zone.Identifier read attributes | delete
                Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (×6)
                Source: C:\Users\user\AppData\Roaming\tjhvihc | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (×6)
                Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation (×5)
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | File opened: C:\Windows\SysWOW64\ntdll.dll (×2)
                Source: C:\Users\user\AppData\Roaming\tjhvihc | File opened: C:\Windows\SysWOW64\ntdll.dll (×2)
                Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF228F0 rdtsc 1_2_6CF228F0
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 441
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 461
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 459
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D47F.tmp
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | API coverage: 0.4 %
                Source: C:\Windows\explorer.exe TID: 5756 | Thread sleep count: 441 > 30
                Source: C:\Windows\explorer.exe | Last function: Thread delayed (×2)
                Source: explorer.exe, 0000001F.00000003.2302921918.000000000BD65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: explorer.exe, 00000013.00000003.2124034762.0000000009825000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2121432051.0000000009825000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2156620458.0000000009825000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2120260349.0000000009825000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.2119441278.0000000009825000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWw
                Source: explorer.exe, 00000013.00000003.2126759965.0000000009942000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tC
                Source: explorer.exe, 00000019.00000002.2228035816.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000K
                Source: explorer.exe, 00000013.00000002.2156620458.00000000097EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000008
                Source: explorer.exe, 00000013.00000002.2156620458.000000000987D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000 A
                Source: explorer.exe, 00000013.00000002.2156620458.00000000097EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000&N%\
                Source: explorer.exe, 00000019.00000003.2163153656.00000000082BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: explorer.exe, 0000001F.00000003.2276609803.00000000093EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: explorer.exe, 00000002.00000000.1752635070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1980816073.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1980816073.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1752635070.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.00000000080EB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2036616353.000000000813B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035148568.00000000080EB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2039871787.00000000080EB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2077008779.000000000813B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2033654829.00000000080EB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2035031048.000000000813D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000002.00000002.1983339384.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: explorer.exe, 00000013.00000003.2126759965.0000000009942000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000013.00000003.2127044768.000000000BBAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000D&N%\
                Source: explorer.exe, 0000001F.00000003.2301660562.000000000BCEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
                Source: explorer.exe, 00000019.00000003.2163153656.00000000082BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}L\_(
                Source: explorer.exe, 00000019.00000002.2229950700.0000000004EF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWa
                Source: explorer.exe, 00000019.00000003.2184609024.000000000840E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 0000001F.00000002.2352707873.000000000955B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                Source: explorer.exe, 0000001F.00000003.2301660562.000000000BCEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
                Source: explorer.exe, 00000013.00000002.2156620458.00000000097EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000@v
                Source: explorer.exe, 0000001F.00000003.2246831486.0000000007EFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
                Source: explorer.exe, 0000001F.00000003.2294604182.000000000BCFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                Source: explorer.exe, 00000013.00000002.2156620458.00000000097EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000000@v
                Source: explorer.exe, 00000019.00000003.2163153656.00000000082BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\,
                Source: explorer.exe, 00000002.00000002.1977661134.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
                Source: explorer.exe, 0000001F.00000002.2352707873.000000000955B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000008<
                Source: explorer.exe, 0000001F.00000003.2302921918.000000000BD65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: explorer.exe, 0000001F.00000003.2276609803.00000000093EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4NECVMWar VMware SATA CD00
                Source: explorer.exe, 00000002.00000002.1980816073.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                Source: explorer.exe, 0000001F.00000003.2301660562.000000000BCEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
                Source: explorer.exe, 0000001F.00000003.2302921918.000000000BD65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                Source: explorer.exe, 0000001F.00000003.2276609803.00000000093F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wvid.infvid.devicedescMicrosoft Hyper-V Virtualization Infrastructure Driverwvid.inf
                Source: explorer.exe, 00000002.00000000.1750070183.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1977661134.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
                Source: explorer.exe, 0000000C.00000002.2077008779.0000000007E60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
                Source: explorer.exe, 00000002.00000002.1980816073.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                Source: explorer.exe, 0000001F.00000002.2360834828.000000000BC70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 0000001F.00000003.2246831486.0000000007EFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000002.00000000.1753437402.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 0000001F.00000003.2246831486.0000000007EFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
                Source: explorer.exe, 00000019.00000003.2163153656.00000000082BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}("
                Source: explorer.exe, 0000001F.00000003.2301660562.000000000BCEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
                Source: explorer.exe, 00000002.00000002.1973634434.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                Source: explorer.exe, 00000002.00000000.1750070183.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000013.00000003.2119773130.00000000096CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW2i
                Source: explorer.exe, 00000019.00000002.2229950700.0000000004EF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual USB Mouse000C:\Windows\System32\DDORes.dll,-2212txy
                Source: explorer.exe, 0000001F.00000003.2301660562.000000000BCEC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e
                Source: explorer.exe, 0000001F.00000003.2301455243.000000000952C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##g;7p
                Source: explorer.exe, 00000019.00000002.2234296584.0000000008280000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
                Source: explorer.exe, 00000019.00000002.2228035816.00000000011AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s
                Source: explorer.exe, 00000013.00000003.2085619718.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\
                Source: explorer.exe, 0000001F.00000003.2301660562.000000000BCEC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
                Source: explorer.exe, 0000000C.00000003.1987313099.0000000006EB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\c
                Source: explorer.exe, 0000000C.00000003.1987313099.0000000006EB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
                Source: explorer.exe, 0000001F.00000003.2278949396.0000000009339000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2VMware Virtual USB MouseJC:\W
                Source: explorer.exe, 00000002.00000002.1977661134.00000000078A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                Source: explorer.exe, 00000002.00000002.1980816073.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
                Source: explorer.exe, 0000001F.00000002.2352707873.000000000955B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 0000001F.00000003.2246831486.0000000007EFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 0000001F.00000003.2246831486.0000000007EFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
                Source: explorer.exe, 0000001F.00000003.2276609803.00000000093EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
                Source: explorer.exe, 0000000C.00000002.2075525076.0000000006E3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTndVMWare
                Source: explorer.exe, 00000019.00000002.2234296584.00000000083B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                Source: explorer.exe, 0000001F.00000002.2326063084.00000000012E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Y
                Source: explorer.exe, 00000013.00000002.2155054209.0000000007ACC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXT\PVMWare
                Source: explorer.exe, 00000019.00000002.2228035816.0000000001199000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
                Source: explorer.exe, 0000000C.00000002.2075525076.0000000006D19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%%''(())
                Source: explorer.exe, 0000001F.00000003.2302921918.000000000BD65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 0000001F.00000002.2326063084.00000000012E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Q
                Source: explorer.exe, 00000013.00000002.2148068915.0000000001224000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: explorer.exe, 00000019.00000003.2184609024.000000000840E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
                Source: C:\Windows\explorer.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\tjhvihc | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFAF340 DbgSetDebugFilterState
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Process queried: DebugPort
Source: C:\Windows\explorer.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\tjhvihc | Process queried: DebugPort
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF228F0 rdtsc
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF62C70 ZwFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA6FE0 RtlQueryProcessDebugInformation,memset,ZwOpenProcess,ZwOpenProcess,RtlWow64GetProcessMachines,ZwClose,ZwClose,ZwWow64CallFunction64,RtlpQueryProcessDebugInformationRemote,ZwWaitForSingleObject,ZwQueryInformationThread,ZwTerminateThread,ZwClose,ZwClose,RtlQueryProcessBackTraceInformation,RtlQueryProcessLockInformation,RtlQueryProcessHeapInformation,ZwClose
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_00910042 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 0_2_0096D02D push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF52CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF18CD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1CCC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF48CB1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD0CB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF9CCA0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF9CCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF18C8D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFBAC60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF2AC50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF26C50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF54C59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC4C34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC4C34 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1EC20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFBCC20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF30C00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5CC00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA4C0F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4CDF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4CDF0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF16DF6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC0DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF40DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1CDEA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4EDD3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA4DD7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5CDB1 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5CDB1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF48DBF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFE8DAE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF4DAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF56DA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFB8D6B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF20D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF28D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF4D30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA8D20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF16D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF54D1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD8D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF3AD00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF58EF5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF26EE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD6ED0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFBAEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD6EB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFACEA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1AE90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF52E9C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF52E9C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF26E71 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFA0E7F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1EE5A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF2E4F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF54E30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFB6E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFB6E20 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF18E1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF58E1A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4AE00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4AE00 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF60FF6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF18FF0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF18FF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFD6FF7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF3CFE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF4FE7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1EFD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF22FC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF52F98 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF5CF80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF56F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFF4F68 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CFC2F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF4AF69 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exe | Code function: 1_2_6CF1CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1CF50 mov eax, dword ptr fs:[00000030h]1_2_6CF1CF50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1CF50 mov eax, dword ptr fs:[00000030h]1_2_6CF1CF50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1CF50 mov eax, dword ptr fs:[00000030h]1_2_6CF1CF50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CF50 mov eax, dword ptr fs:[00000030h]1_2_6CF5CF50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC0F50 mov eax, dword ptr fs:[00000030h]1_2_6CFC0F50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4F40 mov eax, dword ptr fs:[00000030h]1_2_6CFA4F40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4F40 mov eax, dword ptr fs:[00000030h]1_2_6CFA4F40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4F40 mov eax, dword ptr fs:[00000030h]1_2_6CFA4F40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4F40 mov eax, dword ptr fs:[00000030h]1_2_6CFA4F40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC4F42 mov eax, dword ptr fs:[00000030h]1_2_6CFC4F42
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4EF28 mov eax, dword ptr fs:[00000030h]1_2_6CF4EF28
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF22F12 mov eax, dword ptr fs:[00000030h]1_2_6CF22F12
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF64F10 mov eax, dword ptr fs:[00000030h]1_2_6CF64F10
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CF1F mov eax, dword ptr fs:[00000030h]1_2_6CF5CF1F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD6F00 mov eax, dword ptr fs:[00000030h]1_2_6CFD6F00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 mov eax, dword ptr fs:[00000030h]1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 mov eax, dword ptr fs:[00000030h]1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 mov eax, dword ptr fs:[00000030h]1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 mov eax, dword ptr fs:[00000030h]1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 mov eax, dword ptr fs:[00000030h]1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF228F0 mov eax, dword ptr fs:[00000030h]1_2_6CF228F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C8F9 mov eax, dword ptr fs:[00000030h]1_2_6CF5C8F9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C8F9 mov eax, dword ptr fs:[00000030h]1_2_6CF5C8F9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFEA8E4 mov eax, dword ptr fs:[00000030h]1_2_6CFEA8E4
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4E8C0 mov eax, dword ptr fs:[00000030h]1_2_6CF4E8C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF08C0 mov eax, dword ptr fs:[00000030h]1_2_6CFF08C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC89D mov eax, dword ptr fs:[00000030h]1_2_6CFAC89D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20887 mov eax, dword ptr fs:[00000030h]1_2_6CF20887
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAE872 mov eax, dword ptr fs:[00000030h]1_2_6CFAE872
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAE872 mov eax, dword ptr fs:[00000030h]1_2_6CFAE872
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6870 mov eax, dword ptr fs:[00000030h]1_2_6CFB6870
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6870 mov eax, dword ptr fs:[00000030h]1_2_6CFB6870
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF50854 mov eax, dword ptr fs:[00000030h]1_2_6CF50854
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF24859 mov eax, dword ptr fs:[00000030h]1_2_6CF24859
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF24859 mov eax, dword ptr fs:[00000030h]1_2_6CF24859
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF42835 mov eax, dword ptr fs:[00000030h]1_2_6CF42835
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF42835 mov eax, dword ptr fs:[00000030h]1_2_6CF42835
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF42835 mov eax, dword ptr fs:[00000030h]1_2_6CF42835
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF42835 mov ecx, dword ptr fs:[00000030h]1_2_6CF42835
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF42835 mov eax, dword ptr fs:[00000030h]1_2_6CF42835
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF42835 mov eax, dword ptr fs:[00000030h]1_2_6CF42835
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A830 mov eax, dword ptr fs:[00000030h]1_2_6CF5A830
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC483A mov eax, dword ptr fs:[00000030h]1_2_6CFC483A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC483A mov eax, dword ptr fs:[00000030h]1_2_6CFC483A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC810 mov eax, dword ptr fs:[00000030h]1_2_6CFAC810
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF529F9 mov eax, dword ptr fs:[00000030h]1_2_6CF529F9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF529F9 mov eax, dword ptr fs:[00000030h]1_2_6CF529F9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAE9E0 mov eax, dword ptr fs:[00000030h]1_2_6CFAE9E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2A9D0 mov eax, dword ptr fs:[00000030h]1_2_6CF2A9D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2A9D0 mov eax, dword ptr fs:[00000030h]1_2_6CF2A9D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2A9D0 mov eax, dword ptr fs:[00000030h]1_2_6CF2A9D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2A9D0 mov eax, dword ptr fs:[00000030h]1_2_6CF2A9D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2A9D0 mov eax, dword ptr fs:[00000030h]1_2_6CF2A9D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2A9D0 mov eax, dword ptr fs:[00000030h]1_2_6CF2A9D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF549D0 mov eax, dword ptr fs:[00000030h]1_2_6CF549D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFEA9D3 mov eax, dword ptr fs:[00000030h]1_2_6CFEA9D3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB69C0 mov eax, dword ptr fs:[00000030h]1_2_6CFB69C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA89B3 mov esi, dword ptr fs:[00000030h]1_2_6CFA89B3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA89B3 mov eax, dword ptr fs:[00000030h]1_2_6CFA89B3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA89B3 mov eax, dword ptr fs:[00000030h]1_2_6CFA89B3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF329A0 mov eax, dword ptr fs:[00000030h]1_2_6CF329A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF209AD mov eax, dword ptr fs:[00000030h]1_2_6CF209AD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF209AD mov eax, dword ptr fs:[00000030h]1_2_6CF209AD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC4978 mov eax, dword ptr fs:[00000030h]1_2_6CFC4978
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC4978 mov eax, dword ptr fs:[00000030h]1_2_6CFC4978
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C970 mov eax, dword ptr fs:[00000030h]1_2_6CF5C970
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C970 mov eax, dword ptr fs:[00000030h]1_2_6CF5C970
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC97C mov eax, dword ptr fs:[00000030h]1_2_6CFAC97C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF46962 mov eax, dword ptr fs:[00000030h]1_2_6CF46962
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF46962 mov eax, dword ptr fs:[00000030h]1_2_6CF46962
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF46962 mov eax, dword ptr fs:[00000030h]1_2_6CF46962
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6096E mov eax, dword ptr fs:[00000030h]1_2_6CF6096E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6096E mov edx, dword ptr fs:[00000030h]1_2_6CF6096E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6096E mov eax, dword ptr fs:[00000030h]1_2_6CF6096E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A950 mov eax, dword ptr fs:[00000030h]1_2_6CF5A950
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA0946 mov eax, dword ptr fs:[00000030h]1_2_6CFA0946
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4940 mov eax, dword ptr fs:[00000030h]1_2_6CFF4940
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA892A mov eax, dword ptr fs:[00000030h]1_2_6CFA892A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB892B mov eax, dword ptr fs:[00000030h]1_2_6CFB892B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC912 mov eax, dword ptr fs:[00000030h]1_2_6CFAC912
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF18918 mov eax, dword ptr fs:[00000030h]1_2_6CF18918
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF18918 mov eax, dword ptr fs:[00000030h]1_2_6CF18918
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9E908 mov eax, dword ptr fs:[00000030h]1_2_6CF9E908
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9E908 mov eax, dword ptr fs:[00000030h]1_2_6CF9E908
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5AAEE mov eax, dword ptr fs:[00000030h]1_2_6CF5AAEE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5AAEE mov eax, dword ptr fs:[00000030h]1_2_6CF5AAEE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20AD0 mov eax, dword ptr fs:[00000030h]1_2_6CF20AD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF54AD0 mov eax, dword ptr fs:[00000030h]1_2_6CF54AD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF54AD0 mov eax, dword ptr fs:[00000030h]1_2_6CF54AD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF76ACC mov eax, dword ptr fs:[00000030h]1_2_6CF76ACC
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF76ACC mov eax, dword ptr fs:[00000030h]1_2_6CF76ACC
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF76ACC mov eax, dword ptr fs:[00000030h]1_2_6CF76ACC
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28AA0 mov eax, dword ptr fs:[00000030h]1_2_6CF28AA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28AA0 mov eax, dword ptr fs:[00000030h]1_2_6CF28AA0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF76AA4 mov eax, dword ptr fs:[00000030h]1_2_6CF76AA4
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58A90 mov edx, dword ptr fs:[00000030h]1_2_6CF58A90
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2EA80 mov eax, dword ptr fs:[00000030h]1_2_6CF2EA80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4A80 mov eax, dword ptr fs:[00000030h]1_2_6CFF4A80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9CA72 mov eax, dword ptr fs:[00000030h]1_2_6CF9CA72
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9CA72 mov eax, dword ptr fs:[00000030h]1_2_6CF9CA72
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CA6F mov eax, dword ptr fs:[00000030h]1_2_6CF5CA6F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CA6F mov eax, dword ptr fs:[00000030h]1_2_6CF5CA6F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CA6F mov eax, dword ptr fs:[00000030h]1_2_6CF5CA6F
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFCEA60 mov eax, dword ptr fs:[00000030h]1_2_6CFCEA60
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF26A50 mov eax, dword ptr fs:[00000030h]1_2_6CF26A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF50A50 mov eax, dword ptr fs:[00000030h]1_2_6CF50A50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF30A5B mov eax, dword ptr fs:[00000030h]1_2_6CF30A5B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF30A5B mov eax, dword ptr fs:[00000030h]1_2_6CF30A5B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF44A35 mov eax, dword ptr fs:[00000030h]1_2_6CF44A35
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF44A35 mov eax, dword ptr fs:[00000030h]1_2_6CF44A35
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CA38 mov eax, dword ptr fs:[00000030h]1_2_6CF5CA38
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5CA24 mov eax, dword ptr fs:[00000030h]1_2_6CF5CA24
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4EA2E mov eax, dword ptr fs:[00000030h]1_2_6CF4EA2E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFACA11 mov eax, dword ptr fs:[00000030h]1_2_6CFACA11
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28BF0 mov eax, dword ptr fs:[00000030h]1_2_6CF28BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28BF0 mov eax, dword ptr fs:[00000030h]1_2_6CF28BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28BF0 mov eax, dword ptr fs:[00000030h]1_2_6CF28BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58BF0 mov ecx, dword ptr fs:[00000030h]1_2_6CF58BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58BF0 mov eax, dword ptr fs:[00000030h]1_2_6CF58BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58BF0 mov eax, dword ptr fs:[00000030h]1_2_6CF58BF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4EBFC mov eax, dword ptr fs:[00000030h]1_2_6CF4EBFC
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFACBF0 mov eax, dword ptr fs:[00000030h]1_2_6CFACBF0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFCEBD0 mov eax, dword ptr fs:[00000030h]1_2_6CFCEBD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20BCD mov eax, dword ptr fs:[00000030h]1_2_6CF20BCD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20BCD mov eax, dword ptr fs:[00000030h]1_2_6CF20BCD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20BCD mov eax, dword ptr fs:[00000030h]1_2_6CF20BCD
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF40BCB mov eax, dword ptr fs:[00000030h]1_2_6CF40BCB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF40BCB mov eax, dword ptr fs:[00000030h]1_2_6CF40BCB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF40BCB mov eax, dword ptr fs:[00000030h]1_2_6CF40BCB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF30BBE mov eax, dword ptr fs:[00000030h]1_2_6CF30BBE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF30BBE mov eax, dword ptr fs:[00000030h]1_2_6CF30BBE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4BB0 mov eax, dword ptr fs:[00000030h]1_2_6CFD4BB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4BB0 mov eax, dword ptr fs:[00000030h]1_2_6CFD4BB0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1CB7E mov eax, dword ptr fs:[00000030h]1_2_6CF1CB7E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF18B50 mov eax, dword ptr fs:[00000030h]1_2_6CF18B50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF2B57 mov eax, dword ptr fs:[00000030h]1_2_6CFF2B57
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF2B57 mov eax, dword ptr fs:[00000030h]1_2_6CFF2B57
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF2B57 mov eax, dword ptr fs:[00000030h]1_2_6CFF2B57
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF2B57 mov eax, dword ptr fs:[00000030h]1_2_6CFF2B57
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFCEB50 mov eax, dword ptr fs:[00000030h]1_2_6CFCEB50
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4B4B mov eax, dword ptr fs:[00000030h]1_2_6CFD4B4B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4B4B mov eax, dword ptr fs:[00000030h]1_2_6CFD4B4B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6B40 mov eax, dword ptr fs:[00000030h]1_2_6CFB6B40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6B40 mov eax, dword ptr fs:[00000030h]1_2_6CFB6B40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC8B42 mov eax, dword ptr fs:[00000030h]1_2_6CFC8B42
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFEAB40 mov eax, dword ptr fs:[00000030h]1_2_6CFEAB40
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4EB20 mov eax, dword ptr fs:[00000030h]1_2_6CF4EB20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4EB20 mov eax, dword ptr fs:[00000030h]1_2_6CF4EB20
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9EB1D mov eax, dword ptr fs:[00000030h]1_2_6CF9EB1D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4B00 mov eax, dword ptr fs:[00000030h]1_2_6CFF4B00
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF204E5 mov ecx, dword ptr fs:[00000030h]1_2_6CF204E5
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF544B0 mov ecx, dword ptr fs:[00000030h]1_2_6CF544B0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAA4B0 mov eax, dword ptr fs:[00000030h]1_2_6CFAA4B0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF264AB mov eax, dword ptr fs:[00000030h]1_2_6CF264AB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDA49A mov eax, dword ptr fs:[00000030h]1_2_6CFDA49A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4A470 mov eax, dword ptr fs:[00000030h]1_2_6CF4A470
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4A470 mov eax, dword ptr fs:[00000030h]1_2_6CF4A470
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4A470 mov eax, dword ptr fs:[00000030h]1_2_6CF4A470
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAC460 mov ecx, dword ptr fs:[00000030h]1_2_6CFAC460
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFDA456 mov eax, dword ptr fs:[00000030h]1_2_6CFDA456
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1645D mov eax, dword ptr fs:[00000030h]1_2_6CF1645D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4245A mov eax, dword ptr fs:[00000030h]1_2_6CF4245A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E443 mov eax, dword ptr fs:[00000030h]1_2_6CF5E443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A430 mov eax, dword ptr fs:[00000030h]1_2_6CF5A430
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1E420 mov eax, dword ptr fs:[00000030h]1_2_6CF1E420
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1E420 mov eax, dword ptr fs:[00000030h]1_2_6CF1E420
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1E420 mov eax, dword ptr fs:[00000030h]1_2_6CF1E420
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1C427 mov eax, dword ptr fs:[00000030h]1_2_6CF1C427
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA6420 mov eax, dword ptr fs:[00000030h]1_2_6CFA6420
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58402 mov eax, dword ptr fs:[00000030h]1_2_6CF58402
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF225E0 mov eax, dword ptr fs:[00000030h]1_2_6CF225E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C5ED mov eax, dword ptr fs:[00000030h]1_2_6CF5C5ED
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF265D0 mov eax, dword ptr fs:[00000030h]1_2_6CF265D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A5D0 mov eax, dword ptr fs:[00000030h]1_2_6CF5A5D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E5CF mov eax, dword ptr fs:[00000030h]1_2_6CF5E5CF
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF445B1 mov eax, dword ptr fs:[00000030h]1_2_6CF445B1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5E59C mov eax, dword ptr fs:[00000030h]1_2_6CF5E59C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF22582 mov eax, dword ptr fs:[00000030h]1_2_6CF22582
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF22582 mov ecx, dword ptr fs:[00000030h]1_2_6CF22582
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1A580 mov ecx, dword ptr fs:[00000030h]1_2_6CF1A580
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1A580 mov eax, dword ptr fs:[00000030h]1_2_6CF1A580
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF54588 mov eax, dword ptr fs:[00000030h]1_2_6CF54588
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28550 mov eax, dword ptr fs:[00000030h]1_2_6CF28550
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4E53E mov eax, dword ptr fs:[00000030h]1_2_6CF4E53E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6500 mov eax, dword ptr fs:[00000030h]1_2_6CFB6500
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFF4500 mov eax, dword ptr fs:[00000030h]1_2_6CFF4500
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9E6F2 mov eax, dword ptr fs:[00000030h]1_2_6CF9E6F2
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA06F1 mov eax, dword ptr fs:[00000030h]1_2_6CFA06F1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A6C7 mov ebx, dword ptr fs:[00000030h]1_2_6CF5A6C7
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A6C7 mov eax, dword ptr fs:[00000030h]1_2_6CF5A6C7
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF566B0 mov eax, dword ptr fs:[00000030h]1_2_6CF566B0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C6A6 mov eax, dword ptr fs:[00000030h]1_2_6CF5C6A6
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF24690 mov eax, dword ptr fs:[00000030h]1_2_6CF24690
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF52674 mov eax, dword ptr fs:[00000030h]1_2_6CF52674
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A660 mov eax, dword ptr fs:[00000030h]1_2_6CF5A660
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF3C640 mov eax, dword ptr fs:[00000030h]1_2_6CF3C640
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF3E627 mov eax, dword ptr fs:[00000030h]1_2_6CF3E627
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF56620 mov eax, dword ptr fs:[00000030h]1_2_6CF56620
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF58620 mov eax, dword ptr fs:[00000030h]1_2_6CF58620
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2262C mov eax, dword ptr fs:[00000030h]1_2_6CF2262C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62619 mov eax, dword ptr fs:[00000030h]1_2_6CF62619
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9E609 mov eax, dword ptr fs:[00000030h]1_2_6CF9E609
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF3260B mov eax, dword ptr fs:[00000030h]1_2_6CF3260B
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C7F0 mov eax, dword ptr fs:[00000030h]1_2_6CF5C7F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF247FB mov eax, dword ptr fs:[00000030h]1_2_6CF247FB
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF427ED mov eax, dword ptr fs:[00000030h]1_2_6CF427ED
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAE7E1 mov eax, dword ptr fs:[00000030h]1_2_6CFAE7E1
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF467C0 mov eax, dword ptr fs:[00000030h]1_2_6CF467C0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA07C3 mov eax, dword ptr fs:[00000030h]1_2_6CFA07C3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF207AF mov eax, dword ptr fs:[00000030h]1_2_6CF207AF
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD47A0 mov eax, dword ptr fs:[00000030h]1_2_6CFD47A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC678E mov eax, dword ptr fs:[00000030h]1_2_6CFC678E
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF28770 mov eax, dword ptr fs:[00000030h]1_2_6CF28770
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20750 mov eax, dword ptr fs:[00000030h]1_2_6CF20750
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF62750 mov eax, dword ptr fs:[00000030h]1_2_6CF62750
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFAE75D mov eax, dword ptr fs:[00000030h]1_2_6CFAE75D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4755 mov eax, dword ptr fs:[00000030h]1_2_6CFA4755
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1A740 mov eax, dword ptr fs:[00000030h]1_2_6CF1A740
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5674D mov esi, dword ptr fs:[00000030h]1_2_6CF5674D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5674D mov eax, dword ptr fs:[00000030h]1_2_6CF5674D
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF9C730 mov eax, dword ptr fs:[00000030h]1_2_6CF9C730
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5273C mov eax, dword ptr fs:[00000030h]1_2_6CF5273C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5273C mov ecx, dword ptr fs:[00000030h]1_2_6CF5273C
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C720 mov eax, dword ptr fs:[00000030h]1_2_6CF5C720
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20710 mov eax, dword ptr fs:[00000030h]1_2_6CF20710
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF50710 mov eax, dword ptr fs:[00000030h]1_2_6CF50710
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C700 mov eax, dword ptr fs:[00000030h]1_2_6CF5C700
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1C0F0 mov eax, dword ptr fs:[00000030h]1_2_6CF1C0F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF620F0 mov ecx, dword ptr fs:[00000030h]1_2_6CF620F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1A0E3 mov ecx, dword ptr fs:[00000030h]1_2_6CF1A0E3
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA60E0 mov eax, dword ptr fs:[00000030h]1_2_6CFA60E0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF280E9 mov eax, dword ptr fs:[00000030h]1_2_6CF280E9
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA20DE mov eax, dword ptr fs:[00000030h]1_2_6CFA20DE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE60B8 mov eax, dword ptr fs:[00000030h]1_2_6CFE60B8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFE60B8 mov ecx, dword ptr fs:[00000030h]1_2_6CFE60B8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF180A0 mov eax, dword ptr fs:[00000030h]1_2_6CF180A0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB80A8 mov eax, dword ptr fs:[00000030h]1_2_6CFB80A8
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF2208A mov eax, dword ptr fs:[00000030h]1_2_6CF2208A
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF4C073 mov eax, dword ptr fs:[00000030h]1_2_6CF4C073
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5A060 mov eax, dword ptr fs:[00000030h]1_2_6CF5A060
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF22050 mov eax, dword ptr fs:[00000030h]1_2_6CF22050
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA6050 mov eax, dword ptr fs:[00000030h]1_2_6CFA6050
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6030 mov eax, dword ptr fs:[00000030h]1_2_6CFB6030
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1A020 mov eax, dword ptr fs:[00000030h]1_2_6CF1A020
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1C020 mov eax, dword ptr fs:[00000030h]1_2_6CF1C020
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF3E016 mov eax, dword ptr fs:[00000030h]1_2_6CF3E016
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFA4000 mov ecx, dword ptr fs:[00000030h]1_2_6CFA4000
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFC6F80 RtlGetProcessHeaps,RtlDebugPrintTimes,1_2_6CFC6F80
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF5C1F0 RtlSetUnhandledExceptionFilter,RtlSetUnhandledExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,1_2_6CF5C1F0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF1B120 RtlAddVectoredExceptionHandler,1_2_6CF1B120

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Windows\explorer.exeFile created: tjhvihc.2.drJump to dropped file
                Source: C:\Windows\explorer.exeNetwork Connect: 188.40.141.211 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 88.221.110.129 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 204.79.197.203 443
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 0_2_00910110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_00910110
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeMemory written: C:\Users\user\Desktop\2019-09-02_22-41-10.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcMemory written: C:\Users\user\AppData\Roaming\tjhvihc base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeProcess created: C:\Users\user\Desktop\2019-09-02_22-41-10.exe "C:\Users\user\Desktop\2019-09-02_22-41-10.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcProcess created: C:\Users\user\AppData\Roaming\tjhvihc C:/Users/user/AppData/Roaming/tjhvihcJump to behavior
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFB6500 RtlAllocateAndInitializeSidEx,RtlAllocateHeap,1_2_6CFB6500
                Source: explorer.exe, 00000002.00000000.1748863440.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1752635070.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1749907997.0000000004CE0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000002.00000000.1748863440.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000003.1982819349.0000000006E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2075525076.0000000006E3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
                Source: explorer.exe, 0000001F.00000002.2350945459.0000000007D44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnde
                Source: explorer.exe, 0000000C.00000002.2075525076.0000000006D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndplayr/
                Source: explorer.exe, 00000019.00000002.2228035816.0000000001199000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0Progman
                Source: explorer.exe, 00000002.00000000.1748585403.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.1973634434.0000000001248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progman$
                Source: explorer.exe, 00000002.00000000.1748863440.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: explorer.exe, 0000000C.00000002.2068019983.0000000000577000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0ProgmanWQ
                Source: explorer.exe, 00000002.00000000.1748863440.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                Source: explorer.exe, 0000001F.00000002.2326063084.00000000012E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman=Q
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\tjhvihcQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF635D0 ZwCreateNamedPipeFile,1_2_6CF635D0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 0_2_00404652 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00404652
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CFD4420 RtlVerifyVersionInfo,memset,RtlGetVersion,1_2_6CFD4420
                Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: 1.2.2019-09-02_22-41-10.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.tjhvihc.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.2019-09-02_22-41-10.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.tjhvihc.a715a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2019-09-02_22-41-10.exe.9115a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.tjhvihc.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1933390239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2952524704.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: 1.2.2019-09-02_22-41-10.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.tjhvihc.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.2019-09-02_22-41-10.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.tjhvihc.a715a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2019-09-02_22-41-10.exe.9115a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.tjhvihc.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1933390239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2952524704.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6EC72 __raise_exc,WinSqmStartSqmOptinListener,1_2_6CF6EC72
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF20770 WinSqmStartSqmOptinListener,1_2_6CF20770
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6DEAE WinSqmStartSqmOptinListener,1_2_6CF6DEAE
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF63AD0 ZwListenPort,1_2_6CF63AD0
                Source: C:\Users\user\Desktop\2019-09-02_22-41-10.exeCode function: 1_2_6CF6D492 WinSqmStartSqmOptinListener,WinSqmStartSqmOptinListener,_errno,WinSqmStartSqmOptinListener,_errno,1_2_6CF6D492
                Mitre Att&ck Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 11 DLL Side-Loading | 413 Process Injection | 23 Virtualization/Sandbox Evasion | LSASS Memory | 551 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 DLL Side-Loading | 413 Process Injection | Security Account Manager | 23 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | 15 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Regsvr32 | DCSync | 15 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 File Deletion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph ID: 1597239 | Sample: 2019-09-02_22-41-10.exe | Startdate: 23/01/2025 | Architecture: WINDOWS | Score: 100

                Process tree recovered from the behavior graph:
                - 2019-09-02_22-41-10.exe -> 2019-09-02_22-41-10.exe (dropped: C:\Users\user\AppData\Local\Temp\D47F.tmp, PE32) -> explorer.exe (injected)
                - explorer.exe (injected): advertserv25.world 188.40.141.211:80 (HETZNER-ASDE, Germany); a1961.g2.akamai.net 88.221.110.129:80 (AKAMAI-ASN1EU, European Union); dropped: C:\Users\user\AppData\Roaming\tjhvihc (PE32), C:\Users\user\...\tjhvihc:Zone.Identifier (ASCII), C:\Users\user\AppData\Roaming\jvajahs (XML); started WerFault.exe
                - regsvr32.exe -> tjhvihc -> tjhvihc -> explorer.exe (injected): a-0003.a-msedge.net 204.79.197.203:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); started WerFault.exe
                - 3 other processes (WerFault.exe)
