Edit tour

Windows Analysis Report
FgfPZQyCMj.exe

Overview

General Information

Sample name:	FgfPZQyCMj.exe renamed because original name is a hash value
Original sample name:	1a70f6117a1037361889817c2d0b0394ed7d892f1a158724bbcf83f7da46af68.exe
Analysis ID:	1598922
MD5:	03cae552e720d61dca3d4d390e874ec0
SHA1:	29676e54976c617adbfe42ae642506f42f6fe00a
SHA256:	1a70f6117a1037361889817c2d0b0394ed7d892f1a158724bbcf83f7da46af68
Tags:	exeuser-Bastian455_
Infos:

Detection

Ramnit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

DLL reload attack detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Ramnit

Contains functionality to check if a debugger is attached (DbgSetDebugFilterState,NtSetDebugFilterState)

Delayed program exit found

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Renames NTDLL to bypass HIPS

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (RtlQueryProcessDebugInformation/HeapInformation)

Contains functionality to communicate with device drivers

Contains functionality to load drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May infect USB drives

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

FgfPZQyCMj.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\FgfPZQyCMj.exe" MD5: 03CAE552E720D61DCA3D4D390E874EC0)

WerFault.exe (PID: 7664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ramnit	According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.	No Attribution	http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html http://www.secureworks.com/research/threat-profiles/gold-fairfax http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html https://artik.blue/malware4	https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Ramnit	Ramnit Payload	kevoreilly	0x1527:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x7430:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0xf35a:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x76c6:$xor_loop: 83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 14 4A 8A 1C 32 32 1F 88 1F 47 4A E2 ED 0x5006:$id_string: {%08X-%04X-%04X-%04X-%08X%04X} 0x1356d:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
Process Memory Space: FgfPZQyCMj.exe PID: 7580	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FgfPZQyCMj.exe.40529f.2.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
0.2.FgfPZQyCMj.exe.40529f.2.unpack	Ramnit	Ramnit Payload	kevoreilly	0x1591:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x94bb:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x1827:$xor_loop: 83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 14 4A 8A 1C 32 32 1F 88 1F 47 4A E2 ED 0xd2ce:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
0.2.FgfPZQyCMj.exe.400000.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
0.2.FgfPZQyCMj.exe.400000.1.raw.unpack	Ramnit	Ramnit Payload	kevoreilly	0x1527:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x7430:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0xf35a:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x76c6:$xor_loop: 83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 14 4A 8A 1C 32 32 1F 88 1F 47 4A E2 ED 0x5006:$id_string: {%08X-%04X-%04X-%04X-%08X%04X} 0x1356d:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
0.2.FgfPZQyCMj.exe.400000.1.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
0.2.FgfPZQyCMj.exe.400000.1.unpack	Ramnit	Ramnit Payload	kevoreilly	0x1527:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x7430:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0xf35a:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x76c6:$xor_loop: 83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 14 4A 8A 1C 32 32 1F 88 1F 47 4A E2 ED 0x5006:$id_string: {%08X-%04X-%04X-%04X-%08X%04X} 0x1356d:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack	Ramnit	Ramnit Payload	kevoreilly	0x2191:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0xa0bb:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B 0x2427:$xor_loop: 83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 14 4A 8A 1C 32 32 1F 88 1F 47 4A E2 ED 0xe2ce:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FgfPZQyCMj.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: FgfPZQyCMj.exe	Virustotal: Detection: 93%			Perma Link
Source: FgfPZQyCMj.exe	ReversingLabs: Detection: 97%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FgfPZQyCMj.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF6E8C2 MD5Update,MD5Update,MD5Final,

0_2_6CF6E8C2

Source: FgfPZQyCMj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: FgfPZQyCMj.exe, 00000000.00000002.2041798965.000000006CEB1000.00000020.00000001.01000000.00000004.sdmp, ~TMF551.tmp.0.dr
Source:	Binary string: wntdll.pdb source: FgfPZQyCMj.exe, FgfPZQyCMj.exe, 00000000.00000002.2041798965.000000006CEB1000.00000020.00000001.01000000.00000004.sdmp, ~TMF551.tmp.0.dr

Source: FgfPZQyCMj.exe	Binary or memory string: autorun.inf
Source: FgfPZQyCMj.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=%s shell\explore\command=%s USEAUTOPLAY=1 shell\Open\command=%s
Source: FgfPZQyCMj.exe, 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: FgfPZQyCMj.exe, 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: FgfPZQyCMj.exe, 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: //--></SCRIPT><!---->RmNautorun.infexecpl[autorun]
Source: FgfPZQyCMj.exe, 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: //--></SCRIPT><!---->RmNautorun.infexecpl[autorun]

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_004011F8 FindFirstFileA,FindClose,

0_2_004011F8

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

E-Banking Fraud

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE	Matched rule: Ramnit Payload Author: kevoreilly
Source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Ramnit Payload Author: kevoreilly
Source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Ramnit Payload Author: kevoreilly
Source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ramnit Payload Author: kevoreilly
Source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Ramnit Payload Author: kevoreilly

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_00401B4B NtQuerySystemInformation,	0_2_00401B4B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_00401B2F NtQueryInformationProcess,	0_2_00401B2F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12CF0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx,	0_2_6CF12CF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22CF0 ZwOpenProcess,	0_2_6CF22CF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22CE0 ZwQueryInformationThread,	0_2_6CF22CE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22CD0 ZwOpenThreadToken,	0_2_6CF22CD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF38CD0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,	0_2_6CF38CD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCCC8 memset,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,RtlInitUnicodeString,RtlCultureNameToLCID,RtlInitUnicodeString,RtlCultureNameToLCID,	0_2_6CEDCCC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7ACD0 RtlQueryCriticalSectionOwner,ZwReadVirtualMemory,RtlQueryCriticalSectionOwner,	0_2_6CF7ACD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22CC0 ZwQueryVirtualMemory,	0_2_6CF22CC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB0CC0 EtwRegisterSecurityProvider,ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CFB0CC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6ACC8 ZwClose,ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,	0_2_6CF6ACC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF08CB1 RtlInitUnicodeString,ZwQueryLicenseValue,RtlAllocateHeap,ZwQueryLicenseValue,RtlFreeHeap,	0_2_6CF08CB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22CB0 ZwRequestWaitReplyPort,	0_2_6CF22CB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22CA0 ZwQueryInformationToken,	0_2_6CF22CA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CCA0 RtlAppxIsFileOwnedByTrustedInstaller,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlGetOwnerSecurityDescriptor,RtlCreateServiceSid,RtlAllocateHeap,RtlCreateServiceSid,RtlEqualSid,RtlFreeHeap,RtlFreeHeap,	0_2_6CF5CCA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66CA0 RtlCreateQueryDebugBuffer,ZwCreateSection,ZwMapViewOfSection,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,ZwFreeVirtualMemory,ZwFreeVirtualMemory,ZwUnmapViewOfSection,ZwClose,	0_2_6CF66CA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8C8D RtlFreeHeap,ZwSetEvent,ZwAlertThreadByThreadId,	0_2_6CED8C8D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C90 ZwReleaseMutant,	0_2_6CF22C90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C80 ZwImpersonateClientOfPort,	0_2_6CF22C80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C70 ZwFreeVirtualMemory,	0_2_6CF22C70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEC6B RtlGetSuiteMask,TpSetPoolWorkerThreadIdleTimeout,TpSetPoolMaxThreads,NtLockProductActivationKeys,TpAllocWork,	0_2_6CEDEC6B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C60 ZwCreateKey,	0_2_6CF22C60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6EC65 ZwWow64CsrCaptureMessageString,	0_2_6CF6EC65
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C50 ZwSetInformationProcess,	0_2_6CF22C50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C40 ZwWriteFileGather,	0_2_6CF22C40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24C40 RtlUnhandledExceptionFilter,ZwTerminateProcess,	0_2_6CF24C40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 LdrpResGetMappingSize,RtlImageNtHeaderEx,ZwQueryVirtualMemory,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C30 ZwWaitForMultipleObjects32,	0_2_6CF22C30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24C30 RtlUnhandledExceptionFilter,ZwTerminateProcess,	0_2_6CF24C30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlCultureNameToLCID,RtlAllocateHeap,RtlReAllocateHeap,memcpy,memset,ZwQueryDirectoryFile,ZwClose,RtlFreeHeap,RtlFreeHeap,	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEC20 TpSetPoolWorkerThreadIdleTimeout,ZwSetInformationWorkerFactory,	0_2_6CEDEC20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1AC00 RtlpCheckDynamicTimeZoneInformation,memcmp,ZwClose,	0_2_6CF1AC00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C00 ZwQueryInformationProcess,	0_2_6CF22C00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22C0A NtQueryInformationProcess,	0_2_6CF22C0A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22DF0 ZwQuerySystemInformation,	0_2_6CF22DF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF80DF0 RtlCheckBootStatusIntegrity,ZwReadFile,RtlAllocateHeap,ZwReadFile,RtlFreeHeap,	0_2_6CF80DF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8ADF0 RtlConnectToSm,RtlInitUnicodeString,memset,memcpy,ZwAlpcConnectPort,	0_2_6CF8ADF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF00DE1 RtlAcquireSRWLockExclusive,RtlAllocateHeap,memcpy,ZwSetInformationProcess,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CF00DE1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22DE0 ZwQueryDirectoryFile,	0_2_6CF22DE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96DE0 RtlIsPartialPlaceholderFileHandle,ZwQueryInformationFile,	0_2_6CF96DE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64DD7 DbgPrint,DbgPrompt,ZwTerminateThread,ZwTerminateProcess,DbgPrint,	0_2_6CF64DD7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22DD0 ZwDelayExecution,	0_2_6CF22DD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EDD3 RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,	0_2_6CF0EDD3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22DC0 ZwOpenFile,	0_2_6CF22DC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4DC4 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,	0_2_6CFB4DC4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CDB1 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwQueryInformationProcess,RtlRaiseStatus,RtlFreeHeap,LdrControlFlowGuardEnforced,RtlFreeHeap,	0_2_6CF1CDB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22DB0 ZwEnumerateKey,	0_2_6CF22DB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF70DB0 RtlSetImageMitigationPolicy,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,ZwOpenKey,ZwDeleteValueKey,ZwDeleteValueKey,ZwQueryValueKey,memcpy,ZwSetValueKey,RtlSetImageMitigationPolicy,ZwClose,	0_2_6CF70DB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8DA4 RtlInitializeCriticalSectionEx,ZwDelayExecution,	0_2_6CEE8DA4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22DA0 ZwQueryPerformanceCounter,	0_2_6CF22DA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D90 ZwOpenProcessTokenEx,	0_2_6CF22D90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF68D87 RtlAppendUnicodeStringToString,ZwOpenKey,	0_2_6CF68D87
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D80 ZwOpenThreadTokenEx,	0_2_6CF22D80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D70 ZwReadFileScatter,	0_2_6CF22D70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF00D77 ZwProtectVirtualMemory,	0_2_6CF00D77
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D60 ZwSetEventBoostPriority,	0_2_6CF22D60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D50 ZwTerminateProcess,	0_2_6CF22D50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D40 ZwReplyWaitReceivePortEx,	0_2_6CF22D40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CD47 ZwCancelWaitCompletionPacket,RtlDebugPrintTimes,	0_2_6CF1CD47
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0D59 memset,RtlRunOnceExecuteOnce,ZwTraceControl,LdrInitializeThunk,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,	0_2_6CEE0D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D30 ZwUnmapViewOfSection,	0_2_6CF22D30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF88D31 RtlInitUnicodeString,memset,RtlAppendUnicodeStringToString,RtlAppendUnicodeStringToString,ZwOpenKey,ZwQueryValueKey,_allmul,ZwClose,	0_2_6CF88D31
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64D39 RtlReportSilentProcessExit,ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,ZwTerminateProcess,	0_2_6CF64D39
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D20 ZwAccessCheckAndAuditAlarm,	0_2_6CF22D20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6AD20 ZwDuplicateObject,ZwDuplicateObject,	0_2_6CF6AD20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96D21 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,	0_2_6CF96D21
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D10 ZwMapViewOfSection,	0_2_6CF22D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF38D10 RtlRaiseStatus,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,	0_2_6CF38D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22D00 ZwSetInformationFile,	0_2_6CF22D00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB0D00 EtwWriteUMSecurityEvent,ZwTraceEvent,RtlNtStatusToDosError,	0_2_6CFB0D00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED6D10 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,LdrQueryImageFileKeyOption,	0_2_6CED6D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22EF0 ZwYieldExecution,	0_2_6CF22EF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB0EF0 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,	0_2_6CFB0EF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22EE0 ZwQueueApcThread,	0_2_6CF22EE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22ED0 ZwQueryDefaultUILanguage,	0_2_6CF22ED0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22EC0 ZwContinue,	0_2_6CF22EC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22EB0 ZwDuplicateToken,	0_2_6CF22EB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AEB0 RtlpNotOwnerCriticalSection,DbgPrintEx,ZwQueryInformationProcess,RtlRaiseStatus,RtlRaiseStatus,RtlDebugPrintTimes,RtlpNotOwnerCriticalSection,	0_2_6CF7AEB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22EA0 ZwAdjustPrivilegesToken,	0_2_6CF22EA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CEA0 LdrAddDllDirectory,RtlDetermineDosPathNameType_U,ZwQueryAttributesFile,RtlFreeHeap,RtlAllocateHeap,LdrInitializeThunk,LdrInitializeThunk,memcpy,RtlAcquireSRWLockExclusive,@_EH4_CallFilterFunc@8,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,LdrAddDllDirectory,	0_2_6CF6CEA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E90 ZwOpenEvent,	0_2_6CF22E90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF88E90 memcpy,ZwUnmapViewOfSection,ZwMapViewOfSection,memcpy,	0_2_6CF88E90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E80 ZwReadVirtualMemory,	0_2_6CF22E80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDAE90 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,TpReleasePool,	0_2_6CEDAE90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E70 ZwClearEvent,	0_2_6CF22E70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF60E7F RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_6CF60E7F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAAE75 ZwFreeVirtualMemory,RtlAcquireSRWLockExclusive,RtlRbRemoveNode,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CFAAE75
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E60 ZwQueryAttributesFile,	0_2_6CF22E60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9EE6D memset,ZwCreateSection,ZwClose,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwUnmapViewOfSection,ZwClose,	0_2_6CF9EE6D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8E6C memset,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,ZwQueryInformationThread,memset,ZwGetContextThread,	0_2_6CFB8E6C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6E71 RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,	0_2_6CEE6E71
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14E50 RtlDecodePointer,RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CF14E50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16E50 RtlAdjustPrivilege,ZwOpenProcessToken,ZwAdjustPrivilegesToken,ZwClose,ZwOpenThreadToken,RtlAdjustPrivilege,	0_2_6CF16E50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E50 ZwDuplicateObject,	0_2_6CF22E50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66E50 RtlDestroyQueryDebugBuffer,ZwClose,ZwUnmapViewOfSection,	0_2_6CF66E50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4E52 ZwAlertThreadByThreadId,	0_2_6CFB4E52
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E40 ZwCloseObjectAuditAlarm,	0_2_6CF22E40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94E4D ZwQueryPerformanceCounter,RtlRandomEx,	0_2_6CF94E4D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9CE4E memset,memset,memset,ZwQueryInstallUILanguage,ZwIsUILanguageComitted,RtlLCIDToCultureName,ZwQueryValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,RtlInitUnicodeString,ZwQueryValueKey,ZwEnumerateValueKey,RtlCompareUnicodeStrings,RtlCompareUnicodeStrings,	0_2_6CF9CE4E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E30 ZwWriteVirtualMemory,	0_2_6CF22E30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA0E3D ZwQuerySystemInformation,	0_2_6CFA0E3D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E20 ZwFsControlFile,	0_2_6CF22E20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24E20 KiUserApcDispatcher,RtlDebugPrintTimes,RtlDebugPrintTimes,ZwContinue,RtlRaiseStatus,	0_2_6CF24E20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF68E16 ZwOpenProcessTokenEx,ZwQueryInformationToken,ZwClose,RtlConvertSidToUnicodeString,	0_2_6CF68E16
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E10 ZwQueryTimer,	0_2_6CF22E10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CE16 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,	0_2_6CF5CE16
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6EE10 AlpcAdjustCompletionListConcurrencyCount,ZwAlpcSetInformation,	0_2_6CF6EE10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18E1A RtlReleaseActivationContext,LdrUnloadDll,ZwClose,RtlFreeHeap,	0_2_6CF18E1A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8E1D RtlFreeHeap,ZwSetEvent,ZwClose,	0_2_6CED8E1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22E00 ZwOpenSection,	0_2_6CF22E00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14FF1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,	0_2_6CF14FF1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22FF0 ZwQueryEvent,	0_2_6CF22FF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20FF6 RtlAllocateHeap,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlFreeHeap,	0_2_6CF20FF6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22FE0 ZwCreateFile,	0_2_6CF22FE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66FE0 RtlQueryProcessDebugInformation,memset,ZwOpenProcess,ZwOpenProcess,RtlWow64GetProcessMachines,ZwClose,ZwClose,ZwWow64CallFunction64,RtlpQueryProcessDebugInformationRemote,ZwWaitForSingleObject,ZwQueryInformationThread,ZwTerminateThread,ZwClose,ZwClose,RtlQueryProcessBackTraceInformation,RtlQueryProcessLockInformation,RtlQueryProcessHeapInformation,ZwClose,	0_2_6CF66FE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4FE7 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CFB4FE7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22FD0 ZwReadRequestData,	0_2_6CF22FD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9AFD0 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,	0_2_6CF9AFD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22FC0 ZwTerminateThread,	0_2_6CF22FC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEFD8 RtlRunOnceExecuteOnce,LdrInitializeThunk,LdrInitializeThunk,ZwAllocateVirtualMemory,LdrInitializeThunk,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_6CEDEFD8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AFCE ZwQueryInformationProcess,RtlRaiseStatus,RtlCaptureContext,ZwQueryInformationProcess,RtlRaiseException,	0_2_6CF7AFCE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22FB0 ZwResumeThread,	0_2_6CF22FB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1AFB8 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,ZwEnumerateValueKey,DbgPrint,ZwDeleteValueKey,RtlDebugPrintTimes,ZwDeleteValueKey,DbgPrint,ZwClose,	0_2_6CF1AFB8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22FA0 ZwQuerySection,	0_2_6CF22FA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F90 ZwProtectVirtualMemory,	0_2_6CF22F90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12F98 memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose,	0_2_6CF12F98
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F80 ZwIsProcessInJob,	0_2_6CF22F80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24F80 KiUserExceptionDispatcher,RtlDebugPrintTimes,ZwContinue,ZwRaiseException,RtlRaiseException,	0_2_6CF24F80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB0F88 ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CFB0F88
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB6F80 PssNtFreeRemoteSnapshot,ZwReadVirtualMemory,ZwFreeVirtualMemory,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwDuplicateObject,ZwFreeVirtualMemory,	0_2_6CFB6F80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F70 ZwCreateThread,	0_2_6CF22F70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6AF7A ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,	0_2_6CF6AF7A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F60 ZwCreateProcessEx,	0_2_6CF22F60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4F68 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CFB4F68
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8AF60 RtlSendMsgToSm,ZwAlpcSendWaitReceivePort,	0_2_6CF8AF60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F50 ZwApphelpCacheControl,	0_2_6CF22F50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4F5C ZwTerminateProcess,	0_2_6CFB4F5C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF80F50 RtlCreateBootStatusDataFile,RtlInitUnicodeString,RtlInitUnicodeString,ZwCreateFile,ZwWriteFile,RtlRestoreBootStatusDefaults,ZwClose,RtlFreeHeap,	0_2_6CF80F50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96F50 RtlIsCurrentThread,ZwCompareObjects,	0_2_6CF96F50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18F40 RtlUnwind,ZwContinue,RtlUnwind,RtlRaiseException,RtlRaiseException,RtlRaiseException,ZwContinue,ZwRaiseException,	0_2_6CF18F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F40 ZwFlushBuffersFile,	0_2_6CF22F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F30 ZwCreateSection,	0_2_6CF22F30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F20 ZwQueryVolumeInformationFile,	0_2_6CF22F20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96F20 RtlIsCurrentProcess,ZwCompareObjects,	0_2_6CF96F20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F10 ZwCreateEvent,	0_2_6CF22F10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24F10 KiUserCallbackDispatcher,RtlDebugPrintTimes,RtlDebugPrintTimes,ZwCallbackReturn,RtlRaiseStatus,	0_2_6CF24F10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22F00 ZwAddAtom,	0_2_6CF22F00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20F04 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,	0_2_6CF20F04
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF80F00 RtlCheckSystemBootStatusIntegrity,ZwPowerInformation,	0_2_6CF80F00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94F00 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,ZwQueryPerformanceCounter,ZwQueryPerformanceCounter,	0_2_6CF94F00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF248F0 ZwWow64ReadVirtualMemory64,	0_2_6CF248F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDE8E0 RtlQueryWnfStateData,_alloca_probe_16,ZwQueryWnfStateData,RtlDebugPrintTimes,	0_2_6CEDE8E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF248E0 ZwWow64AllocateVirtualMemory64,	0_2_6CF248E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 RtlDetermineDosPathNameType_U,RtlDetermineDosPathNameType_U,ZwTerminateProcess,ZwWaitForAlertByThreadId,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlGetCurrentServiceSessionId,RtlCreateUnicodeString,RtlCreateUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF168EF ZwUnmapViewOfSection,	0_2_6CF168EF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF248D0 ZwWow64QueryInformationProcess64,	0_2_6CF248D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF248C0 ZwWow64GetNativeSystemInformation,	0_2_6CF248C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF248B0 ZwWow64GetCurrentProcessorNumberEx,	0_2_6CF248B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C8B7 ZwTraceControl,	0_2_6CF1C8B7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF248A0 ZwWow64DebuggerCall,	0_2_6CF248A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24890 ZwWow64CsrVerifyRegion,	0_2_6CF24890
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0887 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,ZwSubscribeWnfStateChange,RtlGetCurrentServiceSessionId,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CEE0887
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C89D RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CF6C89D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24880 ZwWow64CsrGetProcessId,	0_2_6CF24880
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4887 ZwSetInformationWorkerFactory,	0_2_6CFB4887
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24870 ZwWow64CsrCaptureMessageString,	0_2_6CF24870
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24860 ZwWow64CsrCaptureMessageBuffer,	0_2_6CF24860
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24850 ZwWow64CsrAllocateMessagePointer,	0_2_6CF24850
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA685D ZwGetCurrentProcessorNumber,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CFA685D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7A85E RtlInitializeSid,ZwQueryInformationToken,RtlSidDominates,RtlSidDominates,ZwPrivilegeCheck,	0_2_6CF7A85E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24840 ZwWow64CsrFreeCaptureBuffer,	0_2_6CF24840
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA0840 ZwCreateSection,ZwMapViewOfSection,memset,memcpy,ZwUnmapViewOfSection,ZwClose,	0_2_6CFA0840
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24830 ZwWow64CsrAllocateCaptureBuffer,	0_2_6CF24830
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEE820 RtlLeaveCriticalSection,RtlpNotOwnerCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,RtlRaiseStatus,LdrRscIsTypeExist,	0_2_6CEEE820
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16820 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,	0_2_6CF16820
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24820 ZwWow64CsrClientCallServer,	0_2_6CF24820
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24810 ZwWow64CsrIdentifyAlertableThread,	0_2_6CF24810
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C810 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CF6C810
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24800 ZwWow64CsrClientConnectToServer,	0_2_6CF24800
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20800 ZwAllocateVirtualMemory,memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,	0_2_6CF20800
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6A800 RtlEncodeRemotePointer,ZwQueryInformationProcess,	0_2_6CF6A800
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF129F9 DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap,	0_2_6CF129F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA29F3 ZwAllocateVirtualMemoryEx,	0_2_6CFA29F3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE49FF ZwSetInformationWorkerFactory,	0_2_6CEE49FF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6A9E0 RtlReportExceptionEx,RtlReportException,ZwDuplicateObject,ZwDuplicateObject,memset,ZwTerminateProcess,	0_2_6CF6A9E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E9E0 RtlComputeImportTableHash,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,RtlAddressInSectionTable,RtlAllocateHeap,ZwUnmapViewOfSection,RtlFlushSecureMemoryCache,ZwUnmapViewOfSection,	0_2_6CF6E9E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF769C0 RtlGetSessionProperties,RtlGetCurrentServiceSessionId,ZwQueryInformationJobObject,	0_2_6CF769C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF229B3 ZwWaitForAlertByThreadId,	0_2_6CF229B3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF889B4 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CF889B4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF649B8 ZwQueryInformationProcess,ZwMapViewOfSection,ZwClose,	0_2_6CF649B8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A9A0 RtlReleaseResource,ZwReleaseSemaphore,RtlRaiseStatus,ZwQueryValueKey,ZwReleaseSemaphore,RtlRaiseStatus,ZwClose,	0_2_6CF1A9A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAA987 ZwQueryVirtualMemory,ZwProtectVirtualMemory,	0_2_6CFAA987
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96970 RtlInitializeContext,ZwWriteVirtualMemory,	0_2_6CF96970
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C97C RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CF6C97C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF06962 LdrInitializeThunk,ZwQueryInformationToken,RtlFindAceByType,RtlFindAceByType,RtlFindAceByType,RtlAllocateHeap,memcpy,memcpy,memcpy,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlCreateSecurityDescriptor,RtlFreeHeap,RtlCreateAcl,RtlAddMandatoryAce,RtlFreeHeap,memcpy,RtlFreeHeap,RtlSidDominates,RtlFreeHeap,RtlFreeHeap,RtlFindAceByType,ZwDuplicateToken,ZwAccessCheck,ZwClose,ZwPrivilegeCheck,ZwPrivilegeCheck,RtlFreeHeap,memset,memset,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CF06962
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2096E memset,memset,ZwQuerySystemInformation,ZwQueryInformationThread,ZwQueryInformationThread,ZwQuerySystemInformation,RtlAllocateHeap,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memcpy,memcpy,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memset,ZwWriteFile,RtlFreeHeap,ZwClose,ZwReadFile,ZwWriteFile,RtlQueryPerformanceCounter,RtlQueryPerformanceCounter,memcpy,ZwQueryVolumeInformationFile,ZwSetInformationFile,	0_2_6CF2096E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0096D ZwWow64IsProcessorFeaturePresent,	0_2_6CF0096D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB6940 PssNtCaptureSnapshot,ZwAllocateVirtualMemory,memset,PssNtFreeSnapshot,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,ZwCreateProcessEx,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PssNtFreeSnapshot,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_allmul,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_6CFB6940
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24930 DbgPrintEx,ZwTerminateProcess,	0_2_6CF24930
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFE920 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,	0_2_6CEFE920
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24920 ZwWow64IsProcessorFeaturePresent,	0_2_6CF24920
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8927 ZwDuplicateObject,ZwQueryObject,ZwClose,memset,_wcsicmp,ZwQueryObject,ZwQueryObject,_wcsicmp,ZwClose,RtlDebugPrintTimes,RtlDebugPrintTimes,	0_2_6CFB8927
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24910 ZwWow64CallFunction64,	0_2_6CF24910
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C912 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CF6C912
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24900 ZwWow64WriteVirtualMemory64,	0_2_6CF24900
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64908 RtlAllocateHeap,ZwQueryVirtualMemory,RtlFreeHeap,	0_2_6CF64908
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22AF0 ZwWriteFile,	0_2_6CF22AF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8EAF0 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,	0_2_6CF8EAF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22AE0 ZwDeviceIoControlFile,	0_2_6CF22AE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AAE0 RtlConvertExclusiveToShared,ZwReleaseSemaphore,RtlRaiseStatus,	0_2_6CF7AAE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22AD0 ZwReadFile,	0_2_6CF22AD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8ACF ZwSetInformationThread,	0_2_6CED8ACF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22AC0 ZwCallbackReturn,	0_2_6CF22AC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9AACD ZwFreeVirtualMemory,	0_2_6CF9AACD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF36ACC memset,ZwQueryWnfStateData,RtlFreeHeap,RtlAllocateHeap,ZwQueryWnfStateData,ZwQueryWnfStateData,RtlFreeHeap,	0_2_6CF36ACC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22AB0 ZwWaitForSingleObject,	0_2_6CF22AB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22AA0 ZwMapUserPhysicalPagesScatter,	0_2_6CF22AA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA2AAC ZwQuerySystemInformation,	0_2_6CFA2AAC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF72AA9 ZwEnumerateValueKey,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,RtlCompareUnicodeString,RtlCompareUnicodeString,ZwEnumerateKey,ZwOpenKey,ZwClose,	0_2_6CF72AA9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9AA98 ZwAllocateVirtualMemory,	0_2_6CF9AA98
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22A90 ZwAcceptConnectPort,	0_2_6CF22A90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22A80 ZwWorkerFactoryWorkerReady,	0_2_6CF22A80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22A70 ZwAccessCheck,	0_2_6CF22A70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CA72 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,	0_2_6CF5CA72
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2A70 EtwSendNotification,ZwTraceControl,RtlNtStatusToDosError,ZwClose,	0_2_6CFB2A70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94A63 ZwQuerySystemInformation,RtlAllocateHeap,RtlFreeHeap,RtlAllocateHeap,	0_2_6CF94A63
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB0A50 EtwEventWriteString,ZwTraceEvent,RtlNtStatusToDosError,	0_2_6CFB0A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1AA45 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CF1AA45
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 RtlAcquireSRWLockExclusive,RtlDebugPrintTimes,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96A30 RtlRemoteCall,LdrControlFlowGuardEnforced,ZwSuspendThread,ZwGetContextThread,ZwResumeThread,ZwWriteVirtualMemory,ZwResumeThread,memcpy,memcpy,ZwWriteVirtualMemory,ZwSetContextThread,ZwResumeThread,	0_2_6CF96A30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2A30 EtwReplyNotification,ZwTraceControl,RtlNtStatusToDosError,	0_2_6CFB2A30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEA0C ZwCreateEvent,TpAllocWait,ZwSetWnfProcessNotificationEvent,TpSetWaitEx,TpReleaseWait,ZwClose,	0_2_6CEDEA0C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CA11 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CF6CA11
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF72A03 ZwDeleteKey,ZwClose,	0_2_6CF72A03
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF60A0E RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException,	0_2_6CF60A0E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22BF0 ZwAllocateVirtualMemory,	0_2_6CF22BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96BFC ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,	0_2_6CF96BFC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CBF0 RtlAcquireSRWLockShared,RtlReleaseSRWLockShared,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,	0_2_6CF6CBF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EBFC RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,	0_2_6CF0EBFC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22BE0 ZwQueryValueKey,	0_2_6CF22BE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22BD0 ZwQueryKey,	0_2_6CF22BD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0BCD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,	0_2_6CEE0BCD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6EBD0 CsrCaptureMessageMultiUnicodeStringsInPlace,ZwWow64CsrAllocateCaptureBuffer,	0_2_6CF6EBD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22BC0 ZwQueryDefaultLocale,	0_2_6CF22BC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22BB0 ZwFindAtom,	0_2_6CF22BB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CBB0 ZwSetEvent,	0_2_6CF6CBB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEBA6 ZwOpenFile,memcmp,ZwQueryInformationThread,TpWaitForWork,TpReleaseWork,	0_2_6CEDEBA6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22BA0 ZwEnumerateValueKey,	0_2_6CF22BA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B90 ZwOpenKey,	0_2_6CF22B90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8B98 ZwGetNextThread,ZwAllocateVirtualMemory,ZwGetNextThread,RtlGetExtendedContextLength,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwUnmapViewOfSection,ZwUnmapViewOfSection,	0_2_6CFB8B98
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B80 ZwQueryInformationFile,	0_2_6CF22B80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAEB89 LdrInitializeThunk,ZwFreeVirtualMemory,	0_2_6CFAEB89
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B70 ZwQueryObject,	0_2_6CF22B70
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B60 ZwClose,	0_2_6CF22B60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9CB64 memset,RtlInitUnicodeString,RtlInitUnicodeString,ZwEnumerateValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,	0_2_6CF9CB64
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B50 ZwSetEvent,	0_2_6CF22B50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CB5D RtlGetPersistedStateLocation,ZwOpenKeyEx,	0_2_6CF5CB5D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8EB50 RtlRegisterSecureMemoryCacheCallback,ZwQuerySystemInformation,RtlAllocateHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CF8EB50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2B57 RtlAllocateHeap,RtlAllocateHeap,ZwTraceControl,RtlNtStatusToDosError,ZwTraceControl,RtlFreeHeap,RtlFreeHeap,	0_2_6CFB2B57
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B40 ZwSetInformationThread,	0_2_6CF22B40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76B40 RtlIsUntrustedObject,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlFindAceByType,RtlFreeHeap,	0_2_6CF76B40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AB40 RtlConvertSharedToExclusive,ZwReleaseSemaphore,RtlRaiseStatus,ZwReleaseSemaphore,RtlRaiseStatus,RtlAcquireResourceExclusive,	0_2_6CF7AB40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8B50 RtlDeleteTimerQueueEx,RtlAcquireSRWLockExclusive,TpTimerOutstandingCallbackCount,TpReleaseTimer,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,ZwWaitForAlertByThreadId,	0_2_6CED8B50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B30 ZwReplyPort,	0_2_6CF22B30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EB20 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,	0_2_6CF0EB20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B20 ZwReplyWaitReceivePort,	0_2_6CF22B20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDAB30 RtlCreateMemoryZone,ZwAllocateVirtualMemory,	0_2_6CEDAB30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B10 ZwReleaseSemaphore,	0_2_6CF22B10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22B00 ZwRemoveIoCompletion,	0_2_6CF22B00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFACB09 ZwQueryVirtualMemory,	0_2_6CFACB09
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF244F0 ZwSetQuotaInformationFile,	0_2_6CF244F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8E4FD ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,ZwOpenFile,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,ZwSetSecurityObject,ZwClose,ZwClose,	0_2_6CF8E4FD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE04E5 SbSelectProcedure,RtlDebugPrintTimes,RtlGetSuiteMask,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,	0_2_6CEE04E5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF244E0 ZwSetLowWaitHighEventPair,	0_2_6CF244E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF244D0 ZwSetLowEventPair,	0_2_6CF244D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF244C0 ZwSetLdtEntries,	0_2_6CF244C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF244B0 ZwSetIoCompletionEx,	0_2_6CF244B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE64AB memcmp,ZwSetInformationThread,RtlDeactivateActivationContextUnsafeFast,RtlSetThreadSubProcessTag,memset,RtlRaiseException,ZwSetInformationThread,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,	0_2_6CEE64AB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF244A0 ZwSetIoCompletion,	0_2_6CF244A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24490 ZwSetIntervalProfile,	0_2_6CF24490
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A49A RtlAllocateHeap,ZwCreateEvent,TpAllocWork,	0_2_6CF9A49A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24480 ZwSetInformationWorkerFactory,	0_2_6CF24480
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4480 TpSetPoolThreadCpuSets,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,RtlNumberOfSetBits,	0_2_6CFB4480
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0A470 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,RtlFreeHeap,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlReAllocateHeap,	0_2_6CF0A470
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24470 ZwSetInformationVirtualMemory,	0_2_6CF24470
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24460 ZwSetInformationTransactionManager,	0_2_6CF24460
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C460 RtlTestAndPublishWnfStateData,ZwUpdateWnfStateData,RtlGetCurrentServiceSessionId,	0_2_6CF6C460
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24450 ZwSetInformationTransaction,	0_2_6CF24450
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBA457 ZwDeviceIoControlFile,	0_2_6CFBA457
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A456 RtlUnsubscribeWnfNotificationWaitForCompletion,ZwClose,TpReleaseWork,RtlFreeHeap,	0_2_6CF9A456
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 ZwDelayExecution,ZwFreeVirtualMemory,ZwClose,ZwClose,RtlDeleteCriticalSection,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24440 ZwSetInformationToken,	0_2_6CF24440
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24430 ZwSetInformationSymbolicLink,	0_2_6CF24430
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDC427 memset,ZwIsUILanguageComitted,RtlpGetNameFromLangInfoNode,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlFreeHeap,	0_2_6CEDC427
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDE420 ZwTraceControl,EtwDeliverDataBlock,TpSetWaitEx,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CEDE420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24420 ZwSetInformationResourceManager,	0_2_6CF24420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 RtlDefaultNpAcl,RtlAllocateHeap,ZwQueryInformationToken,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,RtlGetAppContainerSidType,RtlGetAppContainerParent,RtlAllocateHeap,RtlCreateAcl,RtlInitializeSid,RtlInitializeSid,RtlInitializeSid,RtlInitializeSid,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24410 ZwSetInformationKey,	0_2_6CF24410
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBA414 ZwClose,	0_2_6CFBA414
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24400 ZwSetInformationJobObject,	0_2_6CF24400
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18402 RtlImageNtHeaderEx,ZwOpenKey,ZwOpenKey,ZwOpenKey,ZwQueryValueKey,ZwClose,RtlFormatCurrentUserKeyPath,RtlAllocateHeap,RtlAppendUnicodeStringToString,RtlAppendUnicodeToString,ZwOpenKey,RtlFreeHeap,RtlFreeUnicodeString,ZwQueryValueKey,ZwClose,ZwQueryKey,ZwClose,LdrLoadDll,ZwQueryValueKey,ZwQueryValueKey,ZwClose,LdrGetProcedureAddressForCaller,LdrUnloadDll,	0_2_6CF18402
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2410 RtlRandomEx,ZwQueryInformationProcess,	0_2_6CEE2410
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF2410 RtlAcquireSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,	0_2_6CEF2410
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF245F0 ZwSignalAndWaitForSingleObject,	0_2_6CF245F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB85F0 ZwQueryInformationProcess,	0_2_6CFB85F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE25E0 ZwClose,RtlFreeHeap,	0_2_6CEE25E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF245E0 ZwShutdownWorkerFactory,	0_2_6CF245E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF725E4 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,	0_2_6CF725E4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A5D0 RtlCreateTagHeap,ZwQuerySystemInformation,	0_2_6CF1A5D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF245D0 ZwShutdownSystem,	0_2_6CF245D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF245C0 ZwSetWnfProcessNotificationEvent,	0_2_6CF245C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A5C0 ZwWaitForSingleObject,	0_2_6CF9A5C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE65D0 ZwReleaseWorkerFactoryWorker,memmove,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,_allshl,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CEE65D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF205B0 EtwpCreateEtwThread,ZwResumeThread,EtwpCreateEtwThread,ZwTerminateThread,ZwClose,	0_2_6CF205B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF245B0 ZwSetVolumeInformationFile,	0_2_6CF245B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF245A0 ZwSetUuidSeed,	0_2_6CF245A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E5A2 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose,	0_2_6CF6E5A2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED65B5 RtlInitUnicodeString,RtlDebugPrintTimes,RtlDebugPrintTimes,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlReleasePath,ZwTerminateProcess,	0_2_6CED65B5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A5A0 ZwSetEvent,	0_2_6CF9A5A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24590 ZwSetTimerResolution,	0_2_6CF24590
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8590 ZwQueryMutant,ZwQueryMutant,	0_2_6CFB8590
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24580 ZwSetTimerEx,	0_2_6CF24580
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A570 RtlWakeAllConditionVariable,ZwAlertThreadByThreadId,RtlWakeAllConditionVariable,	0_2_6CF1A570
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C570 RtlSetUserCallbackExceptionFilter,RtlSetUserCallbackExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CF1C570
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24570 ZwSetTimer2,	0_2_6CF24570
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24560 ZwSetThreadExecutionState,	0_2_6CF24560
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8560 ZwQueryEvent,	0_2_6CFB8560
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24550 ZwSetSystemTime,	0_2_6CF24550
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24540 ZwSetSystemPowerState,	0_2_6CF24540
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C540 RtlWaitForWnfMetaNotification,ZwQueryWnfStateNameInformation,ZwQueryWnfStateNameInformation,ZwCreateEvent,RtlRegisterForWnfMetaNotification,_allmul,ZwWaitForSingleObject,RtlUnsubscribeWnfNotificationWaitForCompletion,ZwClose,	0_2_6CF6C540
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24530 ZwSetSystemInformation,	0_2_6CF24530
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24520 ZwSetSystemEnvironmentValueEx,	0_2_6CF24520
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24510 ZwSetSystemEnvironmentValue,	0_2_6CF24510
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24500 ZwSetSecurityObject,	0_2_6CF24500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 TpTrimPools,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlSleepConditionVariableSRW,RtlAllocateHeap,ZwClose,RtlFreeHeap,RtlAllocateHeap,ZwClose,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForMultipleObjects,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF246F0 ZwUnloadDriver,	0_2_6CF246F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E6F2 ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy,	0_2_6CF5E6F2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF246E0 ZwUmsThreadYield,	0_2_6CF246E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6A6E0 RtlWow64IsWowGuestMachineSupported,ZwQuerySystemInformationEx,_alloca_probe_16,ZwQuerySystemInformationEx,	0_2_6CF6A6E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF246D0 ZwTranslateFilePath,	0_2_6CF246D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF246C0 ZwTraceControl,	0_2_6CF246C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A6C7 RtlAllocateHeap,memcpy,ZwFreeVirtualMemory,	0_2_6CF1A6C7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF246B0 ZwThawTransactions,	0_2_6CF246B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF246A0 ZwThawRegistry,	0_2_6CF246A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24690 ZwTestAlert,	0_2_6CF24690
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6A690 RtlWow64GetSharedInfoProcess,ZwQueryInformationProcess,ZwReadVirtualMemory,	0_2_6CF6A690
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF72699 memset,memset,ZwCreateUserProcess,	0_2_6CF72699
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24680 ZwTerminateJobObject,	0_2_6CF24680
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8680 ZwQueryInformationThread,ZwQueryInformationThread,	0_2_6CFB8680
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24670 ZwTerminateEnclave,	0_2_6CF24670
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24660 ZwSystemDebugControl,	0_2_6CF24660
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24650 ZwSuspendThread,	0_2_6CF24650
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF86650 RtlpVerifyAndCommitUILanguageSettings,memset,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlpCreateProcessRegistryInfo,ZwFlushInstallUILanguage,LdrInitializeThunk,ZwGetMUIRegistryInfo,ZwShutdownSystem,	0_2_6CF86650
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A650 ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CF9A650
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8650 ZwQuerySemaphore,	0_2_6CFB8650
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24640 ZwSuspendProcess,	0_2_6CF24640
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96640 RtlSleepConditionVariableCS,RtlLeaveCriticalSection,ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,RtlEnterCriticalSection,	0_2_6CF96640
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24630 ZwSubscribeWnfStateChange,	0_2_6CF24630
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20634 ZwCreateThreadEx,ZwClose,	0_2_6CF20634
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDC62A RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,ZwClose,	0_2_6CEDC62A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18620 ZwQueryInformationThread,ZwQueryInformationThread,RtlAcquireSRWLockShared,RtlApplicationVerifierStop,	0_2_6CF18620
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24620 ZwStopProfile,	0_2_6CF24620
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9C620 RtlpRefreshCachedUILanguage,ZwQueryInstallUILanguage,RtlInitUnicodeString,RtlCultureNameToLCID,ZwFlushInstallUILanguage,RtlpCreateProcessRegistryInfo,ZwFlushInstallUILanguage,ZwFlushInstallUILanguage,LdrInitializeThunk,ZwGetMUIRegistryInfo,	0_2_6CF9C620
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8620 ZwQuerySection,	0_2_6CFB8620
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24610 ZwStartProfile,	0_2_6CF24610
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24600 ZwSinglePhaseReject,	0_2_6CF24600
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF247F0 ZwLoadKey3,	0_2_6CF247F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF247E0 ZwWaitLowEventPair,	0_2_6CF247E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF247D0 ZwWaitHighEventPair,	0_2_6CF247D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF247C0 ZwWaitForWorkViaWorkerFactory,	0_2_6CF247C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF607C3 ZwQueryInformationProcess,RtlRaiseStatus,RtlDebugPrintTimes,RtlUnhandledExceptionFilter2,EtwEventRegister,EtwEventWrite,EtwNotificationUnregister,ZwRaiseException,	0_2_6CF607C3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF667C0 RtlNewSecurityGrantedAccess,LdrInitializeThunk,ZwQueryInformationToken,RtlMapGenericMask,ZwPrivilegeCheck,	0_2_6CF667C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF247B0 ZwWaitForKeyedEvent,	0_2_6CF247B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6A7B0 RtlDecodeRemotePointer,ZwQueryInformationProcess,	0_2_6CF6A7B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF247A0 ZwWaitForDebugEvent,	0_2_6CF247A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED67BF memset,ZwTerminateProcess,	0_2_6CED67BF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF947A0 RtlHeapTrkInitialize,ZwMapViewOfSection,ZwQueryPerformanceCounter,RtlCreateHeap,RtlSetHeapInformation,RtlAllocateHeap,RtlAllocateHeap,ZwUnmapViewOfSection,RtlDestroyHeap,ZwUnmapViewOfSection,ZwClose,	0_2_6CF947A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24790 ZwWaitForAlertByThreadId,	0_2_6CF24790
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24780 ZwVdmControl,	0_2_6CF24780
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF88785 ZwAllocateVirtualMemory,ZwDuplicateObject,ZwWriteVirtualMemory,ZwTerminateThread,ZwClose,ZwFreeVirtualMemory,ZwResumeThread,ZwWaitForSingleObject,ZwClose,ZwReadVirtualMemory,	0_2_6CF88785
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24770 ZwUpdateWnfStateData,	0_2_6CF24770
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA760 EtwSetMark,ZwTraceEvent,RtlNtStatusToDosError,	0_2_6CEDA760
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24760 ZwUnsubscribeWnfStateChange,	0_2_6CF24760
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24750 ZwUnmapViewOfSectionEx,	0_2_6CF24750
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA740 ZwClose,RtlFreeHeap,	0_2_6CEDA740
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24740 ZwUnlockVirtualMemory,	0_2_6CF24740
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24730 ZwUnlockFile,	0_2_6CF24730
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5C730 LdrAppxHandleIntegrityFailure,RtlQueryPackageIdentityEx,memset,ZwQueryValueKey,RtlFreeHeap,ZwClose,memset,memset,RtlCaptureContext,RtlReportException,ZwTerminateProcess,	0_2_6CF5C730
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20735 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,	0_2_6CF20735
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24720 ZwUnloadKeyEx,	0_2_6CF24720
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF10710 RtlAllocateHandle,RtlReAllocateHeap,RtlAllocateHandle,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,	0_2_6CF10710
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24710 ZwUnloadKey2,	0_2_6CF24710
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24700 ZwUnloadKey,	0_2_6CF24700
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66700 RtlNewInstanceSecurityObject,LdrInitializeThunk,ZwQueryInformationToken,	0_2_6CF66700
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF220F0 RtlPublishWnfStateData,ZwUpdateWnfStateData,RtlGetCurrentServiceSessionId,RtlPublishWnfStateData,	0_2_6CF220F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF240F0 ZwRaiseException,	0_2_6CF240F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF240E0 ZwQueueApcThreadEx,	0_2_6CF240E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E0E0 LdrCreateEnclave,ZwCreateEnclave,LdrCreateEnclave,	0_2_6CF5E0E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF240D0 ZwQueryWnfStateNameInformation,	0_2_6CF240D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF620DE ZwRaiseHardError,	0_2_6CF620DE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBA0D1 ZwDeviceIoControlFile,	0_2_6CFBA0D1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF740DA ZwQueryVirtualMemory,	0_2_6CF740DA
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E0DF ZwDelayExecution,	0_2_6CF1E0DF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDC0C2 ZwAlertThreadByThreadId,	0_2_6CEDC0C2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF240C0 ZwQueryWnfStateData,	0_2_6CF240C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE20DA ZwOpenThreadToken,ZwSetInformationThread,ZwClose,	0_2_6CEE20DA
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C0C0 RtlInitUnicodeString,ZwQueryValueKey,	0_2_6CF6C0C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF640C9 ZwTerminateProcess,RtlLeaveCriticalSection,	0_2_6CF640C9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA60B8 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_6CFA60B8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF240B0 ZwQueryTimerResolution,	0_2_6CF240B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF740A7 ZwSetInformationFile,	0_2_6CF740A7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF240A0 ZwQuerySystemInformationEx,	0_2_6CF240A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E0A0 DbgUiWaitStateChange,ZwWaitForDebugEvent,	0_2_6CF5E0A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24090 ZwQuerySystemEnvironmentValueEx,	0_2_6CF24090
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C080 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx,	0_2_6CF1C080
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24080 ZwQuerySystemEnvironmentValue,	0_2_6CF24080
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF68080 ZwReadVirtualMemory,	0_2_6CF68080
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1608F ZwOpenKey,ZwCreateKey,	0_2_6CF1608F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A073 RtlInitUnicodeString,RtlInitAnsiString,RtlAnsiStringToUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,ZwRaiseHardError,RtlRaiseStatus,EtwTraceMessageVa,RtlNtStatusToDosError,	0_2_6CF1A073
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24070 ZwQuerySymbolicLinkObject,	0_2_6CF24070
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E070 DbgUiStopDebugging,ZwRemoveProcessDebug,	0_2_6CF5E070
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF06060 RtlCheckTokenMembershipEx,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,RtlSetGroupSecurityDescriptor,RtlCreateAcl,RtlInitializeSidEx,RtlSetDaclSecurityDescriptor,ZwAccessCheck,RtlInitializeSidEx,ZwOpenThreadTokenEx,LdrInitializeThunk,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwClose,ZwClose,RtlCheckTokenMembershipEx,	0_2_6CF06060
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24060 ZwQuerySemaphore,	0_2_6CF24060
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A060 RtlOsDeploymentState,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,	0_2_6CF9A060
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24050 ZwQuerySecurityPolicy,	0_2_6CF24050
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24040 ZwQuerySecurityObject,	0_2_6CF24040
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16045 ZwClose,	0_2_6CF16045
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64043 ZwOpenFile,ZwQueryVirtualMemory,ZwOpenFile,	0_2_6CF64043
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24030 ZwQuerySecurityAttributesToken,	0_2_6CF24030
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C03E RtlInitUnicodeString,ZwOpenKey,ZwClose,	0_2_6CF6C03E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24020 ZwQueryQuotaInformationFile,	0_2_6CF24020
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24010 ZwQueryPortInformationProcess,	0_2_6CF24010
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24000 ZwQueryOpenSubKeysEx,	0_2_6CF24000
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4003 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwSetInformationJobObject,ZwQueryInformationJobObject,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,	0_2_6CFB4003
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C1F0 RtlSetUnhandledExceptionFilter,RtlSetUnhandledExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_6CF1C1F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF241F0 ZwReplyWaitReplyPort,	0_2_6CF241F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB81F0 ZwQueryVirtualMemory,ZwPssCaptureVaSpaceBulk,ZwQueryVirtualMemory,	0_2_6CFB81F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF241E0 ZwReplacePartitionUnit,	0_2_6CF241E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF641E2 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel,	0_2_6CF641E2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB61E5 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CFB61E5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF241D0 ZwReplaceKey,	0_2_6CF241D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF801D0 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess,	0_2_6CF801D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF941CB ZwQueryVirtualMemory,bsearch_s,	0_2_6CF941CB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF241C0 ZwRenameTransactionManager,	0_2_6CF241C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA61C3 RtlAllocateHeap,ZwQueryWnfStateData,ZwUpdateWnfStateData,RtlFreeHeap,	0_2_6CFA61C3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A1C0 RtlQueryValidationRunlevel,ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CF9A1C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB41C0 TpQueryPoolStackInformation,ZwQueryInformationWorkerFactory,	0_2_6CFB41C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF241B0 ZwRenameKey,	0_2_6CF241B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBA1B6 ZwCreateFile,	0_2_6CFBA1B6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF241A0 ZwRemoveProcessDebug,	0_2_6CF241A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF141A2 ZwAlertThreadByThreadId,	0_2_6CF141A2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24190 ZwRemoveIoCompletionEx,	0_2_6CF24190
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E190 RtlFreeUserStack,ZwFreeVirtualMemory,	0_2_6CF5E190
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6019F RtlGetCurrentServiceSessionId,RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_6CF6019F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE819E ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationObject,ZwSetInformationThread,ZwAdjustPrivilegesToken,ZwSetInformationThread,	0_2_6CEE819E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE419F ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,	0_2_6CEE419F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24180 ZwReleaseWorkerFactoryWorker,	0_2_6CF24180
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20185 ZwQuerySystemInformation,EtwpCreateEtwThread,RtlNtStatusToDosError,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,	0_2_6CF20185
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA197 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,	0_2_6CEDA197
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB6187 ZwSetInformationThread,memset,RtlRaiseException,	0_2_6CFB6187
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24170 ZwReleaseKeyedEvent,	0_2_6CF24170
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6417C ZwRaiseHardError,	0_2_6CF6417C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24160 ZwRegisterThreadTerminatePort,	0_2_6CF24160
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22160 RtlCreateUserStack,RtlImageNtHeader,ZwSetInformationProcess,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlFreeUserStack,RtlCreateUserStack,RtlCreateUserStack,RtlCreateUserStack,	0_2_6CF22160
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBA160 RtlGetNtSystemRoot,ZwClose,	0_2_6CFBA160
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24150 ZwRegisterProtocolAddressInformation,	0_2_6CF24150
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0215F ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor,	0_2_6CF0215F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24140 ZwRecoverTransactionManager,	0_2_6CF24140
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF74144 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDetermineDosPathNameType_U,RtlDosPathNameToNtPathName_U,ZwQueryAttributesFile,RtlFreeHeap,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_6CF74144
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A140 RtlQueryTokenHostIdAsUlong64,ZwQuerySecurityAttributesToken,	0_2_6CF9A140
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB8142 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,ZwQueryVirtualMemory,	0_2_6CFB8142
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6154 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlAllocateHeap,ZwDuplicateObject,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlWakeConditionVariable,	0_2_6CEE6154
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C137 ZwQueryVirtualMemory,ZwQuerySystemInformation,ZwAllocateVirtualMemory,ZwProtectVirtualMemory,	0_2_6CF6C137
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24130 ZwRecoverResourceManager,	0_2_6CF24130
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6013A ZwOpenKeyEx,ZwClose,	0_2_6CF6013A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24120 ZwRecoverEnlistment,	0_2_6CF24120
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24110 ZwReadOnlyEnlistment,	0_2_6CF24110
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A11F ZwClose,	0_2_6CF9A11F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2102 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,	0_2_6CEE2102
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24100 ZwRaiseHardError,	0_2_6CF24100
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF74104 ZwQueryInformationFile,	0_2_6CF74104
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8E10E ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlFreeHeap,RtlGetDaclSecurityDescriptor,RtlGetOwnerSecurityDescriptor,RtlEqualSid,RtlGetAce,RtlEqualSid,ZwSetSecurityObject,RtlSelfRelativeToAbsoluteSD2,RtlAllocateHeap,memcpy,RtlFreeHeap,RtlSelfRelativeToAbsoluteSD2,RtlFreeHeap,RtlSetOwnerSecurityDescriptor,RtlSetDaclSecurityDescriptor,RtlMakeSelfRelativeSD,RtlAllocateHeap,RtlMakeSelfRelativeSD,RtlFreeHeap,ZwSetSecurityObject,RtlFreeHeap,	0_2_6CF8E10E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF68100 RtlSetProcessDebugInformation,ZwUnmapViewOfSection,RtlExitUserThread,	0_2_6CF68100
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF942F9 ZwQueryVirtualMemory,ZwQueryVirtualMemory,RtlImageDirectoryEntryToData,	0_2_6CF942F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF242F0 ZwSerializeBoot,	0_2_6CF242F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA02F4 ZwPowerInformation,ZwClose,	0_2_6CFA02F4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF02E1 RtlEnterCriticalSection,RtlAllocateHeap,RtlLeaveCriticalSection,RtlReAllocateHeap,RtlLeaveCriticalSection,ZwProtectVirtualMemory,RtlLeaveCriticalSection,	0_2_6CEF02E1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF242E0 ZwSecureConnectPort,	0_2_6CF242E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C2E0 RtlQueryWnfMetaNotification,ZwQueryWnfStateNameInformation,	0_2_6CF6C2E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF242D0 ZwSaveMergedKeys,	0_2_6CF242D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB62D6 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_6CFB62D6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF242C0 ZwSaveKeyEx,	0_2_6CF242C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF622C5 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_6CF622C5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF702C0 RtlQueryImageMitigationPolicy,RtlInitUnicodeStringEx,RtlInitUnicodeStringEx,ZwOpenKey,ZwQueryValueKey,ZwClose,memcpy,RtlQueryImageMitigationPolicy,	0_2_6CF702C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF242B0 ZwSaveKey,	0_2_6CF242B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF242A0 ZwRollforwardTransactionManager,	0_2_6CF242A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF762A0 RtlAcquirePrivilege,RtlAllocateHeap,ZwSetInformationThread,RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,RtlAllocateHeap,ZwAdjustPrivilegesToken,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwSetInformationThread,ZwClose,RtlFreeHeap,	0_2_6CF762A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF22B0 RtlSleepConditionVariableSRW,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlSleepConditionVariableSRW,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,	0_2_6CEF22B0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF22AE0: ZwDeviceIoControlFile,

0_2_6CF22AE0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF246F0 ZwUnloadDriver,

0_2_6CF246F0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0CF2	0_2_6CEE0CF2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0C00	0_2_6CEF0C00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF8DC0	0_2_6CEF8DC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF08DBF	0_2_6CF08DBF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8CD1F	0_2_6CF8CD1F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFAD00	0_2_6CEFAD00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAEEDB	0_2_6CFAEEDB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFACE93	0_2_6CFACE93
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0E59	0_2_6CEF0E59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAEE26	0_2_6CFAEE26
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2FC8	0_2_6CEE2FC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6EFA0	0_2_6CF6EFA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64F40	0_2_6CF64F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF10F30	0_2_6CF10F30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF92F30	0_2_6CF92F30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF32F28	0_2_6CF32F28
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E8F0	0_2_6CF1E8F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED68B8	0_2_6CED68B8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF28890	0_2_6CF28890
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9C87C	0_2_6CF9C87C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFA840	0_2_6CEFA840
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBA9A6	0_2_6CFBA9A6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF06962	0_2_6CF06962
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA6BD7	0_2_6CFA6BD7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAEB89	0_2_6CFAEB89
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAAB40	0_2_6CFAAB40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9E4F6	0_2_6CF9E4F6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA2446	0_2_6CFA2446
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94420	0_2_6CF94420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB0591	0_2_6CFB0591
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0C6E0	0_2_6CF0C6E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14750	0_2_6CF14750
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF82000	0_2_6CF82000
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA81CC	0_2_6CFA81CC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB01AA	0_2_6CFB01AA
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA41A2	0_2_6CFA41A2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF78158	0_2_6CF78158
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8A118	0_2_6CF8A118
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0100	0_2_6CEE0100
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF702C0	0_2_6CF702C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90274	0_2_6CF90274
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB03E6	0_2_6CFB03E6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFE3F0	0_2_6CEFE3F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAFCF2	0_2_6CFAFCF2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF69C32	0_2_6CF69C32
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF09C20	0_2_6CF09C20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0FDC0	0_2_6CF0FDC0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA7D73	0_2_6CFA7D73
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA1D5A	0_2_6CFA1D5A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF9EB0	0_2_6CEF9EB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEB3FD2	0_2_6CEB3FD2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEB3FD5	0_2_6CEB3FD5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAFFB1	0_2_6CFAFFB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF1F92	0_2_6CEF1F92
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAFF09	0_2_6CFAFF09
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF38E0	0_2_6CEF38E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5D800	0_2_6CF5D800
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF5990	0_2_6CEF5990
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0B950	0_2_6CF0B950
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF85910	0_2_6CF85910
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9DAC6	0_2_6CF9DAC6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF35AA0	0_2_6CF35AA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8DAAC	0_2_6CF8DAAC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF91AA3	0_2_6CF91AA3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF63A6C	0_2_6CF63A6C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAFA49	0_2_6CFAFA49
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA7A46	0_2_6CFA7A46
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF65BF0	0_2_6CF65BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2DBF9	0_2_6CF2DBF9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0FB80	0_2_6CF0FB80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAFB76	0_2_6CFAFB76
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE1460	0_2_6CEE1460
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAF43F	0_2_6CFAF43F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB95C3	0_2_6CFB95C3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8D5B0	0_2_6CF8D5B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA7571	0_2_6CFA7571
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA16CC	0_2_6CFA16CC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF35630	0_2_6CF35630
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE17EC	0_2_6CEE17EC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF797EA	0_2_6CF797EA
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAF7B0	0_2_6CFAF7B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8D710	0_2_6CF8D710
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA70E9	0_2_6CFA70E9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAF0E0	0_2_6CFAF0E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9F0CC	0_2_6CF9F0CC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFB1B0	0_2_6CEFB1B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFBB16B	0_2_6CFBB16B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2516C	0_2_6CF2516C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDF172	0_2_6CEDF172
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0D2F0	0_2_6CF0D2F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF912ED	0_2_6CF912ED
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0B2C0	0_2_6CF0B2C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF52A0	0_2_6CEF52A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA132D	0_2_6CFA132D

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CEDB970 appears 249 times
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CF37E54 appears 150 times
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CEF25B0 appears 33 times
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CF25130 appears 53 times
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CF5EA12 appears 78 times
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CF37EB0 appears 34 times
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: String function: 6CF6F290 appears 104 times

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 564

Source: ~TMF551.tmp.0.dr

Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: ~TMF551.tmp.0.dr

Static PE information: No import functions for PE file found

Source: FgfPZQyCMj.exe, 00000000.00000000.1677462226.0000000000407000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSAFlashPlayer.exe@ vs FgfPZQyCMj.exe
Source: FgfPZQyCMj.exe, 00000000.00000002.2041929951.000000006CFDD000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FgfPZQyCMj.exe
Source: FgfPZQyCMj.exe	Binary or memory string: OriginalFilenameSAFlashPlayer.exe@ vs FgfPZQyCMj.exe

Source: FgfPZQyCMj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE	Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
Source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
Source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
Source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
Source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload

Source: ~TMF551.tmp.0.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/6@0/0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_00401750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,

0_2_00401750

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: RtlAppxIsFileOwnedByTrustedInstaller,ZwQuerySecurityObject,RtlAllocateHeap,ZwQuerySecurityObject,RtlGetOwnerSecurityDescriptor,RtlCreateServiceSid,RtlAllocateHeap,RtlCreateServiceSid,RtlEqualSid,RtlFreeHeap,RtlFreeHeap,		0_2_6CF5CCA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: RtlCreateServiceSid,RtlUpcaseUnicodeString,A_SHAInit,A_SHAUpdate,A_SHAFinal,RtlFreeUnicodeString,RtlInitializeSid,RtlCreateServiceSid,		0_2_6CEDC230

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_00402390 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,

0_2_00402390

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

File created: C:\Users\user\AppData\Local\Temp\~TMF551.tmp

Jump to behavior

Source: FgfPZQyCMj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FgfPZQyCMj.exe	Virustotal: Detection: 93%
Source: FgfPZQyCMj.exe	ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\FgfPZQyCMj.exe "C:\Users\user\Desktop\FgfPZQyCMj.exe"
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 564

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Section loaded: ntmarta.dll	Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: FgfPZQyCMj.exe, 00000000.00000002.2041798965.000000006CEB1000.00000020.00000001.01000000.00000004.sdmp, ~TMF551.tmp.0.dr
Source:	Binary string: wntdll.pdb source: FgfPZQyCMj.exe, FgfPZQyCMj.exe, 00000000.00000002.2041798965.000000006CEB1000.00000020.00000001.01000000.00000004.sdmp, ~TMF551.tmp.0.dr

Source: FgfPZQyCMj.exe

Static PE information: real checksum: 0x14df2 should be: 0xf3a8

Source: FgfPZQyCMj.exe	Static PE information: section name: .text1
Source: ~TMF551.tmp.0.dr	Static PE information: section name: RT
Source: ~TMF551.tmp.0.dr	Static PE information: section name: .mrdata
Source: ~TMF551.tmp.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_00400F2F push 68C9B01Eh; ret	0_2_00400F3B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEB283D push eax; iretd	0_2_6CEB2858
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE09AD push ecx; mov dword ptr [esp], ecx	0_2_6CEE09B6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEB27FA pushad ; ret	0_2_6CEB27F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEB225F pushad ; ret	0_2_6CEB27F9

Source: ~TMF551.tmp.0.dr

Static PE information: section name: .text entropy: 6.844715065913507

Persistence and Installation Behavior

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

File created: C:\Users\user\AppData\Local\Temp\~TMF551.tmp

Jump to dropped file

Boot Survival

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

DLL reload attack detected

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\~TMF551.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_00401988 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00401988

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_0040304C Sleep,ExitProcess,

0_2_0040304C

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CEE28F0 rdtsc

0_2_6CEE28F0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\~TMF551.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-80255

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

API coverage: 0.5 %

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_004011F8 FindFirstFileA,FindClose,

0_2_004011F8

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

API call chain: ExitProcess graph end node

graph_0-80225

Anti Debugging

Contains functionality to check if a debugger is attached (DbgSetDebugFilterState,NtSetDebugFilterState)

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF6F340 DbgSetDebugFilterState,

0_2_6CF6F340

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CEE28F0 rdtsc

0_2_6CEE28F0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_00402E00 GetModuleHandleA,CopyFileA,LdrInitializeThunk,DeleteFileA,GlobalFree,GlobalFree,

0_2_00402E00

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF66FE0 RtlQueryProcessDebugInformation,memset,ZwOpenProcess,ZwOpenProcess,RtlWow64GetProcessMachines,ZwClose,ZwClose,ZwWow64CallFunction64,RtlpQueryProcessDebugInformationRemote,ZwWaitForSingleObject,ZwQueryInformationThread,ZwTerminateThread,ZwClose,ZwClose,RtlQueryProcessBackTraceInformation,RtlQueryProcessLockInformation,RtlQueryProcessHeapInformation,ZwClose,

0_2_6CF66FE0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF12CF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF12CF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF12CF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12CF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF12CF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCCC8 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCCC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8CD0 mov eax, dword ptr fs:[00000030h]	0_2_6CED8CD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF08CB1 mov eax, dword ptr fs:[00000030h]	0_2_6CF08CB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF08CB1 mov eax, dword ptr fs:[00000030h]	0_2_6CF08CB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF90CB5 mov eax, dword ptr fs:[00000030h]	0_2_6CF90CB5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CCA0 mov ecx, dword ptr fs:[00000030h]	0_2_6CF5CCA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CCA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF5CCA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CCA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF5CCA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CCA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF5CCA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8C8D mov eax, dword ptr fs:[00000030h]	0_2_6CED8C8D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AC60 mov eax, dword ptr fs:[00000030h]	0_2_6CF7AC60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AC60 mov eax, dword ptr fs:[00000030h]	0_2_6CF7AC60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14C59 mov eax, dword ptr fs:[00000030h]	0_2_6CF14C59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEAC50 mov eax, dword ptr fs:[00000030h]	0_2_6CEEAC50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6C50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6C50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6C50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6C50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6C50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6C50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov eax, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84C34 mov ecx, dword ptr fs:[00000030h]	0_2_6CF84C34
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEC20 mov eax, dword ptr fs:[00000030h]	0_2_6CEDEC20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7CC20 mov eax, dword ptr fs:[00000030h]	0_2_6CF7CC20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7CC20 mov eax, dword ptr fs:[00000030h]	0_2_6CF7CC20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CEF0C00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CEF0C00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CEF0C00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0C00 mov eax, dword ptr fs:[00000030h]	0_2_6CEF0C00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CC00 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CC00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64C0F mov eax, dword ptr fs:[00000030h]	0_2_6CF64C0F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0CDF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF0CDF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0CDF0 mov ecx, dword ptr fs:[00000030h]	0_2_6CF0CDF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCDEA mov eax, dword ptr fs:[00000030h]	0_2_6CEDCDEA
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCDEA mov eax, dword ptr fs:[00000030h]	0_2_6CEDCDEA
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF80DF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF80DF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF80DF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF80DF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF00DE1 mov eax, dword ptr fs:[00000030h]	0_2_6CF00DE1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED6DF6 mov eax, dword ptr fs:[00000030h]	0_2_6CED6DF6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64DD7 mov eax, dword ptr fs:[00000030h]	0_2_6CF64DD7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64DD7 mov eax, dword ptr fs:[00000030h]	0_2_6CF64DD7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EDD3 mov eax, dword ptr fs:[00000030h]	0_2_6CF0EDD3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EDD3 mov eax, dword ptr fs:[00000030h]	0_2_6CF0EDD3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CDB1 mov ecx, dword ptr fs:[00000030h]	0_2_6CF1CDB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CDB1 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CDB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CDB1 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CDB1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF08DBF mov eax, dword ptr fs:[00000030h]	0_2_6CF08DBF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF08DBF mov eax, dword ptr fs:[00000030h]	0_2_6CF08DBF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16DA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF16DA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA8DAE mov eax, dword ptr fs:[00000030h]	0_2_6CFA8DAE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA8DAE mov eax, dword ptr fs:[00000030h]	0_2_6CFA8DAE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4DAD mov eax, dword ptr fs:[00000030h]	0_2_6CFB4DAD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF78D6B mov eax, dword ptr fs:[00000030h]	0_2_6CF78D6B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8D59 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8D59
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4D30 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4D30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF68D20 mov eax, dword ptr fs:[00000030h]	0_2_6CF68D20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF98D10 mov eax, dword ptr fs:[00000030h]	0_2_6CF98D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF98D10 mov eax, dword ptr fs:[00000030h]	0_2_6CF98D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14D1D mov eax, dword ptr fs:[00000030h]	0_2_6CF14D1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFAD00 mov eax, dword ptr fs:[00000030h]	0_2_6CEFAD00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFAD00 mov eax, dword ptr fs:[00000030h]	0_2_6CEFAD00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFAD00 mov eax, dword ptr fs:[00000030h]	0_2_6CEFAD00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED6D10 mov eax, dword ptr fs:[00000030h]	0_2_6CED6D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED6D10 mov eax, dword ptr fs:[00000030h]	0_2_6CED6D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED6D10 mov eax, dword ptr fs:[00000030h]	0_2_6CED6D10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18EF5 mov eax, dword ptr fs:[00000030h]	0_2_6CF18EF5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6EE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6EE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6EE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6EE0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6EE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96ED0 mov ecx, dword ptr fs:[00000030h]	0_2_6CF96ED0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AEB0 mov eax, dword ptr fs:[00000030h]	0_2_6CF7AEB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7AEB0 mov eax, dword ptr fs:[00000030h]	0_2_6CF7AEB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96EB0 mov eax, dword ptr fs:[00000030h]	0_2_6CF96EB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CEA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF6CEA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CEA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF6CEA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CEA0 mov eax, dword ptr fs:[00000030h]	0_2_6CF6CEA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12E9C mov eax, dword ptr fs:[00000030h]	0_2_6CF12E9C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12E9C mov ecx, dword ptr fs:[00000030h]	0_2_6CF12E9C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDAE90 mov eax, dword ptr fs:[00000030h]	0_2_6CEDAE90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDAE90 mov eax, dword ptr fs:[00000030h]	0_2_6CEDAE90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDAE90 mov eax, dword ptr fs:[00000030h]	0_2_6CEDAE90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF60E7F mov eax, dword ptr fs:[00000030h]	0_2_6CF60E7F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF60E7F mov eax, dword ptr fs:[00000030h]	0_2_6CF60E7F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF60E7F mov eax, dword ptr fs:[00000030h]	0_2_6CF60E7F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6E71 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6E71
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2E4F mov eax, dword ptr fs:[00000030h]	0_2_6CFB2E4F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2E4F mov eax, dword ptr fs:[00000030h]	0_2_6CFB2E4F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEE5A mov eax, dword ptr fs:[00000030h]	0_2_6CEDEE5A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14E30 mov eax, dword ptr fs:[00000030h]	0_2_6CF14E30
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76E20 mov eax, dword ptr fs:[00000030h]	0_2_6CF76E20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76E20 mov eax, dword ptr fs:[00000030h]	0_2_6CF76E20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76E20 mov ecx, dword ptr fs:[00000030h]	0_2_6CF76E20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18E1A mov eax, dword ptr fs:[00000030h]	0_2_6CF18E1A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8E1D mov eax, dword ptr fs:[00000030h]	0_2_6CED8E1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov ecx, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AE00 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AE00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CF20FF6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CF20FF6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CF20FF6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF20FF6 mov eax, dword ptr fs:[00000030h]	0_2_6CF20FF6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96FF7 mov eax, dword ptr fs:[00000030h]	0_2_6CF96FF7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFCFE0 mov eax, dword ptr fs:[00000030h]	0_2_6CEFCFE0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4FE7 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4FE7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8FF0 mov ecx, dword ptr fs:[00000030h]	0_2_6CED8FF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8FF0 mov eax, dword ptr fs:[00000030h]	0_2_6CED8FF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2FC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2FC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2FC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2FC8 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2FC8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEFD8 mov eax, dword ptr fs:[00000030h]	0_2_6CEDEFD8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEFD8 mov eax, dword ptr fs:[00000030h]	0_2_6CEDEFD8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEFD8 mov eax, dword ptr fs:[00000030h]	0_2_6CEDEFD8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12F98 mov eax, dword ptr fs:[00000030h]	0_2_6CF12F98
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12F98 mov eax, dword ptr fs:[00000030h]	0_2_6CF12F98
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CF80 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CF80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16F60 mov eax, dword ptr fs:[00000030h]	0_2_6CF16F60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16F60 mov eax, dword ptr fs:[00000030h]	0_2_6CF16F60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4F68 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4F68
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF82F60 mov eax, dword ptr fs:[00000030h]	0_2_6CF82F60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF82F60 mov eax, dword ptr fs:[00000030h]	0_2_6CF82F60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AF69 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AF69
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0AF69 mov eax, dword ptr fs:[00000030h]	0_2_6CF0AF69
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CF50 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF80F50 mov eax, dword ptr fs:[00000030h]	0_2_6CF80F50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CF64F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CF64F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CF64F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64F40 mov eax, dword ptr fs:[00000030h]	0_2_6CF64F40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84F42 mov eax, dword ptr fs:[00000030h]	0_2_6CF84F42
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCF50 mov eax, dword ptr fs:[00000030h]	0_2_6CEDCF50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EF28 mov eax, dword ptr fs:[00000030h]	0_2_6CF0EF28
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF24F10 mov eax, dword ptr fs:[00000030h]	0_2_6CF24F10
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CF1F mov eax, dword ptr fs:[00000030h]	0_2_6CF1CF1F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF96F00 mov eax, dword ptr fs:[00000030h]	0_2_6CF96F00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2F12 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2F12
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C8F9 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C8F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C8F9 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C8F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE28F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE28F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAA8E4 mov eax, dword ptr fs:[00000030h]	0_2_6CFAA8E4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0E8C0 mov eax, dword ptr fs:[00000030h]	0_2_6CF0E8C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB08C0 mov eax, dword ptr fs:[00000030h]	0_2_6CFB08C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0887 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0887
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C89D mov eax, dword ptr fs:[00000030h]	0_2_6CF6C89D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E872 mov eax, dword ptr fs:[00000030h]	0_2_6CF6E872
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E872 mov eax, dword ptr fs:[00000030h]	0_2_6CF6E872
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76870 mov eax, dword ptr fs:[00000030h]	0_2_6CF76870
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76870 mov eax, dword ptr fs:[00000030h]	0_2_6CF76870
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF10854 mov eax, dword ptr fs:[00000030h]	0_2_6CF10854
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE4859 mov eax, dword ptr fs:[00000030h]	0_2_6CEE4859
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE4859 mov eax, dword ptr fs:[00000030h]	0_2_6CEE4859
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A830 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A830
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8483A mov eax, dword ptr fs:[00000030h]	0_2_6CF8483A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8483A mov eax, dword ptr fs:[00000030h]	0_2_6CF8483A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF02835 mov eax, dword ptr fs:[00000030h]	0_2_6CF02835
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF02835 mov eax, dword ptr fs:[00000030h]	0_2_6CF02835
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF02835 mov eax, dword ptr fs:[00000030h]	0_2_6CF02835
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF02835 mov ecx, dword ptr fs:[00000030h]	0_2_6CF02835
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF02835 mov eax, dword ptr fs:[00000030h]	0_2_6CF02835
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF02835 mov eax, dword ptr fs:[00000030h]	0_2_6CF02835
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C810 mov eax, dword ptr fs:[00000030h]	0_2_6CF6C810
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF129F9 mov eax, dword ptr fs:[00000030h]	0_2_6CF129F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF129F9 mov eax, dword ptr fs:[00000030h]	0_2_6CF129F9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E9E0 mov eax, dword ptr fs:[00000030h]	0_2_6CF6E9E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF149D0 mov eax, dword ptr fs:[00000030h]	0_2_6CF149D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAA9D3 mov eax, dword ptr fs:[00000030h]	0_2_6CFAA9D3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF769C0 mov eax, dword ptr fs:[00000030h]	0_2_6CF769C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEEA9D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEEA9D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEEA9D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEEA9D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEEA9D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEA9D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEEA9D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE09AD mov eax, dword ptr fs:[00000030h]	0_2_6CEE09AD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE09AD mov eax, dword ptr fs:[00000030h]	0_2_6CEE09AD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF689B3 mov esi, dword ptr fs:[00000030h]	0_2_6CF689B3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF689B3 mov eax, dword ptr fs:[00000030h]	0_2_6CF689B3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF689B3 mov eax, dword ptr fs:[00000030h]	0_2_6CF689B3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF29A0 mov eax, dword ptr fs:[00000030h]	0_2_6CEF29A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84978 mov eax, dword ptr fs:[00000030h]	0_2_6CF84978
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF84978 mov eax, dword ptr fs:[00000030h]	0_2_6CF84978
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C970 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C970
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C970 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C970
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C97C mov eax, dword ptr fs:[00000030h]	0_2_6CF6C97C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF06962 mov eax, dword ptr fs:[00000030h]	0_2_6CF06962
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF06962 mov eax, dword ptr fs:[00000030h]	0_2_6CF06962
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF06962 mov eax, dword ptr fs:[00000030h]	0_2_6CF06962
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2096E mov eax, dword ptr fs:[00000030h]	0_2_6CF2096E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2096E mov edx, dword ptr fs:[00000030h]	0_2_6CF2096E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2096E mov eax, dword ptr fs:[00000030h]	0_2_6CF2096E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A950 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A950
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF60946 mov eax, dword ptr fs:[00000030h]	0_2_6CF60946
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4940 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4940
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6892A mov eax, dword ptr fs:[00000030h]	0_2_6CF6892A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF7892B mov eax, dword ptr fs:[00000030h]	0_2_6CF7892B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C912 mov eax, dword ptr fs:[00000030h]	0_2_6CF6C912
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8918 mov eax, dword ptr fs:[00000030h]	0_2_6CED8918
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8918 mov eax, dword ptr fs:[00000030h]	0_2_6CED8918
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E908 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E908
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E908 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E908
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1AAEE mov eax, dword ptr fs:[00000030h]	0_2_6CF1AAEE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1AAEE mov eax, dword ptr fs:[00000030h]	0_2_6CF1AAEE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14AD0 mov eax, dword ptr fs:[00000030h]	0_2_6CF14AD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14AD0 mov eax, dword ptr fs:[00000030h]	0_2_6CF14AD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0AD0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0AD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF36ACC mov eax, dword ptr fs:[00000030h]	0_2_6CF36ACC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF36ACC mov eax, dword ptr fs:[00000030h]	0_2_6CF36ACC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF36ACC mov eax, dword ptr fs:[00000030h]	0_2_6CF36ACC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8AA0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8AA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8AA0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8AA0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF36AA4 mov eax, dword ptr fs:[00000030h]	0_2_6CF36AA4
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18A90 mov edx, dword ptr fs:[00000030h]	0_2_6CF18A90
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEDEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEDEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEEEA80 mov eax, dword ptr fs:[00000030h]	0_2_6CEEEA80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4A80 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4A80
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CA72 mov eax, dword ptr fs:[00000030h]	0_2_6CF5CA72
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5CA72 mov eax, dword ptr fs:[00000030h]	0_2_6CF5CA72
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8EA60 mov eax, dword ptr fs:[00000030h]	0_2_6CF8EA60
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CA6F mov eax, dword ptr fs:[00000030h]	0_2_6CF1CA6F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CA6F mov eax, dword ptr fs:[00000030h]	0_2_6CF1CA6F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CA6F mov eax, dword ptr fs:[00000030h]	0_2_6CF1CA6F
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF10A50 mov eax, dword ptr fs:[00000030h]	0_2_6CF10A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0A5B mov eax, dword ptr fs:[00000030h]	0_2_6CEF0A5B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0A5B mov eax, dword ptr fs:[00000030h]	0_2_6CEF0A5B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE6A50 mov eax, dword ptr fs:[00000030h]	0_2_6CEE6A50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF04A35 mov eax, dword ptr fs:[00000030h]	0_2_6CF04A35
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF04A35 mov eax, dword ptr fs:[00000030h]	0_2_6CF04A35
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CA38 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CA38
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1CA24 mov eax, dword ptr fs:[00000030h]	0_2_6CF1CA24
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EA2E mov eax, dword ptr fs:[00000030h]	0_2_6CF0EA2E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CA11 mov eax, dword ptr fs:[00000030h]	0_2_6CF6CA11
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8A00 mov eax, dword ptr fs:[00000030h]	0_2_6CED8A00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8A00 mov eax, dword ptr fs:[00000030h]	0_2_6CED8A00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18BF0 mov ecx, dword ptr fs:[00000030h]	0_2_6CF18BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF18BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF18BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6CBF0 mov eax, dword ptr fs:[00000030h]	0_2_6CF6CBF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EBFC mov eax, dword ptr fs:[00000030h]	0_2_6CF0EBFC
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8BF0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8BF0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0BCD mov eax, dword ptr fs:[00000030h]	0_2_6CEE0BCD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0BCD mov eax, dword ptr fs:[00000030h]	0_2_6CEE0BCD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0BCD mov eax, dword ptr fs:[00000030h]	0_2_6CEE0BCD
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8EBD0 mov eax, dword ptr fs:[00000030h]	0_2_6CF8EBD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF00BCB mov eax, dword ptr fs:[00000030h]	0_2_6CF00BCB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF00BCB mov eax, dword ptr fs:[00000030h]	0_2_6CF00BCB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF00BCB mov eax, dword ptr fs:[00000030h]	0_2_6CF00BCB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94BB0 mov eax, dword ptr fs:[00000030h]	0_2_6CF94BB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94BB0 mov eax, dword ptr fs:[00000030h]	0_2_6CF94BB0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0BBE mov eax, dword ptr fs:[00000030h]	0_2_6CEF0BBE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF0BBE mov eax, dword ptr fs:[00000030h]	0_2_6CEF0BBE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDCB7E mov eax, dword ptr fs:[00000030h]	0_2_6CEDCB7E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8EB50 mov eax, dword ptr fs:[00000030h]	0_2_6CF8EB50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CFB2B57
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CFB2B57
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CFB2B57
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB2B57 mov eax, dword ptr fs:[00000030h]	0_2_6CFB2B57
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94B4B mov eax, dword ptr fs:[00000030h]	0_2_6CF94B4B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF94B4B mov eax, dword ptr fs:[00000030h]	0_2_6CF94B4B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76B40 mov eax, dword ptr fs:[00000030h]	0_2_6CF76B40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76B40 mov eax, dword ptr fs:[00000030h]	0_2_6CF76B40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF88B42 mov eax, dword ptr fs:[00000030h]	0_2_6CF88B42
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFAAB40 mov eax, dword ptr fs:[00000030h]	0_2_6CFAAB40
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED8B50 mov eax, dword ptr fs:[00000030h]	0_2_6CED8B50
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EB20 mov eax, dword ptr fs:[00000030h]	0_2_6CF0EB20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0EB20 mov eax, dword ptr fs:[00000030h]	0_2_6CF0EB20
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5EB1D mov eax, dword ptr fs:[00000030h]	0_2_6CF5EB1D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4B00 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4B00
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE04E5 mov ecx, dword ptr fs:[00000030h]	0_2_6CEE04E5
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF144B0 mov ecx, dword ptr fs:[00000030h]	0_2_6CF144B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE64AB mov eax, dword ptr fs:[00000030h]	0_2_6CEE64AB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6A4B0 mov eax, dword ptr fs:[00000030h]	0_2_6CF6A4B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A49A mov eax, dword ptr fs:[00000030h]	0_2_6CF9A49A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0A470 mov eax, dword ptr fs:[00000030h]	0_2_6CF0A470
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0A470 mov eax, dword ptr fs:[00000030h]	0_2_6CF0A470
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0A470 mov eax, dword ptr fs:[00000030h]	0_2_6CF0A470
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6C460 mov ecx, dword ptr fs:[00000030h]	0_2_6CF6C460
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0245A mov eax, dword ptr fs:[00000030h]	0_2_6CF0245A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF9A456 mov eax, dword ptr fs:[00000030h]	0_2_6CF9A456
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED645D mov eax, dword ptr fs:[00000030h]	0_2_6CED645D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E443 mov eax, dword ptr fs:[00000030h]	0_2_6CF1E443
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A430 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A430
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDC427 mov eax, dword ptr fs:[00000030h]	0_2_6CEDC427
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDE420 mov eax, dword ptr fs:[00000030h]	0_2_6CEDE420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDE420 mov eax, dword ptr fs:[00000030h]	0_2_6CEDE420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDE420 mov eax, dword ptr fs:[00000030h]	0_2_6CEDE420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66420 mov eax, dword ptr fs:[00000030h]	0_2_6CF66420
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18402 mov eax, dword ptr fs:[00000030h]	0_2_6CF18402
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18402 mov eax, dword ptr fs:[00000030h]	0_2_6CF18402
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18402 mov eax, dword ptr fs:[00000030h]	0_2_6CF18402
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE25E0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE25E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C5ED mov eax, dword ptr fs:[00000030h]	0_2_6CF1C5ED
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C5ED mov eax, dword ptr fs:[00000030h]	0_2_6CF1C5ED
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A5D0 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A5D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A5D0 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A5D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E5CF mov eax, dword ptr fs:[00000030h]	0_2_6CF1E5CF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E5CF mov eax, dword ptr fs:[00000030h]	0_2_6CF1E5CF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE65D0 mov eax, dword ptr fs:[00000030h]	0_2_6CEE65D0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF045B1 mov eax, dword ptr fs:[00000030h]	0_2_6CF045B1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF045B1 mov eax, dword ptr fs:[00000030h]	0_2_6CF045B1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2582 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2582
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2582 mov ecx, dword ptr fs:[00000030h]	0_2_6CEE2582
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA580 mov ecx, dword ptr fs:[00000030h]	0_2_6CEDA580
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA580 mov eax, dword ptr fs:[00000030h]	0_2_6CEDA580
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1E59C mov eax, dword ptr fs:[00000030h]	0_2_6CF1E59C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF14588 mov eax, dword ptr fs:[00000030h]	0_2_6CF14588
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8550 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8550
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8550 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8550
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CF0E53E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CF0E53E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CF0E53E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CF0E53E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0E53E mov eax, dword ptr fs:[00000030h]	0_2_6CF0E53E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76500 mov eax, dword ptr fs:[00000030h]	0_2_6CF76500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFB4500 mov eax, dword ptr fs:[00000030h]	0_2_6CFB4500
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E6F2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E6F2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E6F2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E6F2 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E6F2
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF606F1 mov eax, dword ptr fs:[00000030h]	0_2_6CF606F1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF606F1 mov eax, dword ptr fs:[00000030h]	0_2_6CF606F1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A6C7 mov ebx, dword ptr fs:[00000030h]	0_2_6CF1A6C7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A6C7 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A6C7
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF166B0 mov eax, dword ptr fs:[00000030h]	0_2_6CF166B0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C6A6 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C6A6
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE4690 mov eax, dword ptr fs:[00000030h]	0_2_6CEE4690
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE4690 mov eax, dword ptr fs:[00000030h]	0_2_6CEE4690
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF12674 mov eax, dword ptr fs:[00000030h]	0_2_6CF12674
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A660 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A660
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A660 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A660
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFC640 mov eax, dword ptr fs:[00000030h]	0_2_6CEFC640
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE262C mov eax, dword ptr fs:[00000030h]	0_2_6CEE262C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEFE627 mov eax, dword ptr fs:[00000030h]	0_2_6CEFE627
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF16620 mov eax, dword ptr fs:[00000030h]	0_2_6CF16620
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF18620 mov eax, dword ptr fs:[00000030h]	0_2_6CF18620
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEF260B mov eax, dword ptr fs:[00000030h]	0_2_6CEF260B
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22619 mov eax, dword ptr fs:[00000030h]	0_2_6CF22619
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5E609 mov eax, dword ptr fs:[00000030h]	0_2_6CF5E609
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C7F0 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C7F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE47FB mov eax, dword ptr fs:[00000030h]	0_2_6CEE47FB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE47FB mov eax, dword ptr fs:[00000030h]	0_2_6CEE47FB
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E7E1 mov eax, dword ptr fs:[00000030h]	0_2_6CF6E7E1
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF027ED mov eax, dword ptr fs:[00000030h]	0_2_6CF027ED
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF027ED mov eax, dword ptr fs:[00000030h]	0_2_6CF027ED
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF027ED mov eax, dword ptr fs:[00000030h]	0_2_6CF027ED
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF067C0 mov eax, dword ptr fs:[00000030h]	0_2_6CF067C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF067C0 mov eax, dword ptr fs:[00000030h]	0_2_6CF067C0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF607C3 mov eax, dword ptr fs:[00000030h]	0_2_6CF607C3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE07AF mov eax, dword ptr fs:[00000030h]	0_2_6CEE07AF
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF947A0 mov eax, dword ptr fs:[00000030h]	0_2_6CF947A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF8678E mov eax, dword ptr fs:[00000030h]	0_2_6CF8678E
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE8770 mov eax, dword ptr fs:[00000030h]	0_2_6CEE8770
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22750 mov eax, dword ptr fs:[00000030h]	0_2_6CF22750
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF22750 mov eax, dword ptr fs:[00000030h]	0_2_6CF22750
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64755 mov eax, dword ptr fs:[00000030h]	0_2_6CF64755
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF6E75D mov eax, dword ptr fs:[00000030h]	0_2_6CF6E75D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA740 mov eax, dword ptr fs:[00000030h]	0_2_6CEDA740
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1674D mov esi, dword ptr fs:[00000030h]	0_2_6CF1674D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1674D mov eax, dword ptr fs:[00000030h]	0_2_6CF1674D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1674D mov eax, dword ptr fs:[00000030h]	0_2_6CF1674D
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0750 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0750
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF5C730 mov eax, dword ptr fs:[00000030h]	0_2_6CF5C730
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1273C mov eax, dword ptr fs:[00000030h]	0_2_6CF1273C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1273C mov ecx, dword ptr fs:[00000030h]	0_2_6CF1273C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1273C mov eax, dword ptr fs:[00000030h]	0_2_6CF1273C
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C720 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C720
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C720 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C720
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF10710 mov eax, dword ptr fs:[00000030h]	0_2_6CF10710
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C700 mov eax, dword ptr fs:[00000030h]	0_2_6CF1C700
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0710 mov eax, dword ptr fs:[00000030h]	0_2_6CEE0710
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF220F0 mov ecx, dword ptr fs:[00000030h]	0_2_6CF220F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE80E9 mov eax, dword ptr fs:[00000030h]	0_2_6CEE80E9
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA0E3 mov ecx, dword ptr fs:[00000030h]	0_2_6CEDA0E3
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF660E0 mov eax, dword ptr fs:[00000030h]	0_2_6CF660E0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDC0F0 mov eax, dword ptr fs:[00000030h]	0_2_6CEDC0F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF620DE mov eax, dword ptr fs:[00000030h]	0_2_6CF620DE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA60B8 mov eax, dword ptr fs:[00000030h]	0_2_6CFA60B8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CFA60B8 mov ecx, dword ptr fs:[00000030h]	0_2_6CFA60B8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CED80A0 mov eax, dword ptr fs:[00000030h]	0_2_6CED80A0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF780A8 mov eax, dword ptr fs:[00000030h]	0_2_6CF780A8
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE208A mov eax, dword ptr fs:[00000030h]	0_2_6CEE208A
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF0C073 mov eax, dword ptr fs:[00000030h]	0_2_6CF0C073
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1A060 mov eax, dword ptr fs:[00000030h]	0_2_6CF1A060
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF66050 mov eax, dword ptr fs:[00000030h]	0_2_6CF66050
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE2050 mov eax, dword ptr fs:[00000030h]	0_2_6CEE2050
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF76030 mov eax, dword ptr fs:[00000030h]	0_2_6CF76030
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDA020 mov eax, dword ptr fs:[00000030h]	0_2_6CEDA020
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDC020 mov eax, dword ptr fs:[00000030h]	0_2_6CEDC020
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF64000 mov ecx, dword ptr fs:[00000030h]	0_2_6CF64000
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF82000 mov eax, dword ptr fs:[00000030h]	0_2_6CF82000
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF82000 mov eax, dword ptr fs:[00000030h]	0_2_6CF82000

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF86F80 RtlGetProcessHeaps,RtlDebugPrintTimes,

0_2_6CF86F80

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF1C1F0 RtlSetUnhandledExceptionFilter,RtlSetUnhandledExceptionFilter,ZwQueryInformationProcess,RtlRaiseStatus,		0_2_6CF1C1F0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEDB120 RtlAddVectoredExceptionHandler,		0_2_6CEDB120

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF76500 RtlAllocateAndInitializeSidEx,RtlAllocateHeap,

0_2_6CF76500

Source: FgfPZQyCMj.exe, FgfPZQyCMj.exe, 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FgfPZQyCMj.exe, 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: u~TM\/{%08X-%04X-%04X-%04X-%08X%04X}SeDebugPrivilege%ProgramFiles%\Internet Explorer\iexplore.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXEhttp\shell\open\commandchrome.exeShell_TrayWndntdll.dll

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF235D0 ZwCreateNamedPipeFile,

0_2_6CF235D0

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF0BC20 RtlGetSystemTimePrecise,RtlQueryPerformanceCounter,_allshl,RtlGetSystemTimePrecise,

0_2_6CF0BC20

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe

Code function: 0_2_6CF94420 RtlVerifyVersionInfo,memset,RtlGetVersion,

0_2_6CF94420

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

Remote Access Functionality

Yara detected Ramnit

Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FgfPZQyCMj.exe.40529f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FgfPZQyCMj.exe PID: 7580, type: MEMORYSTR

Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2EC72 __raise_exc,WinSqmStartSqmOptinListener,	0_2_6CF2EC72
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CEE0770 WinSqmStartSqmOptinListener,	0_2_6CEE0770
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2DEAE WinSqmStartSqmOptinListener,	0_2_6CF2DEAE
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF23AD0 ZwListenPort,	0_2_6CF23AD0
Source: C:\Users\user\Desktop\FgfPZQyCMj.exe	Code function: 0_2_6CF2D492 WinSqmStartSqmOptinListener,WinSqmStartSqmOptinListener,_errno,WinSqmStartSqmOptinListener,_errno,	0_2_6CF2D492

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 DLL Side-Loading	1 Windows Service	1 Access Token Manipulation	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	3 Process Injection	3 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FgfPZQyCMj.exe	93%	Virustotal		Browse
FgfPZQyCMj.exe	97%	ReversingLabs	Win32.Infostealer.Zeus
FgfPZQyCMj.exe	100%	Avira	TR/Spy.Zbot.web
FgfPZQyCMj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~TMF551.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\~TMF551.tmp	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1598922
Start date and time:	2025-01-24 22:00:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FgfPZQyCMj.exe renamed because original name is a hash value
Original Sample Name:	1a70f6117a1037361889817c2d0b0394ed7d892f1a158724bbcf83f7da46af68.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 9 Number of non-executed functions: 473
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.31.69, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
16:01:34	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\~TMF551.tmp	Jw1Ua7eGIy	Get hash	malicious	Unknown	Browse
	2019-09-02_22-41-10.exe	Get hash	malicious	SmokeLoader	Browse
	0di3x.exe	Get hash	malicious	SmokeLoader	Browse
	S17.exe	Get hash	malicious	Unknown	Browse
	S12.exe	Get hash	malicious	Unknown	Browse
	215.exe	Get hash	malicious	Unknown	Browse
	S4.exe	Get hash	malicious	Unknown	Browse
	208.exe	Get hash	malicious	Unknown	Browse
	99.exe	Get hash	malicious	Unknown	Browse
	211.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FgfPZQyCMj.exe_aeb441fe026b54dc7bbcea91c212e4c3f0d182_da7fa28b_910b21c2-7b35-461f-b4d6-fa054dfaede5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7958536672970988
Encrypted:	false
SSDEEP:	96:pCFyOzi4K0oWOs0O4oa7Jf3QXIDcQ6gc66N6cEacw3P+HbHg/8BRTf3WrLEfIjUu:4nzBHxOc0ThAYjwxzuiFxZ24IO8+
MD5:	70C8AB9855DCEF9430FD19478F2D7FD4
SHA1:	0A8E3824700A1246EECFB23744F8D0620ACF77D0
SHA-256:	AA8492E78148F1F2D70A6F0EB21DAB2883EC604DCD1982043CB8214A327ABF9A
SHA-512:	7F53158C741A23CECF11411AAA6BE10526628591E6BF969B8B84C456A1C0E1BF5FD17E3167D714C69D7B13579F11BBE7A4E66474B5DAA3AC3217F73D90AF039B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.2.2.6.0.5.9.1.9.1.5.2.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.2.2.6.0.5.9.5.9.7.7.7.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.0.b.2.1.c.2.-.7.b.3.5.-.4.6.1.f.-.b.4.d.6.-.f.a.0.5.4.d.f.a.e.d.e.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.c.a.d.0.9.1.-.7.f.b.9.-.4.5.c.5.-.8.7.d.d.-.6.9.f.3.2.4.3.b.a.4.6.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.F.g.f.P.Z.Q.y.C.M.j...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.A.F.l.a.s.h.P.l.a.y.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.c.-.0.0.0.1.-.0.0.1.4.-.9.b.a.7.-.4.0.1.1.a.3.6.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.3.3.4.0.c.c.6.a.6.c.0.2.4.3.7.1.4.5.6.8.8.7.b.2.7.6.7.6.9.d.6.0.0.0.0.0.9.0.4.!.0.0.0.0.2.9.6.7.6.e.5.4.9.7.6.c.6.1.7.a.d.b.f.e.4.2.a.e.6.4.2.5.0.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF755.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jan 24 21:00:59 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	32774
Entropy (8bit):	1.9401570419824354
Encrypted:	false
SSDEEP:	96:538oY6EigiRrZttWGy5TX/JLSEhb4i7UusnOIDoyeKeXfgCB081uNlA4WIkWIo8S:yYWcWX/JRJ4OP3KkfgSuNuwnNd3onVA
MD5:	8FD4FB1F97911A37A6DBE7A9853F84FA
SHA1:	FC2B9A287E8B60212A79FEEAA82EB09B7B03762A
SHA-256:	9C430B574550F11D3FB5A7BDC5B6BD689EE99E753616CBAB8E486E78153D2251
SHA-512:	E71EB04AD79806C9385DD84BF51A348D1A159840A2C5B8EB0088C45422791DE2C2D4527FAC2FB8E1DD3AB031912F95A8166CAFA969DB0337816F310EEDAB9082
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................................<$..........T.......8...........T...........P....j..........p...........\...............................................................................eJ..............GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7E2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.702474537617758
Encrypted:	false
SSDEEP:	192:R6l7wVeJa663sQ6Y9cSUOEfgmfUWpDT89bnDsfdtm:R6lXJ/63sQ6YGSUOEfgmfUfnofm
MD5:	2CE7533E2877D73EB08C2E7566B15E4C
SHA1:	148A2E35AB09E9BE364FFCAEF7DFDE3A91417E0B
SHA-256:	076156CAF53A8ECE96997C4DDF9E5291F44B377DF2FDBB9D4175A373DF1D140C
SHA-512:	09E7354D2F135014DE541A2603F03DFB18D3B7A4F6BADAA39884CE9DFAE1F28592729365EB36D6344C80FD36A56A4F61A16CDFB7F6CF9DC05F842F0AE967C78E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF851.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4693
Entropy (8bit):	4.518171261039356
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9GZq6WpW8VY6Ym8M4JEGOqF7j+q8O2OW+lBv/d:uIjf0I7EZq77VCJrDA5+lBv/d
MD5:	9217E04B629F6C39D4DAB76962DD0035
SHA1:	6705AC32E46E541F23F8DDDCE1261CA66D49B421
SHA-256:	614B020915085B644E2FC1DD80BE417F3D2347201115E28AAD2FB283BCC89B8F
SHA-512:	9CE5659EB5125008F4F74D7109C6590023B40E20E7E2F0131E18A5DD76641238D4C95B73AD5D834D2769D9877048F8A6100A6B34932F3C875D906E8325E695C4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="690483" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\~TMF551.tmp

Download File

Process:	C:\Users\user\Desktop\FgfPZQyCMj.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Jw1Ua7eGIy, Detection: malicious, Browse Filename: 2019-09-02_22-41-10.exe, Detection: malicious, Browse Filename: 0di3x.exe, Detection: malicious, Browse Filename: S17.exe, Detection: malicious, Browse Filename: S12.exe, Detection: malicious, Browse Filename: 215.exe, Detection: malicious, Browse Filename: S4.exe, Detection: malicious, Browse Filename: 208.exe, Detection: malicious, Browse Filename: 99.exe, Detection: malicious, Browse Filename: 211.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465663140606055
Encrypted:	false
SSDEEP:	6144:hIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNRdwBCswSb9:iXD94+WlLZMM6YFHP+9
MD5:	592C2D1F4F336C8CEC7557F21A3AC563
SHA1:	F5A288DDFD059E8BF0EA6DB309D0A422742E13CC
SHA-256:	EB4CAD010C4CCDA4CDD19E7979B9DB67A711E31BAE3D3C822223DFCB4CCB09E8
SHA-512:	E4B222C1F23D3501075AFBA5E9653752C7DDEC8741944860DE0FCBC13AB5E5ACE0D7983F4AFB4F70F019DD320E5EA57208585CBF1AB6184707CC6C1CAD431066
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....n...............................................................................................................................................................................................................................................................................................................................................3.%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.193622275532372
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FgfPZQyCMj.exe
File size:	61'440 bytes
MD5:	03cae552e720d61dca3d4d390e874ec0
SHA1:	29676e54976c617adbfe42ae642506f42f6fe00a
SHA256:	1a70f6117a1037361889817c2d0b0394ed7d892f1a158724bbcf83f7da46af68
SHA512:	971b0ac4806170c10656fbdde9680e9a1770574bd17b822bd8405bc928e864c11dd942fcc496d304f94a3ec5becc4c8dccc73222e845b3f5a0d3ad397c36f633
SSDEEP:	1536:/h8Zc0c2TXH53F/y8fnFZTd6Ue6IWVvmfYC+zyl+U8/6OGT:58Zc0hTH53F/y0nzTd6UjIWVvn+oeT
TLSH:	BC53C06375A676CEE4B19F3E82A71D42CB4AB60183AB845D25C2154F0904FC36E9FFA1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.!.z.O.z.O.z.O.z.O.n.O.z.N.8.O.....q.O...@.L.O.../.).O.....q.O.....{.O.....{.O.....{.O.Richz.O.........PE..L.....b9...........

File Icon


Icon Hash:	0dfa7270f031138e

Static PE Info

General

Entrypoint:	0x40122e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x39629816 [Wed Jul 5 02:06:14 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1e03d117f63096a8bda81dae8d1f44b3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 24h
mov dword ptr [esp], esi
push 0040497Ch
mov dword ptr [esp], edx
mov ebx, dword ptr [esp+04h]
add ebx, esi
mov esi, dword ptr [00401104h]
lea esi, dword ptr [edi]
imul dword ptr [esp+78h]
inc edx
call dword ptr [00404BA8h]
sub edx, dword ptr [esp+14h]
xor eax, 38h
add dword ptr [00406CC3h], ecx
add ebx, dword ptr [esp+08h]
mov ebx, 00404CF3h
push ebx
mov esi, 0040109Bh
push esi
call dword ptr [00401110h]
xchg dword ptr [ebp+00h], eax
pop eax
mov dword ptr [00406D4Bh], edx
ret
mov eax, dword ptr [esp+08h]
or esi, eax
sub edx, FFFFFFE8h
push 00000000h
pop edi
mov dword ptr [00406ED7h], edi
lea eax, dword ptr [004050D4h]
sub eax, dword ptr [00401C5Ch]
sub edi, edx
push 00000032h
pop esi
sub esi, dword ptr [0040588Fh]
mov edi, 004050AAh
push edi
lea eax, dword ptr [00401A1Dh]
push eax
call dword ptr [004011BCh]
mov eax, dword ptr [esp]
add edi, dword ptr [00401C43h]
or edi, eax
pop ecx
mov dword ptr [esp], ecx
mov byte ptr [00406A48h], 00000001h
push edi
pop dword ptr [00406EF2h]
call 00007F8B5CF109B9h
push dword ptr [ebp+08h]
or eax, edi
mov byte ptr [00406EB7h], 00000000h
push ebp
call dword ptr [004011A8h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x169c	0xa0	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0xd4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1360	0x20	.text
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x216d	0x2200	833972e9769c77fc923ab4103e2b5ab5	False	0.6123621323529411	data	5.472391273380825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x27ac	0x1400	a2353b0cf574f9df6555bb9c49ad36c4	False	0.3173828125	data	3.4803085577885993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7000	0xd4c	0xe00	ba89502c439578f78fdbb4d3684f6869	False	0.3736049107142857	data	4.402830411849275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.text1	0x8000	0xbf51	0x9c00	b18bae01e7df0b304b12f2e21f1f9454	False	0.9678735977564102	data	7.926936531398433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x70e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 16, image size 2048	Norwegian	Norway	0.38086642599277976
RT_GROUP_ICON	0x7990	0x14	data	Norwegian	Norway	1.15
RT_VERSION	0x79a4	0x3a8	data	Finnish	Finland	0.4230769230769231

Imports

DLL	Import
USER32.dll	GetDesktopWindow, DestroyWindow, SetRect, GetWindowRect, EndDialog, LoadBitmapA, GetParent, SetDlgItemTextA, EnableWindow, GetDlgItemTextA, CharNextA, IsWindowVisible, DrawTextA, ScreenToClient, CreateDialogParamA, GetWindowTextA, SystemParametersInfoA, PostQuitMessage, LoadIconA, SetClassLongA, SendDlgItemMessageA, CharPrevA, SetWindowPos, BeginPaint, EndPaint, LoadCursorA, RegisterClassA, GetClientRect, GetDlgItem, FillRect
OLE32.dll	OleInitialize, OleUninitialize, CoCreateInstance
SHLWAPI.dll	PathFileExistsW, PathRemoveBackslashA, SHDeleteValueA
GDI32.dll	GetClipRgn, SetTextColor, SelectObject, CreatePen, CreateRectRgn, OffsetClipRgn, IntersectClipRect, GetStockObject, GetNearestColor, SetBkColor
URLMON.dll	CreateURLMoniker
KERNEL32.dll	GetFileAttributesA, GetVersionExA, FileTimeToSystemTime, SetStdHandle, GetEnvironmentVariableA, InitializeCriticalSection, FindFirstFileA, LeaveCriticalSection, FindClose, lstrlenA, FindVolumeClose, FindNextFileA, LoadLibraryA, GetFileType, CompareStringA, VirtualAlloc, SetConsoleCtrlHandler, SetConsoleMode, FileTimeToLocalFileTime, LCMapStringA, lstrcmpiA, HeapCreate, GetUserDefaultLCID, GetShortPathNameA, WideCharToMultiByte, GetModuleFileNameA, InterlockedExchange, GetLocaleInfoA, GetStringTypeA, GetStdHandle, GetProcessHeap, SetVolumeLabelA, GetFileTime, GetVolumeInformationA, LocalUnlock, IsValidCodePage, GetTimeZoneInformation, GetLocaleInfoW, GetStartupInfoA, GetStringTypeW, GetLocalTime, GetFullPathNameA, GetConsoleScreenBufferInfo, GetModuleHandleExW, IsValidLocale, GetConsoleMode, HeapFree, CreateFileA, VirtualFree, EnumSystemLocalesA, SetHandleCount, ExitProcess, SetEnvironmentVariableA, GetCurrentProcess, FlushFileBuffers, HeapDestroy, ReleaseMutex, GetDriveTypeA, GetDriveTypeA, SetThreadPriorityBoost, GetProcAddress, CreateMutexA, HeapAlloc, LCMapStringW, lstrcpynA, GetModuleHandleA, CompareStringW, SetupComm, GetSystemTime
SHELL32.dll	ExtractIconExA, SHGetSpecialFolderPathW, ShellExecuteExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Norwegian	Norway
Finnish	Finland

Target ID:	0
Start time:	16:00:58
Start date:	24/01/2025
Path:	C:\Users\user\Desktop\FgfPZQyCMj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FgfPZQyCMj.exe"
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	03CAE552E720D61DCA3D4D390E874EC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ramnit, Description: Yara detected Ramnit, Source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Ramnit, Description: Ramnit Payload, Source: 00000000.00000002.2041558518.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:00:59
Start date:	24/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 564
Imagebase:	0x160000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FgfPZQyCMj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FgfPZQyCMj.exe_aeb441fe026b54dc7bbcea91c212e4c3f0d182_da7fa28b_910b21c2-7b35-461f-b4d6-fa054dfaede5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF755.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7E2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF851.tmp.xml

C:\Users\user\AppData\Local\Temp\~TMF551.tmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
FgfPZQyCMj.exe