
Analysis Report PO-Yns-Reksan-SN20.exe

Overview

General Information

Sample Name: PO-Yns-Reksan-SN20.exe
Analysis ID: 312705
MD5: 11138784b5ec73ce0ee6e539e19f678a
SHA1: 2c9c0abc614f4413541b3621a4609903e100838d
SHA256: a9ceb4e1673b890902e95949f7a01a7dbe69a82cf2891f6bc18ce26cf6d94cf9
Tags: exe, GuLoader


Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO-Yns-Reksan-SN20.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe' MD5: 11138784B5EC73CE0EE6E539E19F678A)
    • PO-Yns-Reksan-SN20.exe (PID: 4596 cmdline: 'C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe' MD5: 11138784B5EC73CE0EE6E539E19F678A)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: PO-Yns-Reksan-SN20.exe PID: 4596 | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security
Process Memory Space: PO-Yns-Reksan-SN20.exe PID: 4596 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
  • Source: https://redesuperpops.com.br/trends/Edog_OhjCiGW61.bin | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
  • Source: redesuperpops.com.br | Virustotal: Detection: 8%
  • Source: https://redesuperpops.com.br/trends/Edog_OhjCiGW61.bin | Virustotal: Detection: 17%
Multi AV Scanner detection for submitted file
  • Source: PO-Yns-Reksan-SN20.exe | Virustotal: Detection: 50%
  • Source: PO-Yns-Reksan-SN20.exe | ReversingLabs: Detection: 43%
Yara detected FormBook
  • Source: Yara match | File source: 00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp, type: MEMORY
  • Source: Joe Sandbox View | IP Address: 192.185.216.181
  • Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
  • Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
  • Source: unknown | DNS traffic detected: queries for: redesuperpops.com.br
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://crl.h
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.in
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencryp
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
  • Source: explorer.exe, 0000000E.00000002.926551173.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
  • Source: explorer.exe, 0000000E.00000000.918833147.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937183428.0000000000847000.00000004.00000020.sdmp | String found in binary or memory: https://redesuperpops.com.br/
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.936935688.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Edog_OhjCiGW61.bin
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937231146.000000000088B000.00000004.00000020.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Edog_OhjCiGW61.bin=_
  • Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937183428.0000000000847000.00000004.00000020.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Edog_OhjCiGW61.binA
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
  • Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
  • Source: PO-Yns-Reksan-SN20.exe, 00000000.00000002.774611558.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
  • Source: Yara match | File source: 00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Source: 00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Process Stats: CPU usage > 98%
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_1E3C9660
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C96E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_1E3C96E0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9780 NtMapViewOfSection,LdrInitializeThunk,7_2_1E3C9780
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_1E3C9860
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_1E3C9910
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C99A0 NtCreateSection,LdrInitializeThunk,7_2_1E3C99A0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9610 NtEnumerateValueKey,7_2_1E3C9610
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9670 NtQueryInformationProcess,7_2_1E3C9670
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9650 NtQueryValueKey,7_2_1E3C9650
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C96D0 NtCreateKey,7_2_1E3C96D0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9730 NtQueryVirtualMemory,7_2_1E3C9730
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3CA710 NtOpenProcessToken,7_2_1E3CA710
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9710 NtQueryInformationToken,7_2_1E3C9710
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3CA770 NtOpenThread,7_2_1E3CA770
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9770 NtSetInformationFile,7_2_1E3C9770
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9760 NtOpenProcess,7_2_1E3C9760
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C97A0 NtUnmapViewOfSection,7_2_1E3C97A0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9FE0 NtCreateMutant,7_2_1E3C9FE0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3CAD30 NtSetContextThread,7_2_1E3CAD30
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9520 NtWaitForSingleObject,7_2_1E3C9520
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9560 NtWriteFile,7_2_1E3C9560
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9540 NtReadFile,7_2_1E3C9540
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C95F0 NtQueryInformationFile,7_2_1E3C95F0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C95D0 NtClose,7_2_1E3C95D0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9A20 NtResumeThread,7_2_1E3C9A20
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9A10 NtQuerySection,7_2_1E3C9A10
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9A00 NtProtectVirtualMemory,7_2_1E3C9A00
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9A50 NtCreateFile,7_2_1E3C9A50
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9A80 NtOpenDirectoryObject,7_2_1E3C9A80
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9B00 NtSetValueKey,7_2_1E3C9B00
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3CA3B0 NtGetContextThread,7_2_1E3CA3B0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9820 NtEnumerateKey,7_2_1E3C9820
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3CB040 NtSuspendThread,7_2_1E3CB040
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9840 NtDelayExecution,7_2_1E3C9840
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C98A0 NtWriteVirtualMemory,7_2_1E3C98A0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C98F0 NtReadVirtualMemory,7_2_1E3C98F0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9950 NtQueueApcThread,7_2_1E3C9950
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C99D0 NtCreateProcessEx,7_2_1E3C99D0
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056C5BF NtProtectVirtualMemory,7_2_0056C5BF
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00564648 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,7_2_00564648
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00566A12 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,7_2_00566A12
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00560BDA EnumWindows,NtSetInformationThread,7_2_00560BDA
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056107B NtProtectVirtualMemory,7_2_0056107B
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056B9FD NtSetInformationThread,7_2_0056B9FD
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056607E NtProtectVirtualMemory,7_2_0056607E
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_005660CA NtProtectVirtualMemory,7_2_005660CA
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056613A NtProtectVirtualMemory,7_2_0056613A
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056A28D NtSetInformationThread,7_2_0056A28D
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00564517 NtProtectVirtualMemory,7_2_00564517
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056463E RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,7_2_0056463E
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_005646B2 NtProtectVirtualMemory,7_2_005646B2
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00564716 NtProtectVirtualMemory,7_2_00564716
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00560CC9 NtSetInformationThread,7_2_00560CC9
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00560D7A NtSetInformationThread,7_2_00560D7A
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00560D16 NtSetInformationThread,7_2_00560D16
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00560DDA NtSetInformationThread,7_2_00560DDA
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00562ECC NtSetInformationThread,7_2_00562ECC
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00561CF6 NtProtectVirtualMemory,7_2_00561CF6
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00561CA1 NtProtectVirtualMemory,7_2_00561CA1
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00565F7A NtProtectVirtualMemory,7_2_00565F7A
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00565F33 NtProtectVirtualMemory,7_2_00565F33
  • Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00565F28 NtProtectVirtualMemory,7_2_00565F28
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C98F0 NtReadVirtualMemory,7_2_1E3C98F0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C9950 NtQueueApcThread,7_2_1E3C9950
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C99D0 NtCreateProcessEx,7_2_1E3C99D0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056C5BF NtProtectVirtualMemory,7_2_0056C5BF
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00564648 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,7_2_00564648
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00566A12 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,7_2_00566A12
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00560BDA EnumWindows,NtSetInformationThread,7_2_00560BDA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056107B NtProtectVirtualMemory,7_2_0056107B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056B9FD NtSetInformationThread,7_2_0056B9FD
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056607E NtProtectVirtualMemory,7_2_0056607E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_005660CA NtProtectVirtualMemory,7_2_005660CA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056613A NtProtectVirtualMemory,7_2_0056613A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056A28D NtSetInformationThread,7_2_0056A28D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00564517 NtProtectVirtualMemory,7_2_00564517
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_0056463E RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,7_2_0056463E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_005646B2 NtProtectVirtualMemory,7_2_005646B2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00564716 NtProtectVirtualMemory,7_2_00564716
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00560CC9 NtSetInformationThread,7_2_00560CC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00560D7A NtSetInformationThread,7_2_00560D7A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00560D16 NtSetInformationThread,7_2_00560D16
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00560DDA NtSetInformationThread,7_2_00560DDA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00562ECC NtSetInformationThread,7_2_00562ECC
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00561CF6 NtProtectVirtualMemory,7_2_00561CF6
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00561CA1 NtProtectVirtualMemory,7_2_00561CA1
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00565F7A NtProtectVirtualMemory,7_2_00565F7A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00565F33 NtProtectVirtualMemory,7_2_00565F33
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00565F28 NtProtectVirtualMemory,7_2_00565F28
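The rows above are one line per disassembled function with the native APIs it resolves; the leading number of each function id is the report's process index (0 for the first PO-Yns-Reksan-SN20.exe instance, 7 for the copy it spawned), and the same primitives are spread over dozens of rows, many of them listed twice. The helper below is an added triage example, not part of this report or of the sandbox's own tooling: it parses rows in this shape, folds duplicates, and groups the Nt* calls per process so the section-mapping/APC/thread-context injection chain and the NtSetInformationThread call sites stand out. The sample input is ten rows copied from this section (column separator restored) with one row repeated on purpose; the "injection chain" rule is this helper's own heuristic, not the sandbox's.

```python
"""Triage helper for the 'Code function' rows of a sandbox report.

Added example; not part of the report or of the sandbox's own tooling. Rows
have the shape '<function id> <api>,<api>,...,<function id>' (or only the id
when no API was resolved); the leading number of the id is the process index
used in the report. The helper folds duplicated rows and groups the native
APIs per process so that injection and anti-debug primitives stand out.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"Code function:\s*(?:(?P<start>\d+_\d+_[0-9A-Fa-f]{8})\s*)?"
    r"(?P<apis>.*?)(?P<end>\d+_\d+_[0-9A-Fa-f]{8})\s*$"
)

# Primitives that together make a section-mapping / APC / context-hijack
# injection chain (this grouping is the helper's own heuristic).
INJECTION_APIS = {
    "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
    "NtWriteVirtualMemory", "NtQueueApcThread", "NtSetContextThread",
    "NtResumeThread", "NtCreateProcessEx",
}
# NtSetInformationThread is the call behind ThreadHideFromDebugger;
# NtQueryInformationProcess is the usual debugger-port probe.
ANTI_DEBUG_APIS = {"NtSetInformationThread", "NtQueryInformationProcess"}


def parse_rows(text):
    """Return {(process_index, function_id): [api, ...]} with duplicates folded."""
    functions = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        fn_id = m.group("end")
        apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
        functions.setdefault((int(fn_id.split("_")[0]), fn_id), apis)
    return functions


def summarize(text):
    """Per-process view of the native API surface plus the anti-debug call sites."""
    funcs = parse_rows(text)
    by_proc = defaultdict(set)
    anti_debug_fns = set()
    for (proc, fn_id), apis in funcs.items():
        by_proc[proc].update(apis)
        if ANTI_DEBUG_APIS & set(apis):
            anti_debug_fns.add(fn_id)
    processes = {}
    for proc, apis in by_proc.items():
        hit = INJECTION_APIS & apis
        processes[proc] = {
            "native_apis": sorted(a for a in apis if a.startswith("Nt")),
            "injection_apis": sorted(hit),
            # Call it a chain only with a writer plus a way to run what was
            # written, so a lone NtResumeThread in a launcher does not trip it.
            "injection_chain": "NtWriteVirtualMemory" in hit
            and bool(hit & {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"}),
        }
    return {
        "processes": processes,
        "anti_debug_functions": sorted(anti_debug_fns),
        "unique_functions": len(funcs),
    }


# Constructed sample: ten rows copied from the report section above (column
# separator restored), one of them repeated on purpose to show the folding.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9780 NtMapViewOfSection,LdrInitializeThunk,7_2_1E3C9780
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C99A0 NtCreateSection,LdrInitializeThunk,7_2_1E3C99A0
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C98A0 NtWriteVirtualMemory,7_2_1E3C98A0
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9950 NtQueueApcThread,7_2_1E3C9950
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3CAD30 NtSetContextThread,7_2_1E3CAD30
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3C9A20 NtResumeThread,7_2_1E3C9A20
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00566A12 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,7_2_00566A12
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056B9FD NtSetInformationThread,7_2_0056B9FD
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056B9FD NtSetInformationThread,7_2_0056B9FD
Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_004016770_2_00401677
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Feed it the whole section rather than the excerpt; rows without an API name (such as 0_2_00401677) still count toward unique_functions but add nothing to the API sets, and the parser accepts both the fused form of the raw export and the form with the separator restored.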
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_00401677
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3A6E30
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E44D616
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E452EF7
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E451FF1
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E44D466
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E39841F
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E451D55
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E380D20
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E452D07
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E4525DD
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3B2581
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E39D5E0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E4522AE
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E452B28
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3BEBB0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E44DBD2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E441002
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3B20A0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E39B090
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E4528EC
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E4520A8
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3A4120
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E38F900
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: String function: 1E38B150 appears 35 times
        Source: PO-Yns-Reksan-SN20.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: PO-Yns-Reksan-SN20.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: PO-Yns-Reksan-SN20.exe, 00000000.00000002.774381463.0000000000415000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameellipsometre.exe vs PO-Yns-Reksan-SN20.exe
        Source: PO-Yns-Reksan-SN20.exe, 00000000.00000002.774779499.00000000020B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PO-Yns-Reksan-SN20.exe
        Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.940995992.000000001E60F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO-Yns-Reksan-SN20.exe
        Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937497850.0000000002530000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs PO-Yns-Reksan-SN20.exe
        Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937488076.0000000002520000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs PO-Yns-Reksan-SN20.exe
        Source: PO-Yns-Reksan-SN20.exe, 00000007.00000000.773258637.0000000000415000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameellipsometre.exe vs PO-Yns-Reksan-SN20.exe
        Source: PO-Yns-Reksan-SN20.exe | Binary or memory string: OriginalFilenameellipsometre.exe vs PO-Yns-Reksan-SN20.exe
        Source: 00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000002.940604721.000000001E130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0892CCF7B0CAA4C8.TMP
        Source: PO-Yns-Reksan-SN20.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: PO-Yns-Reksan-SN20.exe | Virustotal: Detection: 50%
        Source: PO-Yns-Reksan-SN20.exe | ReversingLabs: Detection: 43%
        Source: unknown | Process created: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe 'C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe 'C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe'
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Process created: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe 'C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe'
        Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.909925656.0000000005A00000.00000002.00000001.sdmp
        Source: Binary string: wntdll.pdbUGP source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.940720012.000000001E360000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: PO-Yns-Reksan-SN20.exe
        Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.909925656.0000000005A00000.00000002.00000001.sdmp

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match | File source: Process Memory Space: PO-Yns-Reksan-SN20.exe PID: 4596, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO-Yns-Reksan-SN20.exe PID: 6584, type: MEMORY
        Yara detected VB6 Downloader Generic
        Source: Yara match | File source: Process Memory Space: PO-Yns-Reksan-SN20.exe PID: 4596, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO-Yns-Reksan-SN20.exe PID: 6584, type: MEMORY
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_00404671 push ecx; iretd 0_2_0040471A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_00412623 push eax; ret 0_2_00412662
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_00405794 push ebp; retf 0_2_00405796
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_020E1D4A push eax; iretd 0_2_020E1D65
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_1E3DD0D1 push ecx; ret 7_2_1E3DD0E4
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00561D4A push eax; iretd 7_2_00561D65
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Contains functionality to detect hardware virtualization (CPUID execution measurement)
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_020E2ECC
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_020E17A6
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056107B NtProtectVirtualMemory,7_2_0056107B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_0056AD76
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 7_2_00562ECC NtSetInformationThread,7_2_00562ECC
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000020EAD01 second address: 00000000020EAD01 instructions:
            0x00000000 rdtsc
            0x00000002 mov eax, 00000001h
            0x00000007 cpuid
            0x00000009 popad
            0x0000000a call 00007F4F883756C8h
            0x0000000f lfence
            0x00000012 mov edx, dword ptr [7FFE0014h]
            0x00000018 lfence
            0x0000001b ret
            0x0000001c sub edx, esi
            0x0000001e ret
            0x0000001f cmp edx, edx
            0x00000021 cmp cl, FFFFFFD0h
            0x00000024 add edi, edx
            0x00000026 dec dword ptr [ebp+000000F8h]
            0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h
            0x00000033 jne 00007F4F883756A1h
            0x00000035 cmp ebx, 85807CB3h
            0x0000003b call 00007F4F88375784h
            0x00000040 call 00007F4F883756DAh
            0x00000045 lfence
            0x00000048 mov edx, dword ptr [7FFE0014h]
            0x0000004e lfence
            0x00000051 ret
            0x00000052 mov esi, edx
            0x00000054 pushad
            0x00000055 rdtsc
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: PO-Yns-Reksan-SN20.exe, PO-Yns-Reksan-SN20.exe, 00000007.00000002.936935688.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: PO-Yns-Reksan-SN20.exe, 00000000.00000002.774611558.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE3K
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000020EAD01 second address: 00000000020EAD01 (the same rdtsc / cpuid / rdtsc sequence as listed under "Detected RDTSC dummy instruction sequence" above)
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000020EAD6B second address: 00000000020EAD6B instructions:
            0x00000000 rdtsc
            0x00000002 lfence
            0x00000005 shl edx, 20h
            0x00000008 or edx, eax
            0x0000000a ret
            0x0000000b mov esi, edx
            0x0000000d pushad
            0x0000000e mov eax, 00000001h
            0x00000013 cpuid
            0x00000015 bt ecx, 1Fh
            0x00000019 jc 00007F4F88C33075h
            0x0000001f popad
            0x00000020 call 00007F4F88C328B5h
            0x00000025 lfence
            0x00000028 rdtsc
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 000000000056AD6B second address: 000000000056AD6B instructions:
            0x00000000 rdtsc
            0x00000002 lfence
            0x00000005 shl edx, 20h
            0x00000008 or edx, eax
            0x0000000a ret
            0x0000000b mov esi, edx
            0x0000000d pushad
            0x0000000e mov eax, 00000001h
            0x00000013 cpuid
            0x00000015 bt ecx, 1Fh
            0x00000019 jc 00007F4F883760E5h
            0x0000001f popad
            0x00000020 call 00007F4F88375925h
            0x00000025 lfence
            0x00000028 rdtsc
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions:
            0x00000000 rdtsc
            0x00000002 xor ecx, ecx
            0x00000004 add ecx, eax
            0x00000006 rdtsc
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions:
            0x00000000 rdtsc
            0x00000002 xor ecx, ecx
            0x00000004 add ecx, eax
            0x00000006 rdtsc
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: 0_2_020E206B rdtsc 0_2_020E206B
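The interceptor rows are the sandbox's raw instruction trace between two rdtsc reads, and what sits between the reads is what distinguishes one check from another: a cpuid with eax set to 1 (a serialising instruction that forces a VM exit under a hypervisor, so its latency is the signal), a bt ecx, 1Fh right after it (on leaf 1, ECX bit 31 is the hypervisor-present flag), a read of dword ptr [7FFE0014h] (the low part of SystemTime in KUSER_SHARED_DATA, a second clock that costs no system call), and a dec / jne counter that repeats the measurement. The decoder below is an added example, not from the report or from the sandbox vendor: it turns rows in this format into (offset, mnemonic, operands) triples and flags those four features. The three sample rows are copied from this section with the column separator restored; the feature names and the small instruction windows it searches are this example's own choices.

```python
"""Decoder for the 'RDTSC instruction interceptor' rows of a sandbox report.

Added example; not part of the report or of the sandbox's tooling. It turns
the one-line instruction dump into (offset, mnemonic, operands) triples and
flags the features that make a timing check out of a plain rdtsc pair.
"""
import re

# "0x00000002 mov eax, 00000001h 0x00000007 cpuid ..." -> (offset, text) pairs.
INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(.+?)(?=\s+0x[0-9a-fA-F]{8}\s|\s*$)")
ADDR_RE = re.compile(r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)")


def decode(row):
    """Split one interceptor row into [(offset, mnemonic, operands), ...]."""
    listing = row.split("instructions:", 1)[1]
    insns = []
    for off, text in INSN_RE.findall(listing):
        parts = text.strip().split(None, 1)
        operands = parts[1].strip() if len(parts) > 1 else ""
        insns.append((int(off, 16), parts[0].lower(), operands))
    return insns


def classify(insns):
    """Name the anti-VM / anti-analysis features present in one sequence."""
    mnems = [m for _, m, _ in insns]
    rdtsc_at = [i for i, m in enumerate(mnems) if m == "rdtsc"]
    # cpuid between two rdtsc reads: the measured quantity is cpuid itself,
    # which exits to the hypervisor and therefore takes far longer in a VM.
    timed_cpuid = any("cpuid" in mnems[a + 1:b] for a, b in zip(rdtsc_at, rdtsc_at[1:]))
    hypervisor_bit = False
    for i, (_, m, _) in enumerate(insns):
        if m != "cpuid":
            continue
        leaf1 = any(mm == "mov" and oo.lower().startswith("eax, 00000001h")
                    for _, mm, oo in insns[max(0, i - 3):i])
        # cpuid leaf 1 reports the hypervisor-present flag in ECX bit 31.
        bit31 = any(mm == "bt" and oo.lower().replace(" ", "") == "ecx,1fh"
                    for _, mm, oo in insns[i + 1:i + 3])
        hypervisor_bit = hypervisor_bit or (leaf1 and bit31)
    # 0x7FFE0014 is KUSER_SHARED_DATA.SystemTime.LowPart: a second clock that
    # user mode can read with no API call, to be compared against rdtsc.
    shared_clock = any("7ffe0014h" in o.lower() for _, _, o in insns)
    # A decremented counter plus a conditional jump: the measurement is repeated.
    counter_loop = "dec" in mnems and any(m.startswith("j") and m != "jmp" for m in mnems)
    return {
        "rdtsc_reads": len(rdtsc_at),
        "timed_cpuid": timed_cpuid,
        "hypervisor_bit_check": hypervisor_bit,
        "kuser_shared_data_clock": shared_clock,
        "counter_loop": counter_loop,
    }


def analyze(row):
    """Addresses from the row header plus the classification of its listing."""
    m = ADDR_RE.search(row)
    info = {"first": int(m.group(1), 16), "second": int(m.group(2), 16)} if m else {}
    info.update(classify(decode(row)))
    return info


# Constructed sample: three rows copied from the report section above
# (column separator restored).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000020EAD01 second address: 00000000020EAD01 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F4F883756C8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp edx, edx 0x00000021 cmp cl, FFFFFFD0h 0x00000024 add edi, edx 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F4F883756A1h 0x00000035 cmp ebx, 85807CB3h 0x0000003b call 00007F4F88375784h 0x00000040 call 00007F4F883756DAh 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc",
    r"Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000020EAD6B second address: 00000000020EAD6B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F4F88C33075h 0x0000001f popad 0x00000020 call 00007F4F88C328B5h 0x00000025 lfence 0x00000028 rdtsc",
    r"Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(analyze(row))
```

The first row scores as a timed cpuid with the shared-data clock and a repeat counter (the "instruction hammering" the signature names), the second as the hypervisor-present bit test, and the third, the plain rdtsc pair at 0x4098E4, as nothing more than two reads, which is why the report lists it as a timing probe but not as a CPUID measurement.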
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CAD0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CB72
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CB22
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CBCA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CD76
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CDD2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CE36
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CE8E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056CFD2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D08B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D17E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D11A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D1DA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D21E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D3EA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D39A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D436
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D4EA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D496
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe | Code function: EnumServicesStatusA,7_2_0056D542
        Source: explorer.exe, 0000000E.00000000.909709083.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: explorer.exe, 0000000E.00000000.917678769.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 0000000E.00000000.910292985.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 0000000E.00000000.917678769.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
        Source: PO-Yns-Reksan-SN20.exe, 00000007.00000002.937243317.000000000089B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWen-USn
        Source: explorer.exe, 0000000E.00000000.907677388.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
        Source: explorer.exe, 0000000E.00000000.909709083.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: explorer.exe, 0000000E.00000000.917792518.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
        Source: PO-Yns-Reksan-SN20.exe, PO-Yns-Reksan-SN20.exe, 00000007.00000002.936935688.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: explorer.exe, 0000000E.00000000.909709083.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: PO-Yns-Reksan-SN20.exe, 00000000.00000002.774611558.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe3K
        Source: explorer.exe, 0000000E.00000000.917792518.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
        Source: explorer.exe, 0000000E.00000000.909709083.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00566A12 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00560DEC,00000000,00000000,000000007_2_00566A12
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_00566A12 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00560DEC,00000000,00000000,000000007_2_00566A12
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E206B rdtsc 0_2_020E206B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E206B rdtsc 0_2_020E206B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C967A LdrInitializeThunk,7_2_1E3C967A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C967A LdrInitializeThunk,7_2_1E3C967A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E427A mov eax, dword ptr fs:[00000030h]0_2_020E427A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E433E mov eax, dword ptr fs:[00000030h]0_2_020E433E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020EA68A mov eax, dword ptr fs:[00000030h]0_2_020EA68A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E334B mov eax, dword ptr fs:[00000030h]0_2_020E334B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E97C7 mov eax, dword ptr fs:[00000030h]0_2_020E97C7
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E5A9B mov eax, dword ptr fs:[00000030h]0_2_020E5A9B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020EBA96 mov eax, dword ptr fs:[00000030h]0_2_020EBA96
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E5AE2 mov eax, dword ptr fs:[00000030h]0_2_020E5AE2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020EBAF2 mov eax, dword ptr fs:[00000030h]0_2_020EBAF2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020EBB46 mov eax, dword ptr fs:[00000030h]0_2_020EBB46
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020EBBBA mov eax, dword ptr fs:[00000030h]0_2_020EBBBA
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020EB9FD mov eax, dword ptr fs:[00000030h]0_2_020EB9FD
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E3E2E mov eax, dword ptr fs:[00000030h]0_2_020E3E2E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 0_2_020E3DE1 mov eax, dword ptr fs:[00000030h]0_2_020E3DE1
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44AE44 mov eax, dword ptr fs:[00000030h]7_2_1E44AE44
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44AE44 mov eax, dword ptr fs:[00000030h]7_2_1E44AE44
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E38E620 mov eax, dword ptr fs:[00000030h]7_2_1E38E620
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BA61C mov eax, dword ptr fs:[00000030h]7_2_1E3BA61C
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BA61C mov eax, dword ptr fs:[00000030h]7_2_1E3BA61C
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E38C600 mov eax, dword ptr fs:[00000030h]7_2_1E38C600
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E38C600 mov eax, dword ptr fs:[00000030h]7_2_1E38C600
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E38C600 mov eax, dword ptr fs:[00000030h]7_2_1E38C600
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B8E00 mov eax, dword ptr fs:[00000030h]7_2_1E3B8E00
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AAE73 mov eax, dword ptr fs:[00000030h]7_2_1E3AAE73
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AAE73 mov eax, dword ptr fs:[00000030h]7_2_1E3AAE73
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AAE73 mov eax, dword ptr fs:[00000030h]7_2_1E3AAE73
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AAE73 mov eax, dword ptr fs:[00000030h]7_2_1E3AAE73
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AAE73 mov eax, dword ptr fs:[00000030h]7_2_1E3AAE73
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441608 mov eax, dword ptr fs:[00000030h]7_2_1E441608
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E39766D mov eax, dword ptr fs:[00000030h]7_2_1E39766D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E397E41 mov eax, dword ptr fs:[00000030h]7_2_1E397E41
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E397E41 mov eax, dword ptr fs:[00000030h]7_2_1E397E41
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E397E41 mov eax, dword ptr fs:[00000030h]7_2_1E397E41
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E397E41 mov eax, dword ptr fs:[00000030h]7_2_1E397E41
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E397E41 mov eax, dword ptr fs:[00000030h]7_2_1E397E41
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E397E41 mov eax, dword ptr fs:[00000030h]7_2_1E397E41
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E43FE3F mov eax, dword ptr fs:[00000030h]7_2_1E43FE3F
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E43FEC0 mov eax, dword ptr fs:[00000030h]7_2_1E43FEC0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E458ED6 mov eax, dword ptr fs:[00000030h]7_2_1E458ED6
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E41FE87 mov eax, dword ptr fs:[00000030h]7_2_1E41FE87
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B16E0 mov ecx, dword ptr fs:[00000030h]7_2_1E3B16E0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3976E2 mov eax, dword ptr fs:[00000030h]7_2_1E3976E2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E450EA5 mov eax, dword ptr fs:[00000030h]7_2_1E450EA5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E450EA5 mov eax, dword ptr fs:[00000030h]7_2_1E450EA5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E450EA5 mov eax, dword ptr fs:[00000030h]7_2_1E450EA5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E4046A7 mov eax, dword ptr fs:[00000030h]7_2_1E4046A7
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B36CC mov eax, dword ptr fs:[00000030h]7_2_1E3B36CC
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C8EC7 mov eax, dword ptr fs:[00000030h]7_2_1E3C8EC7
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BE730 mov eax, dword ptr fs:[00000030h]7_2_1E3BE730
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E384F2E mov eax, dword ptr fs:[00000030h]7_2_1E384F2E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E384F2E mov eax, dword ptr fs:[00000030h]7_2_1E384F2E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AF716 mov eax, dword ptr fs:[00000030h]7_2_1E3AF716
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E458F6A mov eax, dword ptr fs:[00000030h]7_2_1E458F6A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BA70E mov eax, dword ptr fs:[00000030h]7_2_1E3BA70E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BA70E mov eax, dword ptr fs:[00000030h]7_2_1E3BA70E
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E45070D mov eax, dword ptr fs:[00000030h]7_2_1E45070D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E45070D mov eax, dword ptr fs:[00000030h]7_2_1E45070D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E41FF10 mov eax, dword ptr fs:[00000030h]7_2_1E41FF10
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E41FF10 mov eax, dword ptr fs:[00000030h]7_2_1E41FF10
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E39FF60 mov eax, dword ptr fs:[00000030h]7_2_1E39FF60
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E39EF40 mov eax, dword ptr fs:[00000030h]7_2_1E39EF40
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E398794 mov eax, dword ptr fs:[00000030h]7_2_1E398794
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C37F5 mov eax, dword ptr fs:[00000030h]7_2_1E3C37F5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E407794 mov eax, dword ptr fs:[00000030h]7_2_1E407794
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E407794 mov eax, dword ptr fs:[00000030h]7_2_1E407794
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E407794 mov eax, dword ptr fs:[00000030h]7_2_1E407794
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E41C450 mov eax, dword ptr fs:[00000030h]7_2_1E41C450
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E41C450 mov eax, dword ptr fs:[00000030h]7_2_1E41C450
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BBC2C mov eax, dword ptr fs:[00000030h]7_2_1E3BBC2C
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E441C06 mov eax, dword ptr fs:[00000030h]7_2_1E441C06
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E45740D mov eax, dword ptr fs:[00000030h]7_2_1E45740D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E45740D mov eax, dword ptr fs:[00000030h]7_2_1E45740D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E45740D mov eax, dword ptr fs:[00000030h]7_2_1E45740D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406C0A mov eax, dword ptr fs:[00000030h]7_2_1E406C0A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406C0A mov eax, dword ptr fs:[00000030h]7_2_1E406C0A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406C0A mov eax, dword ptr fs:[00000030h]7_2_1E406C0A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406C0A mov eax, dword ptr fs:[00000030h]7_2_1E406C0A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3A746D mov eax, dword ptr fs:[00000030h]7_2_1E3A746D
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BA44B mov eax, dword ptr fs:[00000030h]7_2_1E3BA44B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E458CD6 mov eax, dword ptr fs:[00000030h]7_2_1E458CD6
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E39849B mov eax, dword ptr fs:[00000030h]7_2_1E39849B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406CF0 mov eax, dword ptr fs:[00000030h]7_2_1E406CF0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406CF0 mov eax, dword ptr fs:[00000030h]7_2_1E406CF0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406CF0 mov eax, dword ptr fs:[00000030h]7_2_1E406CF0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E4414FB mov eax, dword ptr fs:[00000030h]7_2_1E4414FB
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B4D3B mov eax, dword ptr fs:[00000030h]7_2_1E3B4D3B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B4D3B mov eax, dword ptr fs:[00000030h]7_2_1E3B4D3B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B4D3B mov eax, dword ptr fs:[00000030h]7_2_1E3B4D3B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E403540 mov eax, dword ptr fs:[00000030h]7_2_1E403540
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E38AD30 mov eax, dword ptr fs:[00000030h]7_2_1E38AD30
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E393D34 mov eax, dword ptr fs:[00000030h]7_2_1E393D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AC577 mov eax, dword ptr fs:[00000030h]7_2_1E3AC577
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3AC577 mov eax, dword ptr fs:[00000030h]7_2_1E3AC577
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3A7D50 mov eax, dword ptr fs:[00000030h]7_2_1E3A7D50
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E458D34 mov eax, dword ptr fs:[00000030h]7_2_1E458D34
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E40A537 mov eax, dword ptr fs:[00000030h]7_2_1E40A537
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44E539 mov eax, dword ptr fs:[00000030h]7_2_1E44E539
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3C3D43 mov eax, dword ptr fs:[00000030h]7_2_1E3C3D43
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406DC9 mov eax, dword ptr fs:[00000030h]7_2_1E406DC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406DC9 mov eax, dword ptr fs:[00000030h]7_2_1E406DC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406DC9 mov eax, dword ptr fs:[00000030h]7_2_1E406DC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406DC9 mov ecx, dword ptr fs:[00000030h]7_2_1E406DC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406DC9 mov eax, dword ptr fs:[00000030h]7_2_1E406DC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E406DC9 mov eax, dword ptr fs:[00000030h]7_2_1E406DC9
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B1DB5 mov eax, dword ptr fs:[00000030h]7_2_1E3B1DB5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B1DB5 mov eax, dword ptr fs:[00000030h]7_2_1E3B1DB5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B1DB5 mov eax, dword ptr fs:[00000030h]7_2_1E3B1DB5
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B35A1 mov eax, dword ptr fs:[00000030h]7_2_1E3B35A1
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BFD9B mov eax, dword ptr fs:[00000030h]7_2_1E3BFD9B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3BFD9B mov eax, dword ptr fs:[00000030h]7_2_1E3BFD9B
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44FDE2 mov eax, dword ptr fs:[00000030h]7_2_1E44FDE2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44FDE2 mov eax, dword ptr fs:[00000030h]7_2_1E44FDE2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44FDE2 mov eax, dword ptr fs:[00000030h]7_2_1E44FDE2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E44FDE2 mov eax, dword ptr fs:[00000030h]7_2_1E44FDE2
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E438DF1 mov eax, dword ptr fs:[00000030h]7_2_1E438DF1
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E382D8A mov eax, dword ptr fs:[00000030h]7_2_1E382D8A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E382D8A mov eax, dword ptr fs:[00000030h]7_2_1E382D8A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E382D8A mov eax, dword ptr fs:[00000030h]7_2_1E382D8A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E382D8A mov eax, dword ptr fs:[00000030h]7_2_1E382D8A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E382D8A mov eax, dword ptr fs:[00000030h]7_2_1E382D8A
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B2581 mov eax, dword ptr fs:[00000030h]7_2_1E3B2581
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B2581 mov eax, dword ptr fs:[00000030h]7_2_1E3B2581
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B2581 mov eax, dword ptr fs:[00000030h]7_2_1E3B2581
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E3B2581 mov eax, dword ptr fs:[00000030h]7_2_1E3B2581
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E39D5E0 mov eax, dword ptr fs:[00000030h]7_2_1E39D5E0
        Source: C:\Users\user\Desktop\PO-Yns-Reksan-SN20.exeCode function: 7_2_1E39D5E0 mov eax, dword ptr fs:[00000030h]7_2_1E39D5E0