
Analysis Report http___citycapproperty.ru_localmod_nmode.exe

Overview

General Information

Sample Name: http___citycapproperty.ru_localmod_nmode.exe
Analysis ID: 399051
MD5: c178795733e8a84f750aff12e49ca3ef
SHA1: af9e5de54778ef903c892f4d0f46e39b7b07c417
SHA256: d73e37b3ed710e4128e3c76e2f0fd61dbb2fdcddfd8cfa51ffe244fa19433bb2
Tags: exe

Detection

SmokeLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to download HTTP data from a sinkholed server
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • eurbbce (PID: 6392 cmdline: C:\Users\user\AppData\Roaming\eurbbce MD5: C178795733E8A84F750AFF12E49CA3EF)
  • eurbbce (PID: 6364 cmdline: C:\Users\user\AppData\Roaming\eurbbce MD5: C178795733E8A84F750AFF12E49CA3EF)
  • cleanup
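The process tree above shows the persistence artefact worth hunting for: the loader re-launches from C:\Users\user\AppData\Roaming\eurbbce, a file with no extension whose MD5 (C178795733E8A84F750AFF12E49CA3EF) equals the submitted sample, while the original on the Desktop deletes itself and the Zone.Identifier stream is stripped. The signatures later in the report add a second dropped PE with a misleading extension (the ntdll copy 9419.tmp). The following hunt is an added example, not code from Joe Sandbox or from the report: it walks a directory tree, identifies PE images by their MZ/PE headers rather than by name, and flags any that carry a non-PE extension or a known-bad MD5. The PE_EXTENSIONS set, the finding fields and the fixture file names are my choices; the default hash list is just the sample MD5 from this report.

```python
"""Host-side hunt for the persistence artefacts shown in this report.

Added example (not Joe Sandbox code). Finds PE images that hide behind a
missing or misleading extension (eurbbce, 9419.tmp) or match a known MD5.
"""
import hashlib
import os
import tempfile

SAMPLE_MD5 = "c178795733e8a84f750aff12e49ca3ef"   # from the report above
# Extensions under which a PE image is expected; anything else is suspicious.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".mui"}


def md5_of(path: str) -> str:
    """MD5 of a file, streamed so large droppers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: str) -> bool:
    """True when the file has an MZ stub whose e_lfanew points at "PE\\0\\0"."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            if e_lfanew < 0x40 or e_lfanew > 0x1000:    # implausible stub size
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def has_zone_identifier(path: str):
    """Mark-of-the-Web lives in the Zone.Identifier ADS (NTFS only).
    Returns None where ADS cannot be read (non-Windows), else True/False."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "rb"):
            return True
    except OSError:
        return False


def hunt(root: str, known_md5=frozenset({SAMPLE_MD5})):
    """Return findings for PE files with a non-PE extension or a known hash."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_pe(path):
                continue
            reasons = []
            if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
                reasons.append("pe_without_pe_extension")   # eurbbce, 9419.tmp
            digest = md5_of(path)
            if digest in known_md5:
                reasons.append("known_hash")
            if reasons:
                findings.append({"path": path, "md5": digest, "reasons": reasons,
                                 "motw": has_zone_identifier(path)})
    return sorted(findings, key=lambda f: f["path"])


def make_fake_pe(path: str, payload: bytes = b"") -> None:
    """Constructed fixture: MZ stub plus PE signature only, not a runnable image."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    header[0x40:0x44] = b"PE\0\0"
    with open(path, "wb") as f:
        f.write(bytes(header) + payload)


def demo():
    """Build a throw-away tree mirroring the report's layout and hunt it.
    The hash of legit.exe stands in for a known-bad MD5 to exercise that path."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_pe(os.path.join(root, "eurbbce"), b"loader")     # persistence copy
        make_fake_pe(os.path.join(root, "9419.tmp"), b"ntdll")     # renamed ntdll
        make_fake_pe(os.path.join(root, "legit.exe"), b"ok")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"MZ is just text here")                      # no PE header
        known = {md5_of(os.path.join(root, "legit.exe"))}
        return {os.path.basename(f["path"]): f["reasons"] for f in hunt(root, known)}
```

On a live Windows host the call is hunt(os.environ["APPDATA"]) with the default hash set; the motw field is only meaningful there, and a locally built binary never has a Zone.Identifier stream, so its absence is recorded as context rather than treated as a reason on its own. MD5 is used because that is the hash the report's process tree gives; a real blocklist should carry the SHA256 from the header as well.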

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://autopartswarehouses.ru/", "http://memoloves.ru/", "http://powerglasspot.ru/", "http://smbproperty.ru/", "http://gmbshop.ru/", "http://baksproperty.gov.ug/", "http://magistralpsw.ru/", "http://mpmanagertzz.ru/", "http://alfavanilin.ru/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000011.00000002.342900534.0000000000400000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
0000001A.00000002.495234089.0000000000400000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
00000000.00000003.235077807.0000000000620000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
0000001A.00000003.484031694.0000000001F90000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
00000000.00000002.271809126.0000000000400000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
(1 further entry not shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.http___citycapproperty.ru_localmod_nmode.exe.400000.0.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
26.2.eurbbce.400000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
17.2.eurbbce.400000.0.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
17.2.eurbbce.400000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
0.2.http___citycapproperty.ru_localmod_nmode.exe.400000.0.raw.unpack | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
(4 further entries not shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      AV Detection:

Antivirus detection for URL or domain
Source: http://smbproperty.ru/ | Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000011.00000002.343548571.00000000020F0000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://autopartswarehouses.ru/", "http://memoloves.ru/", "http://powerglasspot.ru/", "http://smbproperty.ru/", "http://gmbshop.ru/", "http://baksproperty.gov.ug/", "http://magistralpsw.ru/", "http://mpmanagertzz.ru/", "http://alfavanilin.ru/"]}
Multi AV Scanner detection for domain / URL
Source: alfavanilin.ru | Virustotal: Detection: 8%
Source: smbproperty.ru | Virustotal: Detection: 11%
Source: magistralpsw.ru | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eurbbce | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: http___citycapproperty.ru_localmod_nmode.exe | Virustotal: Detection: 31%
Source: http___citycapproperty.ru_localmod_nmode.exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eurbbce | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: http___citycapproperty.ru_localmod_nmode.exe | Joe Sandbox ML: detected
Source: http___citycapproperty.ru_localmod_nmode.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 93.170.123.43:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: Binary string: C:\ducasilot26\wenuboki\pobimojepig\wohemeligowub_laluw.pdb | source: http___citycapproperty.ru_localmod_nmode.exe
Source: Binary string: GC:\ducasilot26\wenuboki\pobimojepig\wohemeligowub_laluw.pdbibecoki.pdb | source: http___citycapproperty.ru_localmod_nmode.exe
Source: Binary string: wntdll.pdbUGP | source: http___citycapproperty.ru_localmod_nmode.exe, 00000000.00000002.272418768.000000006DF21000.00000020.00020000.sdmp, eurbbce, 00000011.00000002.343644828.000000006DFE1000.00000020.00020000.sdmp, eurbbce, 0000001A.00000002.497653342.000000006DFE1000.00000020.00020000.sdmp, 9419.tmp.26.dr
Source: Binary string: wntdll.pdb | source: http___citycapproperty.ru_localmod_nmode.exe, eurbbce, eurbbce, 0000001A.00000002.497653342.000000006DFE1000.00000020.00020000.sdmp, 9419.tmp.26.dr
Source: Binary string: ibecoki.pdb | source: http___citycapproperty.ru_localmod_nmode.exe

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 185.14.31.88:80 -> 192.168.2.5:49719
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 185.14.31.88:80 -> 192.168.2.5:49720
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 185.14.31.88:80 -> 192.168.2.5:49721
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 185.14.31.88:80 -> 192.168.2.5:49723
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 185.14.31.88:80 -> 192.168.2.5:49724
Tries to download HTTP data from a sinkholed server
Source: global traffic | HTTP traffic detected: HTTP/1.0 404 Not Found | Date: Wed, 28 Apr 2021 08:58:50 GMT | Server: Apache/2.4.18 (Ubuntu) | X-Sinkhole: Malware sinkhole | Content-Length: 0 | Connection: close | Content-Type: text/html; charset=UTF-8
Source: global traffic | HTTP traffic detected: HTTP/1.0 404 Not Found | Date: Wed, 28 Apr 2021 08:58:56 GMT | Server: Apache/2.4.18 (Ubuntu) | X-Sinkhole: Malware sinkhole | Content-Length: 0 | Connection: close | Content-Type: text/html; charset=UTF-8
Source: global traffic | HTTP traffic detected: HTTP/1.0 404 Not Found | Date: Wed, 28 Apr 2021 08:58:57 GMT | Server: Apache/2.4.18 (Ubuntu) | X-Sinkhole: Malware sinkhole | Content-Length: 0 | Connection: close | Content-Type: text/html; charset=UTF-8
Source: global traffic | HTTP traffic detected: HTTP/1.0 404 Not Found | Date: Wed, 28 Apr 2021 08:58:58 GMT | Server: Apache/2.4.18 (Ubuntu) | X-Sinkhole: Malware sinkhole | Content-Length: 0 | Connection: close | Content-Type: text/html; charset=UTF-8
Source: global traffic | HTTP traffic detected: HTTP/1.0 404 Not Found | Date: Wed, 28 Apr 2021 08:58:58 GMT | Server: Apache/2.4.18 (Ubuntu) | X-Sinkhole: Malware sinkhole | Content-Length: 0 | Connection: close | Content-Type: text/html; charset=UTF-8
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://autopartswarehouses.ru/
Source: Malware configuration extractor | URLs: http://memoloves.ru/
Source: Malware configuration extractor | URLs: http://powerglasspot.ru/
Source: Malware configuration extractor | URLs: http://smbproperty.ru/
Source: Malware configuration extractor | URLs: http://gmbshop.ru/
Source: Malware configuration extractor | URLs: http://baksproperty.gov.ug/
Source: Malware configuration extractor | URLs: http://magistralpsw.ru/
Source: Malware configuration extractor | URLs: http://mpmanagertzz.ru/
Source: Malware configuration extractor | URLs: http://alfavanilin.ru/
Source: Joe Sandbox View | IP Address: 93.170.123.43
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: IHOR-ASRU
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://smbproperty.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 119 | Host: smbproperty.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gmbshop.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 165 | Host: gmbshop.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://magistralpsw.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 175 | Host: magistralpsw.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://powerglasspot.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 180 | Host: powerglasspot.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://autopartswarehouses.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 346 | Host: autopartswarehouses.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://memoloves.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 357 | Host: memoloves.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://alfavanilin.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 155 | Host: alfavanilin.ru
Source: unknown | DNS traffic detected: queries for: smbproperty.ru
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://smbproperty.ru/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 119 | Host: smbproperty.ru
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Apr 2021 08:58:49 GMT | Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 | X-Powered-By: PHP/5.6.40 | Content-Length: 327 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.266147257.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | HTTPS traffic detected: 93.170.123.43:443 -> 192.168.2.5:49718 version: TLS 1.2
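Two things in the traffic above are worth turning into detection logic. First, every C2 beacon has the same shape: a POST to "/" with a form-encoded body, a Referer that is simply the target's own root URL, the IE11-on-Win64 user agent, and no-cache headers, differing only in Host and Content-Length. Second, several of the configured domains answer with "X-Sinkhole: Malware sinkhole", which is what ET SID 2016803 fires on and which tells you those C2s had already been taken over when the sample ran. The block below is an added example, not part of the Joe Sandbox report: it parses HTTP request and response heads and flags both patterns. The sample traffic is re-typed from the lines above with two benign messages added as controls; the finding names are my own.

```python
"""Detection logic for the SmokeLoader network pattern recorded in this report.

Added example (not part of the Joe Sandbox report): flags the C2 beacon shape
and the sinkhole responses shown in the Networking section.
"""
from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: str          # request line or status line
    headers: dict            # header names lower-cased


def parse_http_message(raw: str) -> HttpMessage:
    """Parse a single request or response head (CRLF or LF separated)."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            break                      # no colon: headers are over
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers)


def is_smokeloader_beacon(msg: HttpMessage) -> bool:
    """Beacon shape seen above: POST to "/", form-encoded body, Referer equal
    to the target's own root URL, IE11 user agent, no-cache headers."""
    parts = msg.start_line.split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1] != "/":
        return False
    host = msg.headers.get("host", "")
    if not host or msg.headers.get("referer") != f"http://{host}/":
        return False
    ctype = msg.headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return False
    if "Trident/7.0" not in msg.headers.get("user-agent", ""):
        return False
    return msg.headers.get("pragma", "").lower() == "no-cache"


def is_sinkhole_response(msg: HttpMessage) -> bool:
    """The marker ET SID 2016803 keys on: an X-Sinkhole header in the reply."""
    return msg.start_line.startswith("HTTP/") and "x-sinkhole" in msg.headers


def scan(messages):
    """Return (finding, detail) tuples, one per matching message, in order."""
    findings = []
    for raw in messages:
        msg = parse_http_message(raw)
        if is_smokeloader_beacon(msg):
            findings.append(("smokeloader_beacon", msg.headers["host"]))
        elif is_sinkhole_response(msg):
            findings.append(("sinkhole_response", msg.headers["x-sinkhole"]))
    return findings


# Constructed sample: two beacons and one sinkhole reply re-typed from the
# traffic listed above, plus two benign messages as controls.
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_TRAFFIC = [
    "\r\n".join([
        "POST / HTTP/1.1", "Cache-Control: no-cache", "Connection: Keep-Alive",
        "Pragma: no-cache", "Content-Type: application/x-www-form-urlencoded",
        "Accept: */*", "Referer: http://smbproperty.ru/", f"User-Agent: {IE11_UA}",
        "Content-Length: 119", "Host: smbproperty.ru",
    ]),
    "\r\n".join([
        "POST / HTTP/1.1", "Cache-Control: no-cache", "Connection: Keep-Alive",
        "Pragma: no-cache", "Content-Type: application/x-www-form-urlencoded",
        "Accept: */*", "Referer: http://gmbshop.ru/", f"User-Agent: {IE11_UA}",
        "Content-Length: 165", "Host: gmbshop.ru",
    ]),
    "\r\n".join([
        "HTTP/1.0 404 Not Found", "Date: Wed, 28 Apr 2021 08:58:50 GMT",
        "Server: Apache/2.4.18 (Ubuntu)", "X-Sinkhole: Malware sinkhole",
        "Content-Length: 0", "Connection: close",
        "Content-Type: text/html; charset=UTF-8",
    ]),
    # Control: an ordinary IE11 form post whose Referer is a real page, not "/".
    "\r\n".join([
        "POST / HTTP/1.1", "Content-Type: application/x-www-form-urlencoded",
        "Referer: http://example.test/login", f"User-Agent: {IE11_UA}",
        "Host: example.test",
    ]),
    # Control: a normal 404 with no sinkhole marker.
    "\r\n".join(["HTTP/1.1 404 Not Found", "Content-Length: 0"]),
]
```

The IE11 user agent alone is not a signal, since real IE11 sends exactly that string; the combination with a root-URL Referer on a POST to "/" is what separates these beacons from browser traffic. The sinkhole check is the cheap one to add to proxy logs: a sinkhole reply means the host is infected regardless of whether the C2 is still live.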

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match | File source: 00000011.00000002.342900534.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.495234089.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235077807.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.484031694.0000000001F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.271809126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.330508330.00000000005B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.http___citycapproperty.ru_localmod_nmode.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.eurbbce.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.eurbbce.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.eurbbce.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.http___citycapproperty.ru_localmod_nmode.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.eurbbce.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.eurbbce.5b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.3.eurbbce.1f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.http___citycapproperty.ru_localmod_nmode.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: http___citycapproperty.ru_localmod_nmode.exe, 00000000.00000002.272121823.000000000083A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_00401718 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_004012E3 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_00401288 NtAllocateVirtualMemory,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_004016B6 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_00402368 NtClose
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_00401723 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_0040172E Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89780 ZwMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89660 ZwAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89600 ZwOpenKey,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF899A0 ZwCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF898C0 ZwDuplicateObject,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89860 ZwQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89820 ZwEnumerateKey,LdrInitializeThunk
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF495F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFFBDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF895F0 ZwQueryInformationFile
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89DE0 ZwAssociateWaitCompletionPacket
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E013E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF445D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF895D0 ZwClose
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFFFDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF6EDC4 ZwCancelWaitCompletionPacket
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF44DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF895C0 ZwSetEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF895B0 ZwSetInformationThread
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89DB0 ZwAlpcSetInformation
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF465A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89DA0 ZwAlpcSendWaitReceivePort
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF43591 ZwSetInformationFile
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF5DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89D70 ZwAlpcQueryInformation
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1D6A ZwWaitForMultipleObjects
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E013EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1D43 ZwQueryInformationThread
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF74D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E018ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF71520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89520 ZwWaitForSingleObject
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFFFD22 ZwQueryInformationProcess,RtlUniform
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1D0B ZwSetInformationProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFF64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF4F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1CE4 ZwQueryInformationProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF42CDB RtlFreeHeap,ZwClose,ZwSetEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7CCC0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E018F6A RtlGetCurrentServiceSessionId,ZwTraceEvent
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFC3C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8A480 ZwInitializeNlsFiles
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89C70 ZwAlpcConnectPort
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF85C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1C76 ZwQueryInformationProcess
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,0_2_6DF6746D
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFF3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,0_2_6DFF3C60
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF45450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,0_2_6DF45450
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD1C49 ZwQueryInformationProcess,0_2_6DFD1C49
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89C40 ZwAllocateVirtualMemoryEx,0_2_6DF89C40
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6FC39 ZwAssociateWaitCompletionPacket,0_2_6DF6FC39
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8A420 ZwGetNlsSectionPtr,0_2_6DF8A420
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF80413 ZwUnmapViewOfSection,0_2_6DF80413
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF50FFD RtlInitUnicodeString,ZwQueryValueKey,0_2_6DF50FFD
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD0FEC ZwDuplicateObject,ZwDuplicateObject,0_2_6DFD0FEC
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E001411 ZwTraceEvent,0_2_6E001411
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018C14 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018C14
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF737EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory,0_2_6DF737EB
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence,0_2_6DF7DFDF
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8AFD0 ZwShutdownWorkerFactory,0_2_6DF8AFD0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister,0_2_6DF4F7C0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF897C0 ZwTerminateProcess,0_2_6DF897C0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7D7CA RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection,0_2_6DF7D7CA
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF42FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6DF42FB0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF897A0 ZwUnmapViewOfSection,0_2_6DF897A0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF83FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection,0_2_6DF83FA0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7FF9C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString,0_2_6DF7FF9C
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018C75 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018C75
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFF5F87 ZwUnmapViewOfSection,0_2_6DFF5F87
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD5780 DbgPrompt,ZwWow64DebuggerCall,0_2_6DFD5780
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89F70 ZwCreateIoCompletion,0_2_6DF89F70
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89770 ZwSetInformationFile,0_2_6DF89770
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFFCF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,0_2_6DFFCF70
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose,0_2_6DFD176C
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF46F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap,0_2_6DF46F60
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E004496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,0_2_6E004496
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8AF60 ZwSetTimer2,0_2_6DF8AF60
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7CF6A memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose,0_2_6DF7CF6A
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD5F5F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose,0_2_6DFD5F5F
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89750 ZwQueryInformationThread,0_2_6DF89750
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E014CAB ZwTraceControl,0_2_6E014CAB
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF80F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose,0_2_6DF80F48
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E019CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E019CB3
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89740 ZwOpenThreadToken,0_2_6DF89740
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,0_2_6DF7174B
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,0_2_6DF7E730
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89730 ZwQueryVirtualMemory,0_2_6DF89730
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFFCF30 ZwAlertThreadByThreadId,0_2_6DFFCF30
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018CD6
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89710 ZwQueryInformationToken,0_2_6DF89710
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD6715 memset,memcpy,ZwTraceEvent,0_2_6DFD6715
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF79702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker,0_2_6DF79702
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E0014FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E0014FB
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError,0_2_6DF4B6F0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD16FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,0_2_6DFD16FA
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF9DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,0_2_6DF9DEF0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF576FE RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose,0_2_6DF576FE
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6E6F9 ZwAlpcSetInformation,0_2_6DF6E6F9
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF896E0 ZwFreeVirtualMemory,0_2_6DF896E0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF466D4 RtlInitUnicodeString,ZwQueryValueKey,0_2_6DF466D4
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF79ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,0_2_6DF79ED0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF896D0 ZwCreateKey,0_2_6DF896D0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF42ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,0_2_6DF42ED8
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018D34 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018D34
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF896C0 ZwSetInformationProcess,0_2_6DF896C0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket,0_2_6DF6E6B0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E011D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence,0_2_6E011D55
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD2EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6DFD2EA3
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E006D61 ZwAllocateVirtualMemoryEx,0_2_6E006D61
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFFBE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,0_2_6DFFBE9B
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,0_2_6DF7DE9E
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF42E9F ZwCreateEvent,ZwClose,0_2_6DF42E9F
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF43E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6DF43E80
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E00B581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E00B581
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E001582 ZwTraceEvent,0_2_6E001582
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8967A NtQueryInformationProcess,0_2_6DF8967A
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8AE70 ZwSetInformationWorkerFactory,0_2_6DF8AE70
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89670 ZwQueryInformationProcess,0_2_6DF89670
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction,0_2_6DF7BE62
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B650 RtlUnhandledExceptionFilter,ZwTerminateProcess,0_2_6DF8B650
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89650 ZwQueryValueKey,0_2_6DF89650
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD6652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection,0_2_6DFD6652
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B640 RtlUnhandledExceptionFilter,ZwTerminateProcess,0_2_6DF8B640
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFFFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6DFFFE3F
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4B630 ZwWaitForKeyedEvent,0_2_6DF4B630
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89E30 ZwCancelWaitCompletionPacket,0_2_6DF89E30
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89E20 ZwCancelTimer2,0_2_6DF89E20
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD2E14 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6DFD2E14
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,0_2_6DF4C600
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,0_2_6E018214
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD19C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose,0_2_6DFD19C8
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFC51BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy,0_2_6DFC51BE
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8A9B0 ZwQueryLicenseValue,0_2_6DF8A9B0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7C9BF DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap,0_2_6DF7C9BF
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B1A0 ZwWaitForKeyedEvent,0_2_6DF8B1A0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018A62 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018A62
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89990 ZwQueryVolumeInformationFile,0_2_6DF89990
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,0_2_6DF4519E
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,0_2_6DF6C182
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B180 ZwWaitForAlertByThreadId,0_2_6DF8B180
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89980 ZwCreateEvent,0_2_6DF89980
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFF6186 ZwQueryValueKey,memmove,RtlInitUnicodeString,0_2_6DFF6186
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7D976 ZwCreateFile,ZwCreateFile,0_2_6DF7D976
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException,0_2_6DF4B171
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD1976 ZwCreateEvent,0_2_6DFD1976
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B160 ZwUpdateWnfStateData,0_2_6DF8B160
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8A160 ZwCreateWorkerFactory,0_2_6DF8A160
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4F150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey,0_2_6DF4F150
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B150 ZwUnsubscribeWnfStateChange,0_2_6DF8B150
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,0_2_6DF4395E
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2,0_2_6DF6B944
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD193B ZwRaiseException,ZwTerminateProcess,0_2_6DFD193B
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8A130 ZwCreateWaitCompletionPacket,0_2_6DF8A130
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89920 ZwDuplicateToken,0_2_6DF89920
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018ADD RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018ADD
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF49100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,0_2_6DF49100
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF50100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap,0_2_6DF50100
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89900 ZwOpenEvent,0_2_6DF89900
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFE5100 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess,0_2_6DFE5100
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF4B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory,0_2_6DF4B8F0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF440FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess,0_2_6DF440FD
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFF60E9 ZwOpenKey,ZwClose,ZwClose,0_2_6DFF60E9
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E00131B RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E00131B
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF898D0 ZwQueryAttributesFile,0_2_6DF898D0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8A0D0 ZwCreateTimer2,0_2_6DF8A0D0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF810D7 ZwOpenKey,ZwCreateKey,0_2_6DF810D7
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF470C0 ZwClose,RtlFreeHeap,RtlFreeHeap,0_2_6DF470C0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF800C2 ZwAlertThreadByThreadId,0_2_6DF800C2
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap,0_2_6DF7F0BF
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8B0B0 ZwTraceControl,0_2_6DF8B0B0
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF718B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,0_2_6DF718B9
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6F0AE ZwSetInformationWorkerFactory,0_2_6DF6F0AE
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6E018B58 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018B58
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFF60A2 ZwQueryInformationFile,0_2_6DFF60A2
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF6E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,0_2_6DF6E090
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8A890 ZwQueryDebugFilterState,0_2_6DF8A890
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF89890 ZwFsControlFile,0_2_6DF89890
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF8108B ZwClose,0_2_6DF8108B
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF43880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,0_2_6DF43880
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DF7A080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection,0_2_6DF7A080
                      Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exeCode function: 0_2_6DFD1879 ZwAllocateVirtualMemory,memset,RtlInitializeSid,0_2_6DFD1879
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E00138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E00138A
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF5106F ZwOpenKey,ZwClose,0_2_6DF5106F
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF45050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap,0_2_6DF45050
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E001BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E001BA8
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89850 ZwQueryDirectoryFile,0_2_6DF89850
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E018BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018BB6
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89840 ZwDelayExecution,0_2_6DF89840
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E019BBE RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E019BBE
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89830 ZwOpenFile,0_2_6DF89830
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF74020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion,0_2_6DF74020
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF4F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,0_2_6DF4F018
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF423F6 ZwClose,RtlFreeHeap,0_2_6DF423F6
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89BF0 ZwAlertThreadByThreadId,0_2_6DF89BF0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF5A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString,0_2_6DF5A3E0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E01F019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,0_2_6E01F019
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF42BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose,0_2_6DF42BC2
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8A3A0 ZwGetCompleteWnfStateSubscription,0_2_6DF8A3A0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E018858 ZwAlertThreadByThreadId,0_2_6E018858
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF74BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,0_2_6DF74BAD
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF42B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,0_2_6DF42B93
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7939F RtlInitializeCriticalSectionEx,ZwDelayExecution,0_2_6DF7939F
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8AB70 ZwReleaseWorkerFactoryWorker,0_2_6DF8AB70
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF42B7E ZwSetInformationThread,ZwClose,0_2_6DF42B7E
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF73B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap,0_2_6DF73B7A
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD8372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,0_2_6DFD8372
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFF6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose,0_2_6DFF6369
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8AB60 ZwReleaseKeyedEvent,0_2_6DF8AB60
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD6365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy,0_2_6DFD6365
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF73B48 ZwClose,ZwClose,0_2_6DF73B48
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF49335 ZwClose,ZwClose,0_2_6DF49335
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF75306 ZwReleaseKeyedEvent,0_2_6DF75306
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF44B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory,0_2_6DF44B00
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89B00 ZwSetValueKey,0_2_6DF89B00
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89AE0 ZwTraceEvent,0_2_6DF89AE0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8AAE0 ZwRaiseException,0_2_6DF8AAE0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF6FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess,0_2_6DF6FAD0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1AD6 ZwFreeVirtualMemory,0_2_6DFD1AD6
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8AAC0 ZwQueryWnfStateNameInformation,0_2_6DF8AAC0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E01F13B ZwOpenKey,ZwCreateKey,0_2_6E01F13B
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89AB0 ZwWaitForMultipleObjects,0_2_6DF89AB0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7E2BB ZwWaitForAlertByThreadId,0_2_6DF7E2BB
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF41AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,0_2_6DF41AA0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF75AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads,0_2_6DF75AA0
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap,0_2_6DF7D294
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E018966 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E018966
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8AA90 ZwQuerySystemInformationEx,0_2_6DF8AA90
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF4429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption,0_2_6DF4429E
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF62280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,0_2_6DF62280
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF8B280 ZwWow64DebuggerCall,0_2_6DF8B280
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7DA88 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap,0_2_6DF7DA88
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E00A189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,0_2_6E00A189
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E0049A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,0_2_6E0049A4
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89A50 ZwCreateFile,0_2_6DF89A50
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF49240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap,0_2_6DF49240
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E01F1B5 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,0_2_6E01F1B5
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD1242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,0_2_6DFD1242
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF7B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite,0_2_6DF7B230
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89A30 ZwTerminateThread,0_2_6DF89A30
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF48239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,0_2_6DF48239
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF44A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll,0_2_6DF44A20
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DFD4A28 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose,0_2_6DFD4A28
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF6A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint,0_2_6DF6A229
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF45210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,0_2_6DF45210
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6E0189E7 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_6E0189E7
Source: C:\Users\user\Desktop\http___citycapproperty.ru_localmod_nmode.exe | Code function: 0_2_6DF89A00 ZwProtectVirtualMemory,0_2_6DF89A00
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_00401718 Sleep,NtTerminateProcess,17_2_00401718
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_004012E3 NtAllocateVirtualMemory,17_2_004012E3
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_00401288 NtAllocateVirtualMemory,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,17_2_00401288
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_004016B6 Sleep,NtTerminateProcess,17_2_004016B6
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_00402368 NtClose,17_2_00402368
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_00401723 Sleep,NtTerminateProcess,17_2_00401723
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_0040172E Sleep,NtTerminateProcess,17_2_0040172E
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049600 ZwOpenKey,LdrInitializeThunk,17_2_6E049600
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049660 ZwAllocateVirtualMemory,LdrInitializeThunk,17_2_6E049660
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049780 ZwMapViewOfSection,LdrInitializeThunk,17_2_6E049780
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049820 ZwEnumerateKey,LdrInitializeThunk,17_2_6E049820
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049860 ZwQuerySystemInformation,LdrInitializeThunk,17_2_6E049860
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E0498C0 ZwDuplicateObject,LdrInitializeThunk,17_2_6E0498C0
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E0499A0 ZwCreateSection,LdrInitializeThunk,17_2_6E0499A0
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E00C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,17_2_6E00C600
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E092E14 RtlGetCurrentServiceSessionId,ZwTraceEvent,17_2_6E092E14
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049E20 ZwCancelTimer2,17_2_6E049E20
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E0D3E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,17_2_6E0D3E22
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E00B630 ZwWaitForKeyedEvent,17_2_6E00B630
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E0BFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,17_2_6E0BFE3F
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049E30 ZwCancelWaitCompletionPacket,17_2_6E049E30
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E04B640 RtlUnhandledExceptionFilter,ZwTerminateProcess,17_2_6E04B640
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E04B650 RtlUnhandledExceptionFilter,ZwTerminateProcess,17_2_6E04B650
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E049650 ZwQueryValueKey,17_2_6E049650
Source: C:\Users\user\AppData\Roaming\eurbbce | Code function: 17_2_6E096652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection,17_2_6E096652
                      Source: C:\Users\user\AppDat