Windows Analysis Report xax2K3BWhm.exe

Overview

General Information

Sample Name: xax2K3BWhm.exe
Analysis ID: 435322
MD5: e3686e4e0ed04a1fd38bb5060cb2441e
SHA1: 7a6e59e6c01135ab4ec685dc8c6bf7835429c916
SHA256: 1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
Tags: exe

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
DLL reload attack detected
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["https://hewilldoit.xyz/zizi/", "https://hehasdoneit.xyz/zizi/"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ahafdus ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: xax2K3BWhm.exe ReversingLabs: Detection: 44%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ahafdus Joe Sandbox ML: detected
Machine Learning detection for sample
Source: xax2K3BWhm.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: xax2K3BWhm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: xax2K3BWhm.exe, 00000004.00000002.716058267.000000006D7E1000.00000020.00020000.sdmp, ahafdus, 0000000E.00000002.788823862.000000006F4D1000.00000020.00020000.sdmp, BCCB.tmp.4.dr
Source: Binary string: wntdll.pdb source: xax2K3BWhm.exe, ahafdus, BCCB.tmp.4.dr
Source: Binary string: C:\faxeka.pdb source: xax2K3BWhm.exe
Source: Binary string: O7C:\faxeka.pdb`KC@+C source: xax2K3BWhm.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://hewilldoit.xyz/zizi/
Source: Malware configuration extractor URLs: https://hehasdoneit.xyz/zizi/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: hewilldoit.xyz
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HSAE HSAE
Source: unknown DNS traffic detected: queries for: hewilldoit.xyz
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.1.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ahafdus.400000.0.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_03390110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_03390110
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_004017F6 Sleep,NtTerminateProcess, 4_2_004017F6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00401801 Sleep,NtTerminateProcess, 4_2_00401801
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_0040180F Sleep,NtTerminateProcess, 4_2_0040180F
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00401813 Sleep,NtTerminateProcess, 4_2_00401813
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00401820 Sleep,NtTerminateProcess, 4_2_00401820
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_004017CF Sleep,NtTerminateProcess, 4_2_004017CF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883971 ZwOpenKeyEx, 4_2_6D883971
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891976 ZwCreateEvent, 4_2_6D891976
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 4_2_6D803880
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883884 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap, 4_2_6D883884
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84108B ZwClose, 4_2_6D84108B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 4_2_6D82E090
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A890 ZwQueryDebugFilterState, 4_2_6D84A890
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849890 ZwFsControlFile, 4_2_6D849890
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B60A2 ZwQueryInformationFile, 4_2_6D8B60A2
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82F0AE ZwSetInformationWorkerFactory, 4_2_6D82F0AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84B0B0 ZwTraceControl, 4_2_6D84B0B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8318B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 4_2_6D8318B9
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 4_2_6D83F0BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8070C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 4_2_6D8070C0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8400C2 ZwAlertThreadByThreadId, 4_2_6D8400C2
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8410D7 ZwOpenKey,ZwCreateKey, 4_2_6D8410D7
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A0D0 ZwCreateTimer2, 4_2_6D84A0D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8498D0 ZwQueryAttributesFile, 4_2_6D8498D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 RtlAcquirePrivilege,RtlAllocateHeap,ZwSetInformationThread,RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,RtlAllocateHeap,ZwAdjustPrivilegesToken,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwSetInformationThread,ZwClose,RtlFreeHeap, 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 4_2_6D80B8F0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8180FC RtlEqualUnicodeString,ZwMapViewOfSection,ZwUnmapViewOfSection,LdrQueryImageFileKeyOption,RtlAcquirePrivilege,RtlReleasePrivilege, 4_2_6D8180FC
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8040FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 4_2_6D8040FD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849800 ZwOpenProcessTokenEx, 4_2_6D849800
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8DF019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 4_2_6D8DF019
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 4_2_6D80F018
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 4_2_6D834020
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849830 ZwOpenFile, 4_2_6D849830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849840 ZwDelayExecution, 4_2_6D849840
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 4_2_6D805050
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8858 ZwAlertThreadByThreadId, 4_2_6D8D8858
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81106F ZwOpenKey,ZwClose, 4_2_6D81106F
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 4_2_6D891879
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 4_2_6D8C138A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 4_2_6D802B93
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A390 ZwGetCachedSigningLevel, 4_2_6D84A390
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 4_2_6D83939F
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A3A0 ZwGetCompleteWnfStateSubscription, 4_2_6D84A3A0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 4_2_6D8C1BA8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 4_2_6D834BAD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D9BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 4_2_6D8D9BBE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 4_2_6D8D8BB6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 4_2_6D802BC2
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849BF0 ZwAlertThreadByThreadId, 4_2_6D849BF0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8023F6 ZwClose,RtlFreeHeap, 4_2_6D8023F6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 4_2_6D804B00
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849B00 ZwSetValueKey, 4_2_6D849B00
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D835306 ZwReleaseKeyedEvent, 4_2_6D835306
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 4_2_6D8C131B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809335 ZwClose,ZwClose, 4_2_6D809335
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B48 ZwClose,ZwClose, 4_2_6D833B48
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 4_2_6D8D8B58
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 4_2_6D8B6369
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AB60 ZwReleaseKeyedEvent, 4_2_6D84AB60
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D816B6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor, 4_2_6D816B6B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D887365 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException, 4_2_6D887365
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 4_2_6D833B7A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D898372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 4_2_6D898372
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802B7E ZwSetInformationThread,ZwClose, 4_2_6D802B7E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D822280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 4_2_6D822280
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84B280 ZwWow64DebuggerCall, 4_2_6D84B280
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AA90 ZwQuerySystemInformationEx, 4_2_6D84AA90
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 4_2_6D83D294
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 4_2_6D80429E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D801AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 4_2_6D801AA0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D835AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 4_2_6D835AA0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8052A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 4_2_6D8052A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849AB0 ZwWaitForMultipleObjects, 4_2_6D849AB0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83E2BB ZwWaitForAlertByThreadId, 4_2_6D83E2BB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AAC0 ZwQueryWnfStateNameInformation, 4_2_6D84AAC0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 4_2_6D82FAD0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891AD6 ZwFreeVirtualMemory, 4_2_6D891AD6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849AE0 ZwTraceEvent, 4_2_6D849AE0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AAE0 ZwRaiseException, 4_2_6D84AAE0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AAF0 ZwRaiseHardError, 4_2_6D84AAF0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849A00 ZwProtectVirtualMemory, 4_2_6D849A00
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 4_2_6D805210
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 4_2_6D8D8214
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 4_2_6D804A20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AA20 ZwQuerySecurityAttributesToken, 4_2_6D84AA20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 4_2_6D83B230
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D808239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 4_2_6D808239
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 4_2_6D809240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 4_2_6D891242
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_004017F6 Sleep,NtTerminateProcess, 14_2_004017F6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_00401801 Sleep,NtTerminateProcess, 14_2_00401801
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_0040180F Sleep,NtTerminateProcess, 14_2_0040180F
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_00401813 Sleep,NtTerminateProcess, 14_2_00401813
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_00401820 Sleep,NtTerminateProcess, 14_2_00401820
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_004017CF Sleep,NtTerminateProcess, 14_2_004017CF
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539780 ZwMapViewOfSection,LdrInitializeThunk, 14_2_6F539780
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53967A NtQueryInformationProcess,LdrInitializeThunk, 14_2_6F53967A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539660 ZwAllocateVirtualMemory,LdrInitializeThunk, 14_2_6F539660
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539600 ZwOpenKey,LdrInitializeThunk, 14_2_6F539600
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5399A0 ZwCreateSection,LdrInitializeThunk, 14_2_6F5399A0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539860 ZwQuerySystemInformation,LdrInitializeThunk, 14_2_6F539860
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539820 ZwEnumerateKey,LdrInitializeThunk, 14_2_6F539820
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5398C0 ZwDuplicateObject,LdrInitializeThunk, 14_2_6F5398C0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539750 ZwQueryInformationThread, 14_2_6F539750
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539740 ZwOpenThreadToken, 14_2_6F539740
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 14_2_6F52174B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F530F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 14_2_6F530F48
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539F70 ZwCreateIoCompletion, 14_2_6F539F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539770 ZwSetInformationFile, 14_2_6F539770
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5ACF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 14_2_6F5ACF70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap, 14_2_6F4F6F60
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AF60 ZwSetTimer2, 14_2_6F53AF60
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F58176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 14_2_6F58176C
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8F6A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539710 ZwQueryInformationToken, 14_2_6F539710
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F586715 memset,memcpy,ZwTraceEvent, 14_2_6F586715
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F529702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 14_2_6F529702
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 14_2_6F52E730
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539730 ZwQueryVirtualMemory, 14_2_6F539730
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5ACF30 ZwAlertThreadByThreadId, 14_2_6F5ACF30
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AFD0 ZwShutdownWorkerFactory, 14_2_6F53AFD0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 14_2_6F52DFDF
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FF7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 14_2_6F4FF7C0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5397C0 ZwTerminateProcess, 14_2_6F5397C0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F500FFD RtlInitUnicodeString,ZwQueryValueKey, 14_2_6F500FFD
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F580FEC ZwDuplicateObject,ZwDuplicateObject, 14_2_6F580FEC
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A5F87 ZwUnmapViewOfSection, 14_2_6F5A5F87
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5397A0 ZwUnmapViewOfSection, 14_2_6F5397A0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F533FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 14_2_6F533FA0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 14_2_6F53B650
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539650 ZwQueryValueKey, 14_2_6F539650
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F586652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection, 14_2_6F586652
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 14_2_6F53B640
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AE70 ZwSetInformationWorkerFactory, 14_2_6F53AE70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539670 ZwQueryInformationProcess, 14_2_6F539670
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 14_2_6F52BE62
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F582E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F582E14
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FC600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 14_2_6F4FC600
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539E30 ZwCancelWaitCompletionPacket, 14_2_6F539E30
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5AFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5AFE3F
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539E20 ZwCancelTimer2, 14_2_6F539E20
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C3E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 14_2_6F5C3E22
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FB630 ZwWaitForKeyedEvent, 14_2_6F4FB630
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F529ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 14_2_6F529ED0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5396D0 ZwCreateKey, 14_2_6F5396D0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8ED6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5396C0 ZwSetInformationProcess, 14_2_6F5396C0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 14_2_6F4F2ED8
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F66D4 RtlInitUnicodeString,ZwQueryValueKey, 14_2_6F4F66D4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5816FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 14_2_6F5816FA
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F54DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 14_2_6F54DEF0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51E6F9 ZwAlpcSetInformation, 14_2_6F51E6F9
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5396E0 ZwFreeVirtualMemory, 14_2_6F5396E0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FB6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 14_2_6F4FB6F0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5ABE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 14_2_6F5ABE9B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 14_2_6F52DE9E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F4F3E80
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2E9F ZwCreateEvent,ZwClose, 14_2_6F4F2E9F
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C3EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 14_2_6F5C3EBC
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 14_2_6F51E6B0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F582EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F582EA3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C1D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence, 14_2_6F5C1D55
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581D43 ZwQueryInformationThread, 14_2_6F581D43
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539D70 ZwAlpcQueryInformation, 14_2_6F539D70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 14_2_6F581570
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581D6A ZwWaitForMultipleObjects, 14_2_6F581D6A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B6D61 ZwAllocateVirtualMemoryEx, 14_2_6F5B6D61
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581D0B ZwSetInformationProcess, 14_2_6F581D0B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8D34
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 14_2_6F524D3B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F521520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539520 ZwWaitForSingleObject, 14_2_6F539520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5AFD22 ZwQueryInformationProcess,RtlUniform, 14_2_6F5AFD22
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5395D0 ZwClose, 14_2_6F5395D0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5AFDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5AFDD3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F4DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 14_2_6F4F4DC0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5395C0 ZwSetEvent, 14_2_6F5395C0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51EDC4 ZwCancelWaitCompletionPacket, 14_2_6F51EDC4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F45D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 14_2_6F4F45D0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5ABDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 14_2_6F5ABDFA
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5395F0 ZwQueryInformationFile, 14_2_6F5395F0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539DE0 ZwAssociateWaitCompletionPacket, 14_2_6F539DE0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F95F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 14_2_6F4F95F0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 14_2_6F50DD80
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B1582 ZwTraceEvent, 14_2_6F5B1582
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BB581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5BB581
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3591 ZwSetInformationFile, 14_2_6F4F3591
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5395B0 ZwSetInformationThread, 14_2_6F5395B0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539DB0 ZwAlpcSetInformation, 14_2_6F539DB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F65A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 14_2_6F4F65A0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539DA0 ZwAlpcSendWaitReceivePort, 14_2_6F539DA0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581C49 ZwQueryInformationProcess, 14_2_6F581C49
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539C40 ZwAllocateVirtualMemoryEx, 14_2_6F539C40
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F5450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 14_2_6F4F5450
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539C70 ZwAlpcConnectPort, 14_2_6F539C70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F535C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 14_2_6F535C70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8C75
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581C76 ZwQueryInformationProcess, 14_2_6F581C76
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 14_2_6F5A3C60
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 14_2_6F51746D
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F530413 ZwUnmapViewOfSection, 14_2_6F530413
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8C14
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B1411 ZwTraceEvent, 14_2_6F5B1411
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51FC39 ZwAssociateWaitCompletionPacket, 14_2_6F51FC39
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A420 ZwGetNlsSectionPtr, 14_2_6F53A420
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8CD6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2CDB RtlFreeHeap,ZwClose,ZwSetEvent, 14_2_6F4F2CDB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B14FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5B14FB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 14_2_6F5A64FB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FF4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 14_2_6F4FF4E3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581CE4 ZwQueryInformationProcess, 14_2_6F581CE4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F573C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 14_2_6F573C93
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B4496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 14_2_6F5B4496
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A480 ZwInitializeNlsFiles, 14_2_6F53A480
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C9CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C9CB3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C4CAB ZwTraceControl, 14_2_6F5C4CAB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8B58
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F523B48 ZwClose,ZwClose, 14_2_6F523B48
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AB70 ZwReleaseWorkerFactoryWorker, 14_2_6F53AB70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F523B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 14_2_6F523B7A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F588372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 14_2_6F588372
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2B7E ZwSetInformationThread,ZwClose, 14_2_6F4F2B7E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AB60 ZwReleaseKeyedEvent, 14_2_6F53AB60
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 14_2_6F5A6369
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F586365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy, 14_2_6F586365
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5B131B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F4B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 14_2_6F4F4B00
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539B00 ZwSetValueKey, 14_2_6F539B00
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F525306 ZwReleaseKeyedEvent, 14_2_6F525306
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F9335 ZwClose,ZwClose, 14_2_6F4F9335
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 14_2_6F4F2BC2
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539BF0 ZwAlertThreadByThreadId, 14_2_6F539BF0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString, 14_2_6F50A3E0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F23F6 ZwClose,RtlFreeHeap, 14_2_6F4F23F6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 14_2_6F52939F
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5B138A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 14_2_6F4F2B93
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C9BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C9BBE
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8BB6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A3A0 ZwGetCompleteWnfStateSubscription, 14_2_6F53A3A0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B1BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5B1BA8
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 14_2_6F524BAD
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F9240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 14_2_6F4F9240
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 14_2_6F581242
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8A62
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 14_2_6F5C8214
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539A00 ZwProtectVirtualMemory, 14_2_6F539A00
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F5210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 14_2_6F4F5210
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 14_2_6F52B230
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F4A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 14_2_6F4F4A20
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F8239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 14_2_6F4F8239
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 14_2_6F51A229
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 14_2_6F51FAD0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8ADD
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581AD6 ZwFreeVirtualMemory, 14_2_6F581AD6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AAC0 ZwQueryWnfStateNameInformation, 14_2_6F53AAC0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539AE0 ZwTraceEvent, 14_2_6F539AE0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AAE0 ZwRaiseException, 14_2_6F53AAE0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53AA90 ZwQuerySystemInformationEx, 14_2_6F53AA90
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 14_2_6F52D294
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F512280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 14_2_6F512280
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 14_2_6F4F429E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B280 ZwWow64DebuggerCall, 14_2_6F53B280
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539AB0 ZwWaitForMultipleObjects, 14_2_6F539AB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52E2BB ZwWaitForAlertByThreadId, 14_2_6F52E2BB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F52A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 14_2_6F4F52A5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F1AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 14_2_6F4F1AA0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F525AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 14_2_6F525AA0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B150 ZwUnsubscribeWnfStateChange, 14_2_6F53B150
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 14_2_6F4F395E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 14_2_6F51B944
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FF150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey, 14_2_6F4FF150
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581976 ZwCreateEvent, 14_2_6F581976
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B160 ZwUpdateWnfStateData, 14_2_6F53B160
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A160 ZwCreateWorkerFactory, 14_2_6F53A160
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C8966
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FB171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 14_2_6F4FB171
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F9100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 14_2_6F4F9100
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F500100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 14_2_6F500100
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539900 ZwOpenEvent, 14_2_6F539900
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F58193B ZwRaiseException,ZwTerminateProcess, 14_2_6F58193B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A130 ZwCreateWaitCompletionPacket, 14_2_6F53A130
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5CF13B ZwOpenKey,ZwCreateKey, 14_2_6F5CF13B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F514120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap, 14_2_6F514120
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539920 ZwDuplicateToken, 14_2_6F539920
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5819C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 14_2_6F5819C8
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C89E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 14_2_6F5C89E7
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539990 ZwQueryVolumeInformationFile, 14_2_6F539990
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 14_2_6F4F519E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BA189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 14_2_6F5BA189
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 14_2_6F51C182
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539980 ZwCreateEvent, 14_2_6F539980
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B180 ZwWaitForAlertByThreadId, 14_2_6F53B180
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A6186 ZwQueryValueKey,memmove,RtlInitUnicodeString, 14_2_6F5A6186
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A9B0 ZwQueryLicenseValue, 14_2_6F53A9B0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5751BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy, 14_2_6F5751BE
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B1A0 ZwWaitForKeyedEvent, 14_2_6F53B1A0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B49A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 14_2_6F5B49A4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8858 ZwAlertThreadByThreadId, 14_2_6F5C8858
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539840 ZwDelayExecution, 14_2_6F539840
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F5050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 14_2_6F4F5050
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F581879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 14_2_6F581879
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50106F ZwOpenKey,ZwClose, 14_2_6F50106F
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5CF019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 14_2_6F5CF019
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FF018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 14_2_6F4FF018
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539830 ZwOpenFile, 14_2_6F539830
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 14_2_6F524020
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A0D0 ZwCreateTimer2, 14_2_6F53A0D0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5398D0 ZwQueryAttributesFile, 14_2_6F5398D0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5310D7 ZwOpenKey,ZwCreateKey, 14_2_6F5310D7
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F70C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 14_2_6F4F70C0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5300C2 ZwAlertThreadByThreadId, 14_2_6F5300C2
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F40FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 14_2_6F4F40FD
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A60E9 ZwOpenKey,ZwClose,ZwClose, 14_2_6F5A60E9
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FB8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 14_2_6F4FB8F0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 14_2_6F51E090
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53A890 ZwQueryDebugFilterState, 14_2_6F53A890
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F539890 ZwFsControlFile, 14_2_6F539890
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 14_2_6F4F3880
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52A080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection, 14_2_6F52A080
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53108B ZwClose, 14_2_6F53108B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F53B0B0 ZwTraceControl, 14_2_6F53B0B0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5218B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 14_2_6F5218B9
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 14_2_6F52F0BF
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A60A2 ZwQueryInformationFile, 14_2_6F5A60A2
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51F0AE ZwSetInformationWorkerFactory, 14_2_6F51F0AE
Detected potential crypto function
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_004024A8 4_2_004024A8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8335D0 4_2_6D8335D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D800D20 4_2_6D800D20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C67E2 4_2_6D8C67E2
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D826E30 4_2_6D826E30
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D824120 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81B090 4_2_6D81B090
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1002 4_2_6D8C1002
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A830 4_2_6D82A830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D838840 4_2_6D838840
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8AEB8A 4_2_6D8AEB8A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83EBB0 4_2_6D83EBB0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83ABD8 4_2_6D83ABD8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B23E3 4_2_6D8B23E3
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D858BE8 4_2_6D858BE8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82AB40 4_2_6D82AB40
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D32A9 4_2_6D8D32A9
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8CE2C5 4_2_6D8CE2C5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BFA2B 4_2_6D8BFA2B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_004024A8 14_2_004024A8
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B67E2 14_2_6F5B67E2
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F516E30 14_2_6F516E30
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C2EF7 14_2_6F5C2EF7
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C1D55 14_2_6F5C1D55
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F0D20 14_2_6F4F0D20
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5235D0 14_2_6F5235D0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B4496 14_2_6F5B4496
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51AB40 14_2_6F51AB40
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51A309 14_2_6F51A309
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52ABD8 14_2_6F52ABD8
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A23E3 14_2_6F5A23E3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F548BE8 14_2_6F548BE8
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F59EB8A 14_2_6F59EB8A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52EBB0 14_2_6F52EBB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5AFA2B 14_2_6F5AFA2B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BE2C5 14_2_6F5BE2C5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B4AEF 14_2_6F5B4AEF
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C32A9 14_2_6F5C32A9
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F514120 14_2_6F514120
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5199BF 14_2_6F5199BF
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F528840 14_2_6F528840
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6800 14_2_6F4F6800
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B1002 14_2_6F5B1002
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51A830 14_2_6F51A830
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50B090 14_2_6F50B090
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: String function: 6D85D08C appears 32 times
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: String function: 6D895720 appears 41 times
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: String function: 6D80B150 appears 122 times
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: String function: 6F585720 appears 41 times
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: String function: 6F4FB150 appears 128 times
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: String function: 6F54D08C appears 38 times
PE file does not import any functions
Source: BCCB.tmp.4.dr Static PE information: No import functions for PE file found
Source: BCCB.tmp.14.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: xax2K3BWhm.exe, 00000004.00000002.716338273.000000006D8FF000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs xax2K3BWhm.exe
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
Uses 32bit PE files
Source: xax2K3BWhm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BCCB.tmp.4.dr Binary string: \Device\IPT
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/4@1/2
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\Desktop\xax2K3BWhm.exe File created: C:\Users\user\AppData\Local\Temp\BCCB.tmp
Source: xax2K3BWhm.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xax2K3BWhm.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\AppData\Roaming\ahafdus Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: C:\Users\user\AppData\Roaming\ahafdus Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: xax2K3BWhm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: xax2K3BWhm.exe, 00000004.00000002.716058267.000000006D7E1000.00000020.00020000.sdmp, ahafdus, 0000000E.00000002.788823862.000000006F4D1000.00000020.00020000.sdmp, BCCB.tmp.4.dr
Source: Binary string: wntdll.pdb source: xax2K3BWhm.exe, ahafdus, BCCB.tmp.4.dr
Source: Binary string: C:\faxeka.pdb source: xax2K3BWhm.exe
Source: Binary string: O7C:\faxeka.pdb`KC@+C source: xax2K3BWhm.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp
Source: xax2K3BWhm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xax2K3BWhm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xax2K3BWhm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xax2K3BWhm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xax2K3BWhm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Unpacked PE file: 4.2.xax2K3BWhm.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ahafdus Unpacked PE file: 14.2.ahafdus.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Binary contains a suspicious time stamp
Source: BCCB.tmp.4.dr Static PE information: 0xC8733C73 [Sun Jul 26 13:21:55 2076 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_0040A020 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0040A020
PE file contains sections with non-standard names
Source: BCCB.tmp.4.dr Static PE information: section name: RT
Source: BCCB.tmp.4.dr Static PE information: section name: .mrdata
Source: BCCB.tmp.4.dr Static PE information: section name: .00cfg
Source: BCCB.tmp.14.dr Static PE information: section name: RT
Source: BCCB.tmp.14.dr Static PE information: section name: .mrdata
Source: BCCB.tmp.14.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h 4_2_00402E23
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_004024A8 push FFFFFF99h; retf F1D6h 4_2_004027A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D85D0D1 push ecx; ret 4_2_6D85D0E4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_1_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h 4_1_00402E23
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h 14_2_00402E23
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_004024A8 push FFFFFF99h; retf F1D6h 14_2_004027A5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F54D0D1 push ecx; ret 14_2_6F54D0E4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_1_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h 14_1_00402E23
Source: initial sample Static PE information: section name: .text entropy: 6.88203005979
Source: initial sample Static PE information: section name: .text entropy: 6.85305507137
Source: initial sample Static PE information: section name: .text entropy: 6.88203005979
Source: initial sample Static PE information: section name: .text entropy: 6.85305507137

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\ahafdus File created: C:\Users\user\AppData\Local\Temp\BCCB.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ahafdus
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ahafdus

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\BCCB.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Roaming\ahafdus Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\BCCB.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\xax2k3bwhm.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\ahafdus:Zone.Identifier read attributes | delete

Malware Analysis System Evasion:

Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\ahafdus Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\ahafdus Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\ahafdus Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\ahafdus Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\ahafdus Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\ahafdus Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Renames NTDLL to bypass HIPS
Source: C:\Users\user\Desktop\xax2K3BWhm.exe File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Users\user\Desktop\xax2K3BWhm.exe File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Users\user\AppData\Roaming\ahafdus File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Users\user\AppData\Roaming\ahafdus File opened: C:\Windows\SysWOW64\ntdll.dll
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ahafdus, 0000000E.00000002.788446105.00000000004DB000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D836B90 rdtsc 4_2_6D836B90
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 676
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 368
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 412
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6500 Thread sleep count: 676 > 30
Source: C:\Windows\explorer.exe TID: 768 Thread sleep count: 347 > 30
Source: C:\Windows\explorer.exe TID: 768 Thread sleep time: -34700s >= -30000s
Source: C:\Windows\explorer.exe TID: 6508 Thread sleep count: 368 > 30
Source: C:\Windows\explorer.exe TID: 6508 Thread sleep time: -36800s >= -30000s
Source: C:\Windows\explorer.exe TID: 5684 Thread sleep count: 412 > 30
Source: C:\Windows\explorer.exe TID: 5696 Thread sleep count: 241 > 30
Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.687406902.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.683895687.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.687406902.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000006.00000000.709055237.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000006.00000000.692687947.000000000FD29000.00000004.00000001.sdmp Binary or memory string: f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\xax2K3BWhm.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\xax2K3BWhm.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\ahafdus System information queried: CodeIntegrityInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ahafdus Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D836B90 rdtsc 4_2_6D836B90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849780 ZwMapViewOfSection,LdrInitializeThunk, 4_2_6D849780
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_00406C70 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00406C70
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_0040A020 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0040A020
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_03390042 push dword ptr fs:[00000030h] 0_2_03390042
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803591 mov eax, dword ptr fs:[00000030h] 4_2_6D803591
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8335A1 mov eax, dword ptr fs:[00000030h] 4_2_6D8335A1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831DB5 mov eax, dword ptr fs:[00000030h] 4_2_6D831DB5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831DB5 mov eax, dword ptr fs:[00000030h] 4_2_6D831DB5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831DB5 mov eax, dword ptr fs:[00000030h] 4_2_6D831DB5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8015C1 mov eax, dword ptr fs:[00000030h] 4_2_6D8015C1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8095F0 mov eax, dword ptr fs:[00000030h] 4_2_6D8095F0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8095F0 mov ecx, dword ptr fs:[00000030h] 4_2_6D8095F0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B8DF1 mov eax, dword ptr fs:[00000030h] 4_2_6D8B8DF1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F51D mov eax, dword ptr fs:[00000030h] 4_2_6D80F51D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h] 4_2_6D831520
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h] 4_2_6D831520
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h] 4_2_6D831520
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h] 4_2_6D831520
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h] 4_2_6D831520
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80AD30 mov eax, dword ptr fs:[00000030h] 4_2_6D80AD30
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834D3B mov eax, dword ptr fs:[00000030h] 4_2_6D834D3B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834D3B mov eax, dword ptr fs:[00000030h] 4_2_6D834D3B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834D3B mov eax, dword ptr fs:[00000030h] 4_2_6D834D3B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8D34 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8D34
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D843D43 mov eax, dword ptr fs:[00000030h] 4_2_6D843D43
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883540 mov eax, dword ptr fs:[00000030h] 4_2_6D883540
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B3D40 mov eax, dword ptr fs:[00000030h] 4_2_6D8B3D40
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80354C mov eax, dword ptr fs:[00000030h] 4_2_6D80354C
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80354C mov eax, dword ptr fs:[00000030h] 4_2_6D80354C
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D827D50 mov eax, dword ptr fs:[00000030h] 4_2_6D827D50
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82C577 mov eax, dword ptr fs:[00000030h] 4_2_6D82C577
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82C577 mov eax, dword ptr fs:[00000030h] 4_2_6D82C577
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D801480 mov eax, dword ptr fs:[00000030h] 4_2_6D801480
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h] 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80649B mov eax, dword ptr fs:[00000030h] 4_2_6D80649B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80649B mov eax, dword ptr fs:[00000030h] 4_2_6D80649B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804CB0 mov eax, dword ptr fs:[00000030h] 4_2_6D804CB0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802CDB mov eax, dword ptr fs:[00000030h] 4_2_6D802CDB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8CD6 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8CD6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C14FB mov eax, dword ptr fs:[00000030h] 4_2_6D8C14FB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D740D mov eax, dword ptr fs:[00000030h] 4_2_6D8D740D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D740D mov eax, dword ptr fs:[00000030h] 4_2_6D8D740D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D740D mov eax, dword ptr fs:[00000030h] 4_2_6D8D740D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC01
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC01
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC01
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC01
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1C06
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8C14 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8C14
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83BC2C mov eax, dword ptr fs:[00000030h] 4_2_6D83BC2C
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804439 mov eax, dword ptr fs:[00000030h] 4_2_6D804439
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89C450 mov eax, dword ptr fs:[00000030h] 4_2_6D89C450
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89C450 mov eax, dword ptr fs:[00000030h] 4_2_6D89C450
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82746D mov eax, dword ptr fs:[00000030h] 4_2_6D82746D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D845C70 mov eax, dword ptr fs:[00000030h] 4_2_6D845C70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC77
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC77
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC77
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h] 4_2_6D81FC77
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h] 4_2_6D83AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8C75 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8C75
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803FC5 mov eax, dword ptr fs:[00000030h] 4_2_6D803FC5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803FC5 mov eax, dword ptr fs:[00000030h] 4_2_6D803FC5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803FC5 mov eax, dword ptr fs:[00000030h] 4_2_6D803FC5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h] 4_2_6D8337EB
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8437F5 mov eax, dword ptr fs:[00000030h] 4_2_6D8437F5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834710 mov eax, dword ptr fs:[00000030h] 4_2_6D834710
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82F716 mov eax, dword ptr fs:[00000030h] 4_2_6D82F716
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89FF10 mov eax, dword ptr fs:[00000030h] 4_2_6D89FF10
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89FF10 mov eax, dword ptr fs:[00000030h] 4_2_6D89FF10
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804F2E mov eax, dword ptr fs:[00000030h] 4_2_6D804F2E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804F2E mov eax, dword ptr fs:[00000030h] 4_2_6D804F2E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83E730 mov eax, dword ptr fs:[00000030h] 4_2_6D83E730
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82B73D mov eax, dword ptr fs:[00000030h] 4_2_6D82B73D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82B73D mov eax, dword ptr fs:[00000030h] 4_2_6D82B73D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80A745 mov eax, dword ptr fs:[00000030h] 4_2_6D80A745
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83DF4C mov eax, dword ptr fs:[00000030h] 4_2_6D83DF4C
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82E760 mov eax, dword ptr fs:[00000030h] 4_2_6D82E760
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82E760 mov eax, dword ptr fs:[00000030h] 4_2_6D82E760
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8F6A mov eax, dword ptr fs:[00000030h] 4_2_6D8D8F6A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h] 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803E80 mov eax, dword ptr fs:[00000030h] 4_2_6D803E80
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803E80 mov eax, dword ptr fs:[00000030h] 4_2_6D803E80
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83DE9E mov eax, dword ptr fs:[00000030h] 4_2_6D83DE9E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83DE9E mov eax, dword ptr fs:[00000030h] 4_2_6D83DE9E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83DE9E mov eax, dword ptr fs:[00000030h] 4_2_6D83DE9E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D892EA3 mov eax, dword ptr fs:[00000030h] 4_2_6D892EA3
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8846A7 mov eax, dword ptr fs:[00000030h] 4_2_6D8846A7
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8336CC mov eax, dword ptr fs:[00000030h] 4_2_6D8336CC
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8ED6 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8ED6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D843EE4 mov eax, dword ptr fs:[00000030h] 4_2_6D843EE4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D843EE4 mov eax, dword ptr fs:[00000030h] 4_2_6D843EE4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D843EE4 mov eax, dword ptr fs:[00000030h] 4_2_6D843EE4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8316E0 mov ecx, dword ptr fs:[00000030h] 4_2_6D8316E0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8176E2 mov eax, dword ptr fs:[00000030h] 4_2_6D8176E2
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80C600 mov eax, dword ptr fs:[00000030h] 4_2_6D80C600
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80C600 mov eax, dword ptr fs:[00000030h] 4_2_6D80C600
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80C600 mov eax, dword ptr fs:[00000030h] 4_2_6D80C600
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D892E14 mov eax, dword ptr fs:[00000030h] 4_2_6D892E14
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D840E21 mov eax, dword ptr fs:[00000030h] 4_2_6D840E21
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BFE3F mov eax, dword ptr fs:[00000030h] 4_2_6D8BFE3F
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80A63B mov eax, dword ptr fs:[00000030h] 4_2_6D80A63B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80A63B mov eax, dword ptr fs:[00000030h] 4_2_6D80A63B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833E70 mov eax, dword ptr fs:[00000030h] 4_2_6D833E70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82C182 mov eax, dword ptr fs:[00000030h] 4_2_6D82C182
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8CA189 mov eax, dword ptr fs:[00000030h] 4_2_6D8CA189
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8CA189 mov ecx, dword ptr fs:[00000030h] 4_2_6D8CA189
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83A185 mov eax, dword ptr fs:[00000030h] 4_2_6D83A185
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834190 mov eax, dword ptr fs:[00000030h] 4_2_6D834190
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80519E mov eax, dword ptr fs:[00000030h] 4_2_6D80519E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80519E mov ecx, dword ptr fs:[00000030h] 4_2_6D80519E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8361A0 mov eax, dword ptr fs:[00000030h] 4_2_6D8361A0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8361A0 mov eax, dword ptr fs:[00000030h] 4_2_6D8361A0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C49A4 mov eax, dword ptr fs:[00000030h] 4_2_6D8C49A4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C49A4 mov eax, dword ptr fs:[00000030h] 4_2_6D8C49A4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C49A4 mov eax, dword ptr fs:[00000030h] 4_2_6D8C49A4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C49A4 mov eax, dword ptr fs:[00000030h] 4_2_6D8C49A4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov eax, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov eax, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov eax, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov ecx, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8299BF mov eax, dword ptr fs:[00000030h] 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8031E0 mov eax, dword ptr fs:[00000030h] 4_2_6D8031E0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8941E8 mov eax, dword ptr fs:[00000030h] 4_2_6D8941E8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B1E1 mov eax, dword ptr fs:[00000030h] 4_2_6D80B1E1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B1E1 mov eax, dword ptr fs:[00000030h] 4_2_6D80B1E1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B1E1 mov eax, dword ptr fs:[00000030h] 4_2_6D80B1E1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D89E7 mov eax, dword ptr fs:[00000030h] 4_2_6D8D89E7
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809100 mov eax, dword ptr fs:[00000030h] 4_2_6D809100
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809100 mov eax, dword ptr fs:[00000030h] 4_2_6D809100
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809100 mov eax, dword ptr fs:[00000030h] 4_2_6D809100
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D810100 mov eax, dword ptr fs:[00000030h] 4_2_6D810100
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D810100 mov eax, dword ptr fs:[00000030h] 4_2_6D810100
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D810100 mov eax, dword ptr fs:[00000030h] 4_2_6D810100
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D824120 mov eax, dword ptr fs:[00000030h] 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D824120 mov eax, dword ptr fs:[00000030h] 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D824120 mov eax, dword ptr fs:[00000030h] 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D824120 mov eax, dword ptr fs:[00000030h] 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D824120 mov ecx, dword ptr fs:[00000030h] 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803138 mov ecx, dword ptr fs:[00000030h] 4_2_6D803138
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83513A mov eax, dword ptr fs:[00000030h] 4_2_6D83513A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83513A mov eax, dword ptr fs:[00000030h] 4_2_6D83513A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82B944 mov eax, dword ptr fs:[00000030h] 4_2_6D82B944
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82B944 mov eax, dword ptr fs:[00000030h] 4_2_6D82B944
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80395E mov eax, dword ptr fs:[00000030h] 4_2_6D80395E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80395E mov eax, dword ptr fs:[00000030h] 4_2_6D80395E
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8966 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8966
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B171 mov eax, dword ptr fs:[00000030h] 4_2_6D80B171
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B171 mov eax, dword ptr fs:[00000030h] 4_2_6D80B171
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803880 mov eax, dword ptr fs:[00000030h] 4_2_6D803880
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803880 mov eax, dword ptr fs:[00000030h] 4_2_6D803880
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883884 mov eax, dword ptr fs:[00000030h] 4_2_6D883884
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883884 mov eax, dword ptr fs:[00000030h] 4_2_6D883884
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8490AF mov eax, dword ptr fs:[00000030h] 4_2_6D8490AF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128AE mov eax, dword ptr fs:[00000030h] 4_2_6D8128AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128AE mov eax, dword ptr fs:[00000030h] 4_2_6D8128AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128AE mov eax, dword ptr fs:[00000030h] 4_2_6D8128AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128AE mov ecx, dword ptr fs:[00000030h] 4_2_6D8128AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128AE mov eax, dword ptr fs:[00000030h] 4_2_6D8128AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128AE mov eax, dword ptr fs:[00000030h] 4_2_6D8128AE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80E8B0 mov eax, dword ptr fs:[00000030h] 4_2_6D80E8B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80E8B0 mov eax, dword ptr fs:[00000030h] 4_2_6D80E8B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80E8B0 mov eax, dword ptr fs:[00000030h] 4_2_6D80E8B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80E8B0 mov eax, dword ptr fs:[00000030h] 4_2_6D80E8B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80E8B0 mov eax, dword ptr fs:[00000030h] 4_2_6D80E8B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80E8B0 mov eax, dword ptr fs:[00000030h] 4_2_6D80E8B0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83F0BF mov ecx, dword ptr fs:[00000030h] 4_2_6D83F0BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83F0BF mov eax, dword ptr fs:[00000030h] 4_2_6D83F0BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83F0BF mov eax, dword ptr fs:[00000030h] 4_2_6D83F0BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8070C0 mov eax, dword ptr fs:[00000030h] 4_2_6D8070C0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8070C0 mov eax, dword ptr fs:[00000030h] 4_2_6D8070C0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 mov eax, dword ptr fs:[00000030h] 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 mov eax, dword ptr fs:[00000030h] 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 mov eax, dword ptr fs:[00000030h] 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 mov eax, dword ptr fs:[00000030h] 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89B8D0 mov eax, dword ptr fs:[00000030h] 4_2_6D89B8D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8040E1 mov eax, dword ptr fs:[00000030h] 4_2_6D8040E1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8040E1 mov eax, dword ptr fs:[00000030h] 4_2_6D8040E1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8040E1 mov eax, dword ptr fs:[00000030h] 4_2_6D8040E1
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82B8E4 mov eax, dword ptr fs:[00000030h] 4_2_6D82B8E4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82B8E4 mov eax, dword ptr fs:[00000030h] 4_2_6D82B8E4
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8058EC mov eax, dword ptr fs:[00000030h] 4_2_6D8058EC
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128FD mov eax, dword ptr fs:[00000030h] 4_2_6D8128FD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128FD mov eax, dword ptr fs:[00000030h] 4_2_6D8128FD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8128FD mov eax, dword ptr fs:[00000030h] 4_2_6D8128FD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D818800 mov eax, dword ptr fs:[00000030h] 4_2_6D818800
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8DF019 mov eax, dword ptr fs:[00000030h] 4_2_6D8DF019
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8DF019 mov eax, dword ptr fs:[00000030h] 4_2_6D8DF019
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D4015 mov eax, dword ptr fs:[00000030h] 4_2_6D8D4015
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D4015 mov eax, dword ptr fs:[00000030h] 4_2_6D8D4015
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F018 mov eax, dword ptr fs:[00000030h] 4_2_6D80F018
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F018 mov eax, dword ptr fs:[00000030h] 4_2_6D80F018
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834020 mov edi, dword ptr fs:[00000030h] 4_2_6D834020
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81B02A mov eax, dword ptr fs:[00000030h] 4_2_6D81B02A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81B02A mov eax, dword ptr fs:[00000030h] 4_2_6D81B02A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81B02A mov eax, dword ptr fs:[00000030h] 4_2_6D81B02A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81B02A mov eax, dword ptr fs:[00000030h] 4_2_6D81B02A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A830 mov eax, dword ptr fs:[00000030h] 4_2_6D82A830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A830 mov eax, dword ptr fs:[00000030h] 4_2_6D82A830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A830 mov eax, dword ptr fs:[00000030h] 4_2_6D82A830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A830 mov eax, dword ptr fs:[00000030h] 4_2_6D82A830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805050 mov eax, dword ptr fs:[00000030h] 4_2_6D805050
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805050 mov eax, dword ptr fs:[00000030h] 4_2_6D805050
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805050 mov eax, dword ptr fs:[00000030h] 4_2_6D805050
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D807055 mov eax, dword ptr fs:[00000030h] 4_2_6D807055
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82F86D mov eax, dword ptr fs:[00000030h] 4_2_6D82F86D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C2073 mov eax, dword ptr fs:[00000030h] 4_2_6D8C2073
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8AEB8A mov ecx, dword ptr fs:[00000030h] 4_2_6D8AEB8A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8AEB8A mov eax, dword ptr fs:[00000030h] 4_2_6D8AEB8A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8AEB8A mov eax, dword ptr fs:[00000030h] 4_2_6D8AEB8A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8AEB8A mov eax, dword ptr fs:[00000030h] 4_2_6D8AEB8A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C138A mov eax, dword ptr fs:[00000030h] 4_2_6D8C138A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804B94 mov edi, dword ptr fs:[00000030h] 4_2_6D804B94
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1BA8 mov eax, dword ptr fs:[00000030h] 4_2_6D8C1BA8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834BAD mov eax, dword ptr fs:[00000030h] 4_2_6D834BAD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834BAD mov eax, dword ptr fs:[00000030h] 4_2_6D834BAD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834BAD mov eax, dword ptr fs:[00000030h] 4_2_6D834BAD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D9BBE mov eax, dword ptr fs:[00000030h] 4_2_6D8D9BBE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8BB6 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8BB6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B23E3 mov ecx, dword ptr fs:[00000030h] 4_2_6D8B23E3
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B23E3 mov ecx, dword ptr fs:[00000030h] 4_2_6D8B23E3
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B23E3 mov eax, dword ptr fs:[00000030h] 4_2_6D8B23E3
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D801BE9 mov eax, dword ptr fs:[00000030h] 4_2_6D801BE9
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8023F6 mov eax, dword ptr fs:[00000030h] 4_2_6D8023F6
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A309 mov eax, dword ptr fs:[00000030h] 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C131B mov eax, dword ptr fs:[00000030h] 4_2_6D8C131B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D894320 mov eax, dword ptr fs:[00000030h] 4_2_6D894320
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F340 mov eax, dword ptr fs:[00000030h] 4_2_6D80F340
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80DB40 mov eax, dword ptr fs:[00000030h] 4_2_6D80DB40
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8B58 mov eax, dword ptr fs:[00000030h] 4_2_6D8D8B58
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B5A mov eax, dword ptr fs:[00000030h] 4_2_6D833B5A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B5A mov eax, dword ptr fs:[00000030h] 4_2_6D833B5A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B5A mov eax, dword ptr fs:[00000030h] 4_2_6D833B5A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B5A mov eax, dword ptr fs:[00000030h] 4_2_6D833B5A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B7A mov eax, dword ptr fs:[00000030h] 4_2_6D833B7A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D833B7A mov eax, dword ptr fs:[00000030h] 4_2_6D833B7A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83D294 mov eax, dword ptr fs:[00000030h] 4_2_6D83D294
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83D294 mov eax, dword ptr fs:[00000030h] 4_2_6D83D294
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D801AA0 mov eax, dword ptr fs:[00000030h] 4_2_6D801AA0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D835AA0 mov eax, dword ptr fs:[00000030h] 4_2_6D835AA0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D835AA0 mov eax, dword ptr fs:[00000030h] 4_2_6D835AA0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8052A5 mov eax, dword ptr fs:[00000030h] 4_2_6D8052A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8052A5 mov eax, dword ptr fs:[00000030h] 4_2_6D8052A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8052A5 mov eax, dword ptr fs:[00000030h] 4_2_6D8052A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8052A5 mov eax, dword ptr fs:[00000030h] 4_2_6D8052A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8052A5 mov eax, dword ptr fs:[00000030h] 4_2_6D8052A5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8312BD mov esi, dword ptr fs:[00000030h] 4_2_6D8312BD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8312BD mov eax, dword ptr fs:[00000030h] 4_2_6D8312BD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8312BD mov eax, dword ptr fs:[00000030h] 4_2_6D8312BD
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805AC0 mov eax, dword ptr fs:[00000030h] 4_2_6D805AC0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805AC0 mov eax, dword ptr fs:[00000030h] 4_2_6D805AC0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805AC0 mov eax, dword ptr fs:[00000030h] 4_2_6D805AC0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803ACA mov eax, dword ptr fs:[00000030h] 4_2_6D803ACA
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4AEF mov eax, dword ptr fs:[00000030h] 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D818A0A mov eax, dword ptr fs:[00000030h] 4_2_6D818A0A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805210 mov eax, dword ptr fs:[00000030h] 4_2_6D805210
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805210 mov ecx, dword ptr fs:[00000030h] 4_2_6D805210
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805210 mov eax, dword ptr fs:[00000030h] 4_2_6D805210
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805210 mov eax, dword ptr fs:[00000030h] 4_2_6D805210
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D823A1C mov eax, dword ptr fs:[00000030h] 4_2_6D823A1C
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804A20 mov eax, dword ptr fs:[00000030h] 4_2_6D804A20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804A20 mov eax, dword ptr fs:[00000030h] 4_2_6D804A20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D88EA20 mov eax, dword ptr fs:[00000030h] 4_2_6D88EA20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82A229 mov eax, dword ptr fs:[00000030h] 4_2_6D82A229
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D808239 mov eax, dword ptr fs:[00000030h] 4_2_6D808239
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D808239 mov eax, dword ptr fs:[00000030h] 4_2_6D808239
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D808239 mov eax, dword ptr fs:[00000030h] 4_2_6D808239
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802240 mov ecx, dword ptr fs:[00000030h] 4_2_6D802240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802240 mov eax, dword ptr fs:[00000030h] 4_2_6D802240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809240 mov eax, dword ptr fs:[00000030h] 4_2_6D809240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809240 mov eax, dword ptr fs:[00000030h] 4_2_6D809240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809240 mov eax, dword ptr fs:[00000030h] 4_2_6D809240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D809240 mov eax, dword ptr fs:[00000030h] 4_2_6D809240
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D894248 mov eax, dword ptr fs:[00000030h] 4_2_6D894248
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D894257 mov eax, dword ptr fs:[00000030h] 4_2_6D894257
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BB260 mov eax, dword ptr fs:[00000030h] 4_2_6D8BB260
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BB260 mov eax, dword ptr fs:[00000030h] 4_2_6D8BB260
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84927A mov eax, dword ptr fs:[00000030h] 4_2_6D84927A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FA745 mov eax, dword ptr fs:[00000030h] 14_2_6F4FA745
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52DF4C mov eax, dword ptr fs:[00000030h] 14_2_6F52DF4C
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F522F70 mov eax, dword ptr fs:[00000030h] 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6F60 mov eax, dword ptr fs:[00000030h] 14_2_6F4F6F60
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6F60 mov eax, dword ptr fs:[00000030h] 14_2_6F4F6F60
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51E760 mov eax, dword ptr fs:[00000030h] 14_2_6F51E760
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51E760 mov eax, dword ptr fs:[00000030h] 14_2_6F51E760
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8F6A mov eax, dword ptr fs:[00000030h] 14_2_6F5C8F6A
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524710 mov eax, dword ptr fs:[00000030h] 14_2_6F524710
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51F716 mov eax, dword ptr fs:[00000030h] 14_2_6F51F716
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F58FF10 mov eax, dword ptr fs:[00000030h] 14_2_6F58FF10
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F58FF10 mov eax, dword ptr fs:[00000030h] 14_2_6F58FF10
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F4F2E mov eax, dword ptr fs:[00000030h] 14_2_6F4F4F2E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F4F2E mov eax, dword ptr fs:[00000030h] 14_2_6F4F4F2E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52E730 mov eax, dword ptr fs:[00000030h] 14_2_6F52E730
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51B73D mov eax, dword ptr fs:[00000030h] 14_2_6F51B73D
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51B73D mov eax, dword ptr fs:[00000030h] 14_2_6F51B73D
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6730 mov eax, dword ptr fs:[00000030h] 14_2_6F4F6730
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6730 mov eax, dword ptr fs:[00000030h] 14_2_6F4F6730
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F6730 mov eax, dword ptr fs:[00000030h] 14_2_6F4F6730
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3FC5 mov eax, dword ptr fs:[00000030h] 14_2_6F4F3FC5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3FC5 mov eax, dword ptr fs:[00000030h] 14_2_6F4F3FC5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3FC5 mov eax, dword ptr fs:[00000030h] 14_2_6F4F3FC5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5337F5 mov eax, dword ptr fs:[00000030h] 14_2_6F5337F5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5237EB mov eax, dword ptr fs:[00000030h] 14_2_6F5237EB
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov ecx, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F2FB0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F586652 mov eax, dword ptr fs:[00000030h] 14_2_6F586652
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F523E70 mov eax, dword ptr fs:[00000030h] 14_2_6F523E70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F582E14 mov eax, dword ptr fs:[00000030h] 14_2_6F582E14
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FC600 mov eax, dword ptr fs:[00000030h] 14_2_6F4FC600
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FC600 mov eax, dword ptr fs:[00000030h] 14_2_6F4FC600
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FC600 mov eax, dword ptr fs:[00000030h] 14_2_6F4FC600
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5AFE3F mov eax, dword ptr fs:[00000030h] 14_2_6F5AFE3F
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F530E21 mov eax, dword ptr fs:[00000030h] 14_2_6F530E21
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FA63B mov eax, dword ptr fs:[00000030h] 14_2_6F4FA63B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FA63B mov eax, dword ptr fs:[00000030h] 14_2_6F4FA63B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h] 14_2_6F575623
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8ED6 mov eax, dword ptr fs:[00000030h] 14_2_6F5C8ED6
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5236CC mov eax, dword ptr fs:[00000030h] 14_2_6F5236CC
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5216E0 mov ecx, dword ptr fs:[00000030h] 14_2_6F5216E0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F533EE4 mov eax, dword ptr fs:[00000030h] 14_2_6F533EE4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F533EE4 mov eax, dword ptr fs:[00000030h] 14_2_6F533EE4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F533EE4 mov eax, dword ptr fs:[00000030h] 14_2_6F533EE4
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52DE9E mov eax, dword ptr fs:[00000030h] 14_2_6F52DE9E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52DE9E mov eax, dword ptr fs:[00000030h] 14_2_6F52DE9E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52DE9E mov eax, dword ptr fs:[00000030h] 14_2_6F52DE9E
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3E80 mov eax, dword ptr fs:[00000030h] 14_2_6F4F3E80
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3E80 mov eax, dword ptr fs:[00000030h] 14_2_6F4F3E80
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5746A7 mov eax, dword ptr fs:[00000030h] 14_2_6F5746A7
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F582EA3 mov eax, dword ptr fs:[00000030h] 14_2_6F582EA3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F517D50 mov eax, dword ptr fs:[00000030h] 14_2_6F517D50
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F354C mov eax, dword ptr fs:[00000030h] 14_2_6F4F354C
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F354C mov eax, dword ptr fs:[00000030h] 14_2_6F4F354C
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F533D43 mov eax, dword ptr fs:[00000030h] 14_2_6F533D43
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A3D40 mov eax, dword ptr fs:[00000030h] 14_2_6F5A3D40
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51C577 mov eax, dword ptr fs:[00000030h] 14_2_6F51C577
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F51C577 mov eax, dword ptr fs:[00000030h] 14_2_6F51C577
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B3518 mov eax, dword ptr fs:[00000030h] 14_2_6F5B3518
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B3518 mov eax, dword ptr fs:[00000030h] 14_2_6F5B3518
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5B3518 mov eax, dword ptr fs:[00000030h] 14_2_6F5B3518
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FF51D mov eax, dword ptr fs:[00000030h] 14_2_6F4FF51D
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8D34 mov eax, dword ptr fs:[00000030h] 14_2_6F5C8D34
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524D3B mov eax, dword ptr fs:[00000030h] 14_2_6F524D3B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524D3B mov eax, dword ptr fs:[00000030h] 14_2_6F524D3B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F524D3B mov eax, dword ptr fs:[00000030h] 14_2_6F524D3B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h] 14_2_6F521520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h] 14_2_6F521520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h] 14_2_6F521520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h] 14_2_6F521520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h] 14_2_6F521520
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4FAD30 mov eax, dword ptr fs:[00000030h] 14_2_6F4FAD30
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5AFDD3 mov eax, dword ptr fs:[00000030h] 14_2_6F5AFDD3
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F15C1 mov eax, dword ptr fs:[00000030h] 14_2_6F4F15C1
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5A8DF1 mov eax, dword ptr fs:[00000030h] 14_2_6F5A8DF1
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5295EC mov eax, dword ptr fs:[00000030h] 14_2_6F5295EC
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F95F0 mov eax, dword ptr fs:[00000030h] 14_2_6F4F95F0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F95F0 mov ecx, dword ptr fs:[00000030h] 14_2_6F4F95F0
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h] 14_2_6F5BB581
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h] 14_2_6F5BB581
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h] 14_2_6F5BB581
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h] 14_2_6F5BB581
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F4F3591 mov eax, dword ptr fs:[00000030h] 14_2_6F4F3591
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521DB5 mov eax, dword ptr fs:[00000030h] 14_2_6F521DB5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521DB5 mov eax, dword ptr fs:[00000030h] 14_2_6F521DB5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F521DB5 mov eax, dword ptr fs:[00000030h] 14_2_6F521DB5
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5235A1 mov eax, dword ptr fs:[00000030h] 14_2_6F5235A1
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F5C8450 mov eax, dword ptr fs:[00000030h] 14_2_6F5C8450
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F535C70 mov eax, dword ptr fs:[00000030h] 14_2_6F535C70
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h] 14_2_6F50FC77
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h] 14_2_6F50FC77
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h] 14_2_6F50FC77
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h] 14_2_6F50FC77
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\AppData\Roaming\ahafdus Code function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h] 14_2_6F52AC7B
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_00406C70 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00406C70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_00406110 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00406110

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: ahafdus.6.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: hewilldoit.xyz
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_03390110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_03390110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Thread created: C:\Windows\explorer.exe EIP: 31A18B8
Source: C:\Users\user\AppData\Roaming\ahafdus Thread created: unknown EIP: 4F418B8
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Memory written: C:\Users\user\Desktop\xax2K3BWhm.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\ahafdus Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\ahafdus Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: C:\Users\user\AppData\Roaming\ahafdus Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 4_2_6D83E730
Source: explorer.exe, 00000006.00000000.698013064.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.670486150.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.683863365.0000000005E50000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.670486150.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.670486150.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_004019C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004019C0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8065A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 4_2_6D8065A0
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match File source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.1.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ahafdus.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match File source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.1.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ahafdus.400000.0.unpack, type: UNPACKEDPE