
Windows Analysis Report xax2K3BWhm.exe

Overview

General Information

Sample Name: xax2K3BWhm.exe
Analysis ID: 435322
MD5: e3686e4e0ed04a1fd38bb5060cb2441e
SHA1: 7a6e59e6c01135ab4ec685dc8c6bf7835429c916
SHA256: 1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
Tags: exe

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
DLL reload attack detected
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • xax2K3BWhm.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\xax2K3BWhm.exe' MD5: E3686E4E0ED04A1FD38BB5060CB2441E)
    • xax2K3BWhm.exe (PID: 6136 cmdline: 'C:\Users\user\Desktop\xax2K3BWhm.exe' MD5: E3686E4E0ED04A1FD38BB5060CB2441E)
  • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • ahafdus (PID: 6224 cmdline: C:\Users\user\AppData\Roaming\ahafdus MD5: E3686E4E0ED04A1FD38BB5060CB2441E)
    • ahafdus (PID: 4832 cmdline: C:\Users\user\AppData\Roaming\ahafdus MD5: E3686E4E0ED04A1FD38BB5060CB2441E)
  • cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["https://hewilldoit.xyz/zizi/", "https://hehasdoneit.xyz/zizi/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.1.xax2K3BWhm.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
14.1.ahafdus.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
4.2.xax2K3BWhm.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
14.2.ahafdus.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["https://hewilldoit.xyz/zizi/", "https://hehasdoneit.xyz/zizi/"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ahafdus ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: xax2K3BWhm.exe ReversingLabs: Detection: 44%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ahafdus Joe Sandbox ML: detected
Machine Learning detection for sample
Source: xax2K3BWhm.exe Joe Sandbox ML: detected
Source: xax2K3BWhm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: xax2K3BWhm.exe, 00000004.00000002.716058267.000000006D7E1000.00000020.00020000.sdmp, ahafdus, 0000000E.00000002.788823862.000000006F4D1000.00000020.00020000.sdmp, BCCB.tmp.4.dr
Source: Binary string: wntdll.pdb source: xax2K3BWhm.exe, ahafdus, BCCB.tmp.4.dr
Source: Binary string: C:\faxeka.pdb source: xax2K3BWhm.exe
Source: Binary string: O7C:\faxeka.pdb`KC@+C source: xax2K3BWhm.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://hewilldoit.xyz/zizi/
Source: Malware configuration extractor URLs: https://hehasdoneit.xyz/zizi/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: hewilldoit.xyz
Source: Joe Sandbox View ASN Name: HSAE HSAE
Source: unknown DNS traffic detected: queries for: hewilldoit.xyz
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.670999978.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.1.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 0_2_03390110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_004017F6 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00401801 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_0040180F Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00401813 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_00401820 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_004017CF Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849780 ZwMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849600 ZwOpenKey,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849660 ZwAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84967A NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8499A0 ZwCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8498C0 ZwDuplicateObject,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849820 ZwEnumerateKey,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849860 ZwQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D81DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1582 ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803591 ZwSetInformationFile,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8065A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849DA0 ZwAlpcSendWaitReceivePort,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8495B0 ZwSetInformationThread,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849DB0 ZwAlpcSetInformation,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D804DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8495C0 ZwSetEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82EDC4 ZwCancelWaitCompletionPacket,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8045D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8495D0 ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849DE0 ZwAssociateWaitCompletionPacket,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8095F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BBDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8495F0 ZwQueryInformationFile,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891D0B ZwSetInformationProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AD10 ZwSetCachedSigningLevel,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D831520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849520 ZwWaitForSingleObject,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BFD22 ZwQueryInformationProcess,RtlUniform,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D834D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8D34 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883540 LdrAppxHandleIntegrityFailure,RtlQueryPackageIdentityEx,memset,ZwQueryValueKey,RtlFreeHeap,ZwClose,memset,memset,RtlCaptureContext,RtlReportException,ZwTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891D43 ZwQueryInformationThread,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D830548 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlRbInsertNodeEx,ZwQueryVirtualMemory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891D6A ZwWaitForMultipleObjects,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C6D61 ZwAllocateVirtualMemoryEx,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849D70 ZwAlpcQueryInformation,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A480 ZwInitializeNlsFiles,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C4496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D883C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D840CA1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D4CAB ZwTraceControl,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802CDB RtlFreeHeap,ZwClose,ZwSetEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891CE4 ZwQueryInformationProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C14FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D840413 ZwUnmapViewOfSection,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8C14 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8C1411 ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A420 ZwGetNlsSectionPtr,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82FC39 ZwAssociateWaitCompletionPacket,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891C49 ZwQueryInformationProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849C40 ZwAllocateVirtualMemoryEx,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D805450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89C450 RtlReleasePrivilege,ZwAdjustPrivilegesToken,ZwSetInformationThread,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849C70 ZwAlpcConnectPort,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D845C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8C75 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D891C76 ZwQueryInformationProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8B5F87 ZwUnmapViewOfSection,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D843FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D88A7AC ZwCompareSigningLevels,ZwCompareSigningLevels,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8497A0 ZwUnmapViewOfSection,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80A7B0 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8497C0 ZwTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AFD0 ZwShutdownWorkerFactory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89E7D3 ZwOpenThreadTokenEx,ZwOpenThreadTokenEx,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D890FEC ZwDuplicateObject,ZwDuplicateObject,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8337EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8497F0 ZwOpenThreadTokenEx,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D810FFD RtlInitUnicodeString,ZwQueryValueKey,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849710 ZwQueryInformationToken,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849730 ZwQueryVirtualMemory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BCF30 ZwAlertThreadByThreadId,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849740 ZwOpenThreadToken,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D840F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D88A746 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849750 ZwQueryInformationThread,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AF60 ZwSetTimer2,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D89176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8F6A RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849F70 ZwCreateIoCompletion,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849770 ZwSetInformationFile,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BCF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D803E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BBE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84A690 ZwOpenKeyEx,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802E9F ZwCreateEvent,ZwClose,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849EA0 ZwCompareSigningLevels,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D892EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D3EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8496C0 ZwSetInformationProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D839ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8496D0 ZwCreateKey,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8066D4 RtlInitUnicodeString,ZwQueryValueKey,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D88A6DE ZwRaiseHardError,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D802ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D8ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8496E0 ZwFreeVirtualMemory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8916FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D85DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82E6F9 ZwAlpcSetInformation,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D842E1C RtlInitializeCriticalSectionEx,ZwDelayExecution,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D892E14 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849E20 ZwCancelTimer2,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8D3E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D80B630 ZwWaitForKeyedEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8BFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849E30 ZwCancelWaitCompletionPacket,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84B640 RtlUnhandledExceptionFilter,ZwTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84B650 RtlUnhandledExceptionFilter,ZwTerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849650 ZwQueryValueKey,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D83BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84AE70 ZwSetInformationWorkerFactory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849670 ZwQueryInformationProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D82C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D84B180 ZwWaitForAlertByThreadId,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849980 ZwCreateEvent,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D8CA189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe Code function: 4_2_6D849990 ZwQueryVolumeInformationFile,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84B1A0 ZwWaitForKeyedEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C49A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A9B0 ZwQueryLicenseValue,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8319B8 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwWaitForSingleObject,RtlQueryInformationActiveActivationContext,RtlQueryInformationActivationContext,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8919C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D89E7 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D809100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D810100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849900 ZwOpenEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849910 ZwAdjustPrivilegesToken,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D824120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849920 ZwDuplicateToken,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D89193B ZwRaiseException,ZwTerminateProcess,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A130 ZwCreateWaitCompletionPacket,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8DF13B ZwOpenKey,ZwCreateKey,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84B150 ZwUnsubscribeWnfStateChange,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84B160 ZwUpdateWnfStateData,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A160 ZwCreateWorkerFactory,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8966 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D883971 ZwOpenKeyEx,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D891976 ZwCreateEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D803880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D883884 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84108B ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A890 ZwQueryDebugFilterState,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849890 ZwFsControlFile,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8B60A2 ZwQueryInformationFile,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82F0AE ZwSetInformationWorkerFactory,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84B0B0 ZwTraceControl,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8318B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8070C0 ZwClose,RtlFreeHeap,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8400C2 ZwAlertThreadByThreadId,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8410D7 ZwOpenKey,ZwCreateKey,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A0D0 ZwCreateTimer2,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8498D0 ZwQueryAttributesFile,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D89B8D0 RtlAcquirePrivilege,RtlAllocateHeap,ZwSetInformationThread,RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,RtlAllocateHeap,ZwAdjustPrivilegesToken,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwSetInformationThread,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8180FC RtlEqualUnicodeString,ZwMapViewOfSection,ZwUnmapViewOfSection,LdrQueryImageFileKeyOption,RtlAcquirePrivilege,RtlReleasePrivilege,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8040FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849800 ZwOpenProcessTokenEx,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8DF019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D834020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849830 ZwOpenFile,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849840 ZwDelayExecution,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D805050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8858 ZwAlertThreadByThreadId,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81106F ZwOpenKey,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D891879 ZwAllocateVirtualMemory,memset,RtlInitializeSid,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D802B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A390 ZwGetCachedSigningLevel,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83939F RtlInitializeCriticalSectionEx,ZwDelayExecution,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84A3A0 ZwGetCompleteWnfStateSubscription,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D834BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D9BBE RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D802BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849BF0 ZwAlertThreadByThreadId,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8023F6 ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D804B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849B00 ZwSetValueKey,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D835306 ZwReleaseKeyedEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C131B RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D809335 ZwClose,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D833B48 ZwClose,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8B58 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8B6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84AB60 ZwReleaseKeyedEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D816B6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D887365 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D833B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D898372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D802B7E ZwSetInformationThread,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D822280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84B280 ZwWow64DebuggerCall,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84AA90 ZwQuerySystemInformationEx,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D801AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D835AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8052A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849AB0 ZwWaitForMultipleObjects,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83E2BB ZwWaitForAlertByThreadId,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84AAC0 ZwQueryWnfStateNameInformation,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D891AD6 ZwFreeVirtualMemory,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849AE0 ZwTraceEvent,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84AAE0 ZwRaiseException,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84AAF0 ZwRaiseHardError,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849A00 ZwProtectVirtualMemory,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D805210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D804A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D84AA20 ZwQuerySecurityAttributesToken,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D808239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D809240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D891242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_004017F6 Sleep,NtTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_00401801 Sleep,NtTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_0040180F Sleep,NtTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_00401813 Sleep,NtTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_00401820 Sleep,NtTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_004017CF Sleep,NtTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539780 ZwMapViewOfSection,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F53967A NtQueryInformationProcess,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539660 ZwAllocateVirtualMemory,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539600 ZwOpenKey,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5399A0 ZwCreateSection,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539860 ZwQuerySystemInformation,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539820 ZwEnumerateKey,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5398C0 ZwDuplicateObject,LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539750 ZwQueryInformationThread,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539740 ZwOpenThreadToken,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F530F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539F70 ZwCreateIoCompletion,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539770 ZwSetInformationFile,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5ACF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F6F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F53AF60 ZwSetTimer2,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F58176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C8F6A RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539710 ZwQueryInformationToken,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F586715 memset,memcpy,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F529702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539730 ZwQueryVirtualMemory,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5ACF30 ZwAlertThreadByThreadId,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F53AFD0 ZwShutdownWorkerFactory,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FF7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5397C0 ZwTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F500FFD RtlInitUnicodeString,ZwQueryValueKey,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F580FEC ZwDuplicateObject,ZwDuplicateObject,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5237EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5A5F87 ZwUnmapViewOfSection,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5397A0 ZwUnmapViewOfSection,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F533FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F2FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F53B650 RtlUnhandledExceptionFilter,ZwTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539650 ZwQueryValueKey,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F586652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F53B640 RtlUnhandledExceptionFilter,ZwTerminateProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F53AE70 ZwSetInformationWorkerFactory,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539670 ZwQueryInformationProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F582E14 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FC600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539E30 ZwCancelWaitCompletionPacket,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5AFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F539E20 ZwCancelTimer2,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C3E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FB630 ZwWaitForKeyedEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F529ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5396D0 ZwCreateKey,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C8ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5396C0 ZwSetInformationProcess,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F2ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F66D4 RtlInitUnicodeString,ZwQueryValueKey,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5816FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F54DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F51E6F9 ZwAlpcSetInformation,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5396E0 ZwFreeVirtualMemory,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FB6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5ABE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F3E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F2E9F ZwCreateEvent,ZwClose,
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C3EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F582EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C1D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581D43 ZwQueryInformationThread,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539D70 ZwAlpcQueryInformation,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581D6A ZwWaitForMultipleObjects,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B6D61 ZwAllocateVirtualMemoryEx,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581D0B ZwSetInformationProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8D34 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F524D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F521520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539520 ZwWaitForSingleObject,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5AFD22 ZwQueryInformationProcess,RtlUniform,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5395D0 ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5AFDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F4DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5395C0 ZwSetEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51EDC4 ZwCancelWaitCompletionPacket,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F45D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5ABDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5395F0 ZwQueryInformationFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539DE0 ZwAssociateWaitCompletionPacket,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F95F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F50DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B1582 ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5BB581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F3591 ZwSetInformationFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5395B0 ZwSetInformationThread,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539DB0 ZwAlpcSetInformation,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F65A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539DA0 ZwAlpcSendWaitReceivePort,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581C49 ZwQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539C40 ZwAllocateVirtualMemoryEx,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F5450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539C70 ZwAlpcConnectPort,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F535C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8C75 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581C76 ZwQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F530413 ZwUnmapViewOfSection,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8C14 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B1411 ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51FC39 ZwAssociateWaitCompletionPacket,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A420 ZwGetNlsSectionPtr,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F2CDB RtlFreeHeap,ZwClose,ZwSetEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B14FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4FF4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581CE4 ZwQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F573C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B4496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A480 ZwInitializeNlsFiles,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C9CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C4CAB ZwTraceControl,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8B58 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F523B48 ZwClose,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53AB70 ZwReleaseWorkerFactoryWorker,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F523B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F588372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F2B7E ZwSetInformationThread,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53AB60 ZwReleaseKeyedEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F586365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B131B RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F4B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539B00 ZwSetValueKey,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F525306 ZwReleaseKeyedEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F9335 ZwClose,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F2BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539BF0 ZwAlertThreadByThreadId,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F50A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F23F6 ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52939F RtlInitializeCriticalSectionEx,ZwDelayExecution,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F2B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C9BBE RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A3A0 ZwGetCompleteWnfStateSubscription,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B1BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F524BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F9240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8A62 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539A00 ZwProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F5210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F4A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F8239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8ADD RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581AD6 ZwFreeVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53AAC0 ZwQueryWnfStateNameInformation,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539AE0 ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53AAE0 ZwRaiseException,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53AA90 ZwQuerySystemInformationEx,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F512280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53B280 ZwWow64DebuggerCall,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539AB0 ZwWaitForMultipleObjects,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52E2BB ZwWaitForAlertByThreadId,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F52A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F1AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F525AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53B150 ZwUnsubscribeWnfStateChange,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4FF150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581976 ZwCreateEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53B160 ZwUpdateWnfStateData,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A160 ZwCreateWorkerFactory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8966 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4FB171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F9100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F500100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539900 ZwOpenEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F58193B ZwRaiseException,ZwTerminateProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A130 ZwCreateWaitCompletionPacket,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5CF13B ZwOpenKey,ZwCreateKey,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F514120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539920 ZwDuplicateToken,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5819C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C89E7 RtlGetCurrentServiceSessionId,ZwTraceEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539990 ZwQueryVolumeInformationFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5BA189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539980 ZwCreateEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53B180 ZwWaitForAlertByThreadId,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A6186 ZwQueryValueKey,memmove,RtlInitUnicodeString,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A9B0 ZwQueryLicenseValue,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5751BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53B1A0 ZwWaitForKeyedEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B49A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C8858 ZwAlertThreadByThreadId,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539840 ZwDelayExecution,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F5050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F581879 ZwAllocateVirtualMemory,memset,RtlInitializeSid,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F50106F ZwOpenKey,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5CF019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4FF018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539830 ZwOpenFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F524020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A0D0 ZwCreateTimer2,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5398D0 ZwQueryAttributesFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5310D7 ZwOpenKey,ZwCreateKey,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F70C0 ZwClose,RtlFreeHeap,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5300C2 ZwAlertThreadByThreadId,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F40FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A60E9 ZwOpenKey,ZwClose,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4FB8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53A890 ZwQueryDebugFilterState,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F539890 ZwFsControlFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F3880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52A080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53108B ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F53B0B0 ZwTraceControl,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5218B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A60A2 ZwQueryInformationFile,
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51F0AE ZwSetInformationWorkerFactory,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_004024A8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8335D0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D800D20
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8C4496
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8C67E2
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D832F70
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D826E30
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8299BF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D824120
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D81B090
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8C1002
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D82A830
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D838840
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8AEB8A
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D83EBB0
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D83ABD8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8B23E3
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D858BE8
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D82A309
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D82AB40
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8D32A9
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8CE2C5
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8C4AEF
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: 4_2_6D8BFA2B
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_004024A8
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F522F70
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B67E2
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F516E30
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C2EF7
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C1D55
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F0D20
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5235D0
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B4496
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51AB40
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51A309
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52ABD8
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5A23E3
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F548BE8
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F59EB8A
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F52EBB0
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5AFA2B
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5BE2C5
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B4AEF
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5C32A9
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F514120
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5199BF
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F528840
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F4F6800
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F5B1002
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F51A830
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: 14_2_6F50B090
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: String function: 6D85D08C appears 32 times
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: String function: 6D895720 appears 41 times
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Code function: String function: 6D80B150 appears 122 times
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: String function: 6F585720 appears 41 times
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: String function: 6F4FB150 appears 128 times
Source: C:\Users\user\AppData\Roaming\ahafdus; Code function: String function: 6F54D08C appears 38 times
Source: BCCB.tmp.4.dr; Static PE information: No import functions for PE file found
Source: BCCB.tmp.14.dr; Static PE information: No import functions for PE file found
Source: xax2K3BWhm.exe, 00000004.00000002.716338273.000000006D8FF000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs xax2K3BWhm.exe
Source: C:\Windows\explorer.exe; Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe; Section loaded: webio.dll
Source: C:\Windows\explorer.exe; Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe; Section loaded: winnsi.dll
Source: xax2K3BWhm.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BCCB.tmp.4.dr; Binary string: \Device\IPT
Source: classification engine; Classification label: mal100.troj.evad.winEXE@6/4@1/2
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; File created: C:\Users\user\AppData\Local\Temp\BCCB.tmp
Source: xax2K3BWhm.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xax2K3BWhm.exe; ReversingLabs: Detection: 44%
Source: unknown; Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\AppData\Roaming\ahafdus; Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\Desktop\xax2K3BWhm.exe; Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: C:\Users\user\AppData\Roaming\ahafdus; Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: xax2K3BWhm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp
                  Source: Binary string: wntdll.pdbUGP source: xax2K3BWhm.exe, 00000004.00000002.716058267.000000006D7E1000.00000020.00020000.sdmp, ahafdus, 0000000E.00000002.788823862.000000006F4D1000.00000020.00020000.sdmp, BCCB.tmp.4.dr
                  Source: Binary string: wntdll.pdb source: xax2K3BWhm.exe, ahafdus, BCCB.tmp.4.dr
                  Source: Binary string: C:\faxeka.pdb source: xax2K3BWhm.exe
                  Source: Binary string: O7C:\faxeka.pdb`KC@+C source: xax2K3BWhm.exe
                  Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.683350760.0000000005A00000.00000002.00000001.sdmp
                  Source: xax2K3BWhm.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: xax2K3BWhm.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: xax2K3BWhm.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: xax2K3BWhm.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: xax2K3BWhm.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation:

                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeUnpacked PE file: 4.2.xax2K3BWhm.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Roaming\ahafdusUnpacked PE file: 14.2.ahafdus.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
                  Source: BCCB.tmp.4.drStatic PE information: 0xC8733C73 [Sun Jul 26 13:21:55 2076 UTC]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 0_2_0040A020 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                  Source: BCCB.tmp.4.drStatic PE information: section name: RT
                  Source: BCCB.tmp.4.drStatic PE information: section name: .mrdata
                  Source: BCCB.tmp.4.drStatic PE information: section name: .00cfg
                  Source: BCCB.tmp.14.drStatic PE information: section name: RT
                  Source: BCCB.tmp.14.drStatic PE information: section name: .mrdata
                  Source: BCCB.tmp.14.drStatic PE information: section name: .00cfg
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_004024A8 push FFFFFF99h; retf F1D6h
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D85D0D1 push ecx; ret
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_1_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_004024A8 push FFFFFF99h; retf F1D6h
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F54D0D1 push ecx; ret
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_1_00402E04 push 04EC83E1h; mov dword ptr [esp], 00000030h
                  Source: initial sampleStatic PE information: section name: .text entropy: 6.88203005979
                  Source: initial sampleStatic PE information: section name: .text entropy: 6.85305507137
                  Source: initial sampleStatic PE information: section name: .text entropy: 6.88203005979
                  Source: initial sampleStatic PE information: section name: .text entropy: 6.85305507137
                  Source: C:\Users\user\AppData\Roaming\ahafdusFile created: C:\Users\user\AppData\Local\Temp\BCCB.tmp
                  Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\ahafdus

                  Hooking and other Techniques for Hiding and Protection:

                  DLL reload attack detected
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeModule Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\BCCB.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
                  Source: C:\Users\user\AppData\Roaming\ahafdusModule Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\BCCB.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
                  Deletes itself after installation
                  Source: C:\Windows\explorer.exeFile deleted: c:\users\user\desktop\xax2k3bwhm.exe
                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Windows\explorer.exeFile opened: C:\Users\user\AppData\Roaming\ahafdus:Zone.Identifier read attributes | delete

                  Malware Analysis System Evasion:

                  Checks if the current machine is a virtual machine (disk enumeration)
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\ahafdusKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\ahafdusKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\ahafdusKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\ahafdusKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\ahafdusKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\ahafdusKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Renames NTDLL to bypass HIPS
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeFile opened: C:\Windows\SysWOW64\ntdll.dll
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeFile opened: C:\Windows\SysWOW64\ntdll.dll
                  Source: C:\Users\user\AppData\Roaming\ahafdusFile opened: C:\Windows\SysWOW64\ntdll.dll
                  Source: C:\Users\user\AppData\Roaming\ahafdusFile opened: C:\Windows\SysWOW64\ntdll.dll
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: ahafdus, 0000000E.00000002.788446105.00000000004DB000.00000004.00000020.sdmpBinary or memory string: ASWHOOK
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D836B90 rdtsc
                  Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 676
                  Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 368
                  Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 412
                  Source: C:\Windows\explorer.exe TID: 6500Thread sleep count: 676 > 30
                  Source: C:\Windows\explorer.exe TID: 768Thread sleep count: 347 > 30
                  Source: C:\Windows\explorer.exe TID: 768Thread sleep time: -34700s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 6508Thread sleep count: 368 > 30
                  Source: C:\Windows\explorer.exe TID: 6508Thread sleep time: -36800s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 5684Thread sleep count: 412 > 30
                  Source: C:\Windows\explorer.exe TID: 5696Thread sleep count: 241 > 30
                  Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: explorer.exe, 00000006.00000000.687406902.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000006.00000000.683895687.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000006.00000000.687406902.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAa
                  Source: explorer.exe, 00000006.00000000.709055237.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                  Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                  Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                  Source: explorer.exe, 00000006.00000000.692687947.000000000FD29000.00000004.00000001.sdmpBinary or memory string: f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000006.00000000.683071003.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeSystem information queried: ModuleInformation
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeProcess information queried: ProcessInformation

                  Anti Debugging:

                  Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeSystem information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Roaming\ahafdusSystem information queried: CodeIntegrityInformation
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\ahafdusProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D836B90 rdtsc
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D849780 ZwMapViewOfSection,LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 0_2_00406C70 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 0_2_0040A020 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 0_2_03390042 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D803591 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8335A1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8015C1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8095F0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8095F0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8B8DF1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80F51D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D831520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80AD30 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D834D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D834D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D834D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D843D43 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D883540 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8B3D40 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80354C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80354C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D827D50 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D801480 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C4496 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80649B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80649B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D804CB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D802CDB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8CD6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C14FB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC01 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8C1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8C14 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83BC2C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D804439 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D89C450 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D89C450 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82746D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D845C70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D81FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8C75 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D803FC5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D803FC5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D803FC5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8337EB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8437F5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D834710 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82F716 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D89FF10 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D89FF10 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D804F2E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D804F2E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83E730 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82B73D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82B73D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D80A745 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D83DF4C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82E760 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D82E760 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D8D8F6A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xax2K3BWhm.exeCode function: 4_2_6D832F70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F2FB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F586652 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F523E70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F582E14 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FC600 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FC600 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FC600 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5AFE3F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F530E21 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FA63B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FA63B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F575623 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C8ED6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5236CC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5216E0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F533EE4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F533EE4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F533EE4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52DE9E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52DE9E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52DE9E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F3E80 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F3E80 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5746A7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F582EA3 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F517D50 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F354C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F354C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F533D43 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5A3D40 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F51C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F51C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5B3518 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5B3518 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5B3518 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FF51D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C8D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F524D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F524D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F524D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4FAD30 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5AFDD3 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F15C1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5A8DF1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5295EC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F95F0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F95F0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5BB581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F4F3591 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F521DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5235A1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F5C8450 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F535C70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F50FC77 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ahafdusCode function: 14_2_6F52AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Code function: 0_2_00406C70 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Code function: 0_2_00406110 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe  File created: ahafdus.6.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe  Domain query: hewilldoit.xyz
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Code function: 0_2_03390110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Thread created: C:\Windows\explorer.exe EIP: 31A18B8
Source: C:\Users\user\AppData\Roaming\ahafdus  Thread created: unknown EIP: 4F418B8
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Memory written: C:\Users\user\Desktop\xax2K3BWhm.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\ahafdus  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\ahafdus  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Process created: C:\Users\user\Desktop\xax2K3BWhm.exe 'C:\Users\user\Desktop\xax2K3BWhm.exe'
Source: C:\Users\user\AppData\Roaming\ahafdus  Process created: C:\Users\user\AppData\Roaming\ahafdus C:\Users\user\AppData\Roaming\ahafdus
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Code function: 4_2_6D83E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,
Source: explorer.exe, 00000006.00000000.698013064.0000000000AD8000.00000004.00000020.sdmp  Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.670486150.0000000001080000.00000002.00000001.sdmp  Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.683863365.0000000005E50000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.670486150.0000000001080000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.670486150.0000000001080000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.687556430.000000000A716000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Code function: 0_2_004019C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\xax2K3BWhm.exe  Code function: 4_2_6D8065A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion,
Source: C:\Windows\explorer.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match  File source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 4.1.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.1.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 4.2.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.ahafdus.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match  File source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 4.1.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.1.ahafdus.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 4.2.xax2K3BWhm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.ahafdus.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | DLL Side-Loading (11) | Process Injection (512) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (11) | Virtualization/Sandbox Evasion (12) | LSASS Memory | Security Software Discovery (431) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (512) | Security Account Manager | Virtualization/Sandbox Evasion (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (12) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (3) | Cached Domain Credentials | System Information Discovery (5) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (11) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading (11) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

                  Behavior Graph

Behavior Graph ID: 435322, Sample: xax2K3BWhm.exe, Start date: 16/06/2021, Architecture: WINDOWS, Score: 100

• Start: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected SmokeLoader; 3 other signatures. Started processes: ahafdus, xax2K3BWhm.exe, explorer.exe
• ahafdus: Multi AV Scanner detection for dropped file; DLL reload attack detected; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file. Started process: ahafdus
• xax2K3BWhm.exe: Contains functionality to inject code into remote processes; Injects a PE file into a foreign process. Started process: xax2K3BWhm.exe
• explorer.exe: DNS/IP: hewilldoit.xyz 185.45.192.246, 443, 49757 HSAE United Arab Emirates; 192.168.2.1 unknown unknown. Dropped files: C:\Users\user\AppData\Roaming\ahafdus (PE32); C:\Users\user\...\ahafdus:Zone.Identifier (ASCII). Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Performs DNS queries to domains with low reputation; 2 other signatures
• ahafdus (child process): Dropped file: C:\Users\user\AppData\Local\Temp\BCCB.tmp (PE32). Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Renames NTDLL to bypass HIPS; Maps a DLL or memory area into another process
• xax2K3BWhm.exe (child process): Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
xax2K3BWhm.exe | 45% | ReversingLabs | Win32.Trojan.Pwsx
xax2K3BWhm.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ahafdus | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\BCCB.tmp | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\BCCB.tmp | 2% | ReversingLabs | -
C:\Users\user\AppData\Roaming\ahafdus | 45% | ReversingLabs | Win32.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
4.1.xax2K3BWhm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.1.ahafdus.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.xax2K3BWhm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.2.ahafdus.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://hewilldoit.xyz/zizi/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
https://hehasdoneit.xyz/zizi/ | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hewilldoit.xyz | 185.45.192.246 | true | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://hewilldoit.xyz/zizi/ | true | Avira URL Cloud: safe | unknown
https://hehasdoneit.xyz/zizi/ | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Source for every row except the one marked otherwise: explorer.exe, 00000006.00000000.689116925.000000000B976000.00000002.00000001.sdmp. None of these strings is attributed to the sample (Malicious: false for all of them); they are font-vendor and license URLs from font metadata resident in explorer.exe memory, and trailing characters such as "G", "N", "D" or "DPlease" are the bytes that happened to follow each string in memory, not part of the URL.

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | (none) | high
http://www.fontbureau.com | false | (none) | high
http://www.fontbureau.com/designersG | false | (none) | high
http://www.fontbureau.com/designers/? | false | (none) | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | (none) | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | (none) | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | (none) | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | false | (none) | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | (none) | high
http://www.%s.comPA (source: explorer.exe, 00000006.00000000.670999978.0000000002B50000.00000002.00000001.sdmp) | false | URL Reputation: safe | low
http://www.fonts.com | false | (none) | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

                                        Contacted IPs

                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.45.192.246 | hewilldoit.xyz | United Arab Emirates | 60117 | HSAE | true

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version:32.0.0 Black Diamond
                                        Analysis ID:435322
                                        Start date:16.06.2021
                                        Start time:12:16:42
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 9m 41s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:xax2K3BWhm.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@6/4@1/2
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 15.2% (good quality ratio 13.2%)
                                        • Quality average: 51.7%
                                        • Quality standard deviation: 29.2%
                                        HCA Information:Failed
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe
                                        Warnings:
                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.49.157.6, 52.113.196.254, 13.64.90.137, 13.107.3.254, 13.107.253.254, 52.147.198.201, 23.211.6.115, 205.185.216.10, 205.185.216.42, 20.54.7.98, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62
                                        • Excluded domains from analysis (whitelisted): s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, dual-a-0001.dc-msedge.net, t-9999.fb-t-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, s-9999.s-msedge.net, store-images.s-microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/435322/sample/xax2K3BWhm.exe

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
12:18:19 | Task Scheduler | Run new task: Firefox Default Browser Agent 52341AE72BE32359 path: C:\Users\user\AppData\Roaming\ahafdus

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

Match: hewilldoit.xyz

Associated Sample Name / URL | Detection | Context
DEBIT NOTE.xlsx | malicious | 194.169.160.179

                                        ASN

Match: HSAE

Associated Sample Name / URL | Detection | Context
Cancellation_480942562_06082021.xlsm | malicious | 185.45.192.236
Cancellation_480942562_06082021.xlsm | malicious | 185.45.192.236
QB4b8Pxj7J.exe | malicious | 185.198.57.121
T0DwfJpncn.exe | malicious | 185.198.57.121
69d80bd2a76850dc24f4a91c82ef60f998afc28644394.exe | malicious | 185.198.57.121
Document_06022021_228219382_Copy.xlsm | malicious | 185.183.98.25
Document_06022021_228219382_Copy.xlsm | malicious | 185.183.98.25
Document_06022021_1157730537_Copy.xlsm | malicious | 185.183.98.25
Document_06022021_1157730537_Copy.xlsm | malicious | 185.183.98.25
Overdue_Debt_1535591908_06012021.xlsm | malicious | 185.141.27.144
Overdue_Debt_1535591908_06012021.xlsm | malicious | 185.141.27.144
21305177357_05272021.xlsm | malicious | 185.117.73.134
21305177357_05272021.xlsm | malicious | 185.117.73.134
21881755902_05272021.xlsm | malicious | 185.117.73.134
21881755902_05272021.xlsm | malicious | 185.117.73.134
Decline_1491125237_05262021.xlsm | malicious | 185.183.96.223
Decline_1491125237_05262021.xlsm | malicious | 185.183.96.223
cc859408_by_Libranalysis.xlsx | malicious | 185.198.57.83
cc859408_by_Libranalysis.xlsx | malicious | 185.198.57.83
ZLiyQKv0K4.exe | malicious | 185.183.98.2

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

Match: C:\Users\user\AppData\Local\Temp\BCCB.tmp

Associated Sample Name / URL | Detection | Context
Ed2zaPhzUD.exe | malicious | (none)
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe | malicious | (none)
OcLtW2CNjy.exe | malicious | (none)
pub2.exe | malicious | (none)
42sB3Upj67.exe | malicious | (none)
RE6WxoVS7v.exe | malicious | (none)
VvaBHdJoGY.exe | malicious | (none)
051y0i7M8q.exe | malicious | (none)
RdtoOe8Lzj.exe | malicious | (none)
MwcrHqpRj7.exe | malicious | (none)
jo3GzZMQBG.exe | malicious | (none)
main_setup_x86x64.exe | malicious | (none)
w4X8dxtGi6.exe | malicious | (none)
BrBsL8sBvm.exe | malicious | (none)
bL6FwQU4K5.exe | malicious | (none)
3JDjILxXaA.exe | malicious | (none)
o8RYFTZsuU.exe | malicious | (none)
MrjC4jkPL8.exe | malicious | (none)
qi3xLxAlDv.exe | malicious | (none)
Yl6482CO6U.exe | malicious | (none)

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\Local\Temp\BCCB.tmp
                                                                                Process:C:\Users\user\AppData\Roaming\ahafdus
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1622408
                                                                                Entropy (8bit):6.298350783524153
                                                                                Encrypted:false
                                                                                SSDEEP:24576:hNZ04UyDzGrVh8xsPCw3/dzcldJndozS35IW1q/kNVSYVEs4j13HLHGJImdV4q:dGrVr3hclvnqzS35IWk/LvRHb0
                                                                                MD5:BFA689ECA05147AFD466359DD4A144A3
                                                                                SHA1:B3474BE2B836567420F8DC96512AA303F31C8AFC
                                                                                SHA-256:B78463B94388FDDB34C03F5DDDD5D542E05CDED6D4E38C6A3588EC2C90F0070B
                                                                                SHA-512:8F09781FD585A6DFB8BBC34B9F153B414478B44B28D80A8B0BDC3BED687F3ADAB9E60F08CCEC5D5A3FD916E3091C845F9D96603749490B1F7001430408F711D4
                                                                                Malicious:false
                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Joe Sandbox View:
• Filename: Ed2zaPhzUD.exe, Detection: malicious
• Filename: ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe, Detection: malicious
• Filename: OcLtW2CNjy.exe, Detection: malicious
• Filename: pub2.exe, Detection: malicious
• Filename: 42sB3Upj67.exe, Detection: malicious
• Filename: RE6WxoVS7v.exe, Detection: malicious
• Filename: VvaBHdJoGY.exe, Detection: malicious
• Filename: 051y0i7M8q.exe, Detection: malicious
• Filename: RdtoOe8Lzj.exe, Detection: malicious
• Filename: MwcrHqpRj7.exe, Detection: malicious
• Filename: jo3GzZMQBG.exe, Detection: malicious
• Filename: main_setup_x86x64.exe, Detection: malicious
• Filename: w4X8dxtGi6.exe, Detection: malicious
• Filename: BrBsL8sBvm.exe, Detection: malicious
• Filename: bL6FwQU4K5.exe, Detection: malicious
• Filename: 3JDjILxXaA.exe, Detection: malicious
• Filename: o8RYFTZsuU.exe, Detection: malicious
• Filename: MrjC4jkPL8.exe, Detection: malicious
• Filename: qi3xLxAlDv.exe, Detection: malicious
• Filename: Yl6482CO6U.exe, Detection: malicious
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L!y>.@.m.@.m.@.m...l.@.mg$.l.@.mg$.lN@.mg$.l.A.mg$.l.@.mg$.l.@.mg$.m.@.mg$.l.@.mRich.@.m........................PE..L...s<s............!.....,...................P....(K......................................@A.............................&..............8............h...Y.......N..`l..T............................................................................text....).......*.................. ..`RT...........@...................... ..`.data...dW...P.......0..............@....mrdata.h#.......$...>..............@....00cfg...............b..............@..@.rsrc...8............d..............@..@.reloc...N.......P..................@..B........................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Roaming\ahafdus
                                                                                Process:C:\Windows\explorer.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):297984
                                                                                Entropy (8bit):5.6203884195953275
                                                                                Encrypted:false
                                                                                SSDEEP:3072:sZCIbJFbQUyeB5cq3Dey3GLtXWxQokuWaPrKrQ1xZB0YWi8y94rMtQiSrX3:sZCYGUyeB57iy3MloRrtxhjtQiSrX3
                                                                                MD5:E3686E4E0ED04A1FD38BB5060CB2441E
                                                                                SHA1:7A6E59E6C01135AB4EC685DC8C6BF7835429C916
                                                                                SHA-256:1D1DBABC1C905C7153847C6BB5B88905942D414C4DBF39E3784DC9A62E1120DB
                                                                                SHA-512:F3D6360449FE4DD742B653EBB7F6E7756D8E1145C9D96564917D23A01CC0F3DC6288B551BCD7727562E20213EC7433820933DD4F3F45B5FF7E7FECE0A8DC4C6B
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 45%
                                                                                Reputation:low
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m......m......m.......m.....m..l...m......m......m......m.Rich..m.................PE..L......^............................ .............@..........................`..............................................t2..P........'...................0......................................h*..@...............@............................text............................... ..`.rdata.............................@..@.data...<....@.......&..............@....rsrc....'.......(...B..............@..@.reloc... ...0..."...j..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Roaming\ahafdus:Zone.Identifier
                                                                                Process:C:\Windows\explorer.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Reputation:high, very likely benign file
                                                                                Preview: [ZoneTransfer]....ZoneId=0
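Three facts in the dropped-file entries above are worth checking mechanically rather than by eye: the ahafdus drop carries the same MD5, SHA-1 and SHA-256 as the submitted sample (it is a byte-identical self-copy, and the Task Scheduler entry in the Simulations section runs exactly that path), its Zone.Identifier stream reads ZoneId=0 (the Local Machine zone, so SmartScreen and Office Protected View, which key off ZoneId 3, treat the file as never downloaded), and the PE header time stamp shown under Static PE Info decodes to 23 Dec 2019, long before the analysis date. The Python below is an added example written for this page, not Joe Sandbox code or anything shipped with the sample. The hashes, stream text and time stamp are copied from the report; the CR/LF placement inside the 26-byte stream is reconstructed from the preview (the dots there are control bytes); the zone-ID table is the standard Windows URL security zone numbering.

```python
"""Triage checks over the dropped-file facts of a sandbox report.

Added example: the helper functions are this page's own scaffolding.
Only the constants under "values copied from the report" come from
the report itself.
"""
from datetime import datetime, timezone

# Windows URL security zone IDs as written to the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse a Zone.Identifier alternate data stream (INI-style text).

    Returns the key/value pairs of the [ZoneTransfer] section with
    ZoneId coerced to int. Raises ValueError if no ZoneTransfer block
    with a ZoneId is present, so a missing or foreign stream is not
    silently treated as "zone 0".
    """
    text = raw.decode("utf-8", errors="replace")
    section = None
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("not a ZoneTransfer stream")
    fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def motw_stripped(fields: dict) -> bool:
    """True when the stream does not mark the file as Internet (3) or
    Restricted Sites (4), i.e. Mark-of-the-Web protections will not
    trigger even though the file was just written by a foreign process."""
    return fields["ZoneId"] < 3


def pe_timestamp(stamp: int) -> datetime:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix
    epoch) into an aware UTC datetime."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def self_copies(sample_sha256: str, dropped: dict) -> list:
    """Return the dropped-file paths whose SHA-256 equals the sample's.
    A byte-identical drop is a self-copy kept for persistence, not a
    second-stage payload, and needs no separate reverse engineering."""
    want = sample_sha256.lower()
    return [path for path, digest in dropped.items() if digest.lower() == want]


# ---- values copied from the report ------------------------------------
SAMPLE_SHA256 = "1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db"
DROPPED = {
    r"C:\Users\user\AppData\Local\Temp\BCCB.tmp":
        "b78463b94388fddb34c03f5dddd5d542e05cded6d4e38c6a3588ec2c90f0070b",
    r"C:\Users\user\AppData\Roaming\ahafdus":
        "1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db",
}
# Stream content as previewed in the report; the dots in the preview are
# control bytes, reconstructed here as CR/LF (26 bytes, as reported).
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"
PE_TIME_STAMP = 0x5E00D3AA
TASK_PATH = r"C:\Users\user\AppData\Roaming\ahafdus"   # from the Simulations table


def triage() -> dict:
    """Run the checks and return the findings as plain data."""
    zone = parse_zone_identifier(ZONE_STREAM)
    copies = self_copies(SAMPLE_SHA256, DROPPED)
    return {
        "zone": ZONE_NAMES.get(zone["ZoneId"], "unknown"),
        "motw_stripped": motw_stripped(zone),
        "link_time": pe_timestamp(PE_TIME_STAMP).isoformat(),
        "self_copies": copies,
        "task_runs_self_copy": TASK_PATH in copies,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Running the script against the report's values reports zone Local Machine with Mark-of-the-Web stripped, a link time of 2019-12-23T14:48:10+00:00, and ahafdus as the one self-copy, which is the path the scheduled task runs. BCCB.tmp is left as the only drop that still needs its own look: it is a different binary (a 1.6 MB DLL with near-zero AV detection) that the Joe Sandbox View section above ties to twenty other malicious samples.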

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.6203884195953275
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: xax2K3BWhm.exe
File size: 297984 bytes
MD5: e3686e4e0ed04a1fd38bb5060cb2441e
SHA1: 7a6e59e6c01135ab4ec685dc8c6bf7835429c916
SHA256: 1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
SHA512: f3d6360449fe4dd742b653ebb7f6e7756d8e1145c9d96564917d23a01cc0f3dc6288b551bcd7727562e20213ec7433820933dd4f3f45b5ff7e7fece0a8dc4c6b
SSDEEP: 3072:sZCIbJFbQUyeB5cq3Dey3GLtXWxQokuWaPrKrQ1xZB0YWi8y94rMtQiSrX3:sZCYGUyeB57iy3MloRrtxhjtQiSrX3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............m...m...m.......m.......m.......m.......m...l...m.......m.......m.......m.Rich..m.................PE..L......^...........

File Icon

Icon Hash: aedaae9ee6a6aaa4

Static PE Info

General

Entrypoint: 0x401020
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5E00D3AA [Mon Dec 23 14:48:10 2019 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2ab857f73c9912dee0698f559b75c172

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FC5C0D4E54Bh
call 00007FC5C0D4DBC6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 00432C40h
push 004057B0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00434064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0042A160h]
cmp dword ptr [0321EF38h], 00000000h
jne 00007FC5C0D4DBC0h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [0042A15Ch]
call 00007FC5C0D4DD43h
mov dword ptr [ebp-6Ch], eax
call 00007FC5C0D5227Bh
test eax, eax
jne 00007FC5C0D4DBBCh
push 0000001Ch
call 00007FC5C0D4DD00h
add esp, 04h
call 00007FC5C0D51BD8h
test eax, eax
jne 00007FC5C0D4DBBCh
push 00000010h
call 00007FC5C0D4DCEDh
add esp, 04h
push 00000001h
call 00007FC5C0D51B23h
add esp, 04h
call 00007FC5C0D4F8FBh
mov dword ptr [ebp-04h], 00000000h
call 00007FC5C0D4F4DFh
test eax, eax

Rich Headers

Programming Language:
• [LNK] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [RES] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33274 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e20000 | 0x27b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e23000 | 0x1ae0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a290 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32a68 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x240 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x281ab | 0x28200 | False | 0.58144713785 | data | 6.88203005979 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2a000 | 0x9fe8 | 0xa000 | False | 0.321801757812 | data | 4.72565628461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x34000 | 0x2debf3c | 0x1c00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x2e20000 | 0x27b0 | 0x2800 | False | 0.765234375 | data | 6.4583593165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e23000 | 0x12090 | 0x12200 | False | 0.0806438577586 | data | 1.03261740787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2e200f0 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | Oriya | India
RT_GROUP_ICON | 0x2e22698 | 0x14 | data | Oriya | India
RT_VERSION | 0x2e226b0 | 0x100 | data | Manipuri | India

Imports

DLL | Import
KERNEL32.dll | WriteConsoleInputW, CopyFileExW, TlsGetValue, SetLocalTime, GetDriveTypeW, GetNumberOfConsoleInputEvents, FindResourceExW, MapUserPhysicalPages, InterlockedIncrement, GetQueuedCompletionStatus, GetCommState, InterlockedDecrement, ScrollConsoleScreenBufferW, QueryDosDeviceA, WaitForSingleObject, OpenSemaphoreA, CallNamedPipeW, GetModuleHandleW, GetPrivateProfileStringW, GetConsoleTitleA, FindActCtxSectionStringA, WriteFileGather, CreateDirectoryExW, GetVolumeInformationA, Sleep, GetSystemTimeAdjustment, GlobalFlags, Beep, SetMessageWaitingIndicator, WritePrivateProfileSectionW, IsDBCSLeadByte, ReadFile, CreateFileW, GetBinaryTypeW, GetACP, lstrlenW, VerifyVersionInfoW, CreateDirectoryA, GetStdHandle, OpenMutexW, GetCurrentDirectoryW, FindFirstFileW, GetComputerNameExW, SetVolumeLabelW, WriteProfileSectionA, ReadFileEx, SetComputerNameA, CreateMemoryResourceNotification, GetPrivateProfileStringA, SetFileApisToOEM, GetAtomNameA, Process32FirstW, OpenWaitableTimerW, LocalAlloc, IsSystemResumeAutomatic, SetConsoleOutputCP, AddAtomW, SetCurrentDirectoryW, GetCommMask, SetCommMask, GetPrivateProfileStructA, EnumResourceTypesW, SetConsoleCursorInfo, GetThreadPriority, SetConsoleTitleW, GetModuleHandleA, FreeEnvironmentStringsW, EnumResourceNamesA, BuildCommDCBA, CompareStringA, SetCalendarInfoA, GetVersionExA, GetWindowsDirectoryW, GetCurrentProcessId, InterlockedPushEntrySList, GetProfileSectionW, ResumeThread, LCMapStringW, CloseHandle, SetStdHandle, GetConsoleMode, GetConsoleCP, GetProcAddress, GetFileSize, GetCommandLineW, HeapSetInformation, GetStartupInfoW, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetSystemTimeAsFileTime, DecodePointer, ExitProcess, GetModuleFileNameW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, HeapValidate, IsBadReadPtr, EncodePointer, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetLastError, HeapCreate, WriteFile, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, LeaveCriticalSection, LoadLibraryW, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, GetStringTypeW, MultiByteToWideChar, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, WideCharToMultiByte, IsProcessorFeaturePresent, RaiseException, SetFilePointer, FlushFileBuffers
USER32.dll | GetCursorInfo, GetMessageTime, GetMenuBarInfo
ADVAPI32.dll | InitiateSystemShutdownA

Version Infos

Description | Data
Translations | 0x37a5 0x013c

Possible Origin

Language of compilation system | Country where language is spoken
Oriya | India

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Jun 16, 2021 12:17:31.114398003 CEST5299153192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:31.170665026 CEST53529918.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:31.914294004 CEST5370053192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:31.970268011 CEST53537008.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:33.093816996 CEST5172653192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:33.144041061 CEST53517268.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:33.893985987 CEST5679453192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:33.947418928 CEST53567948.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:35.765221119 CEST5653453192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:35.816741943 CEST53565348.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:36.541754961 CEST5662753192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:36.592400074 CEST53566278.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:37.660267115 CEST5662153192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:37.724587917 CEST53566218.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:38.818027973 CEST6311653192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:38.868201017 CEST53631168.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:39.919960976 CEST6407853192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:39.979248047 CEST53640788.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:41.417524099 CEST6480153192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:41.473579884 CEST53648018.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:42.519942999 CEST6172153192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:42.578669071 CEST53617218.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:44.798849106 CEST5125553192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:44.848982096 CEST53512558.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:45.694266081 CEST6152253192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:45.747250080 CEST53615228.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:17:54.076277971 CEST5233753192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:17:54.143223047 CEST53523378.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:14.895262957 CEST5504653192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:14.949043989 CEST53550468.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:15.437140942 CEST4961253192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:15.641125917 CEST53496128.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:16.332027912 CEST4928553192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:16.471373081 CEST53492858.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:16.529882908 CEST5060153192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:16.605071068 CEST53506018.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:17.120949984 CEST6087553192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:17.183058023 CEST53608758.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:17.690159082 CEST5644853192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:17.751863003 CEST53564488.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:18.392752886 CEST5917253192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:18.460015059 CEST53591728.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:18.631515026 CEST6242053192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:18.697432995 CEST53624208.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:19.038244009 CEST6057953192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:19.097935915 CEST53605798.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:19.798082113 CEST5018353192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:19.857009888 CEST53501838.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:20.976922035 CEST6153153192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:21.041924000 CEST53615318.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:21.965338945 CEST4922853192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:22.025727987 CEST53492288.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:22.585755110 CEST5979453192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:22.644242048 CEST53597948.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:18:32.161355972 CEST5591653192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:18:32.222836018 CEST53559168.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:19:06.238332033 CEST5275253192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:19:06.305054903 CEST53527528.8.8.8192.168.2.4
                                                                                Jun 16, 2021 12:19:12.065867901 CEST6054253192.168.2.48.8.8.8
                                                                                Jun 16, 2021 12:19:12.141135931 CEST53605428.8.8.8192.168.2.4

                                                                                DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
Jun 16, 2021 12:18:18.631515026 CEST  192.168.2.4  8.8.8.8  0xb72     Standard query (0)  hewilldoit.xyz  A (IP address)  IN (0x0001)

                                                                                DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name            CName   Address         Type            Class
Jun 16, 2021 12:18:18.697432995 CEST  8.8.8.8    192.168.2.4  0xb72     No error (0)  hewilldoit.xyz  (none)  185.45.192.246  A (IP address)  IN (0x0001)
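The DNS answer above resolves hewilldoit.xyz to 185.45.192.246, and the TCP table lists the connections to that address on port 443 roughly half a minute later. The script below is an added example for this page, not code from the Joe Sandbox report or its tooling. It links the two tables the way an analyst would when turning a report into indicators: each flow is attributed to the latest preceding DNS answer for its destination, the contacted domain is summarised with ports, flow count, first/last seen and the resolve-to-connect delay, and flows that no answer explains (hard-coded or previously cached destinations) are listed separately. The records are constructed from the visible rows; the flow to 203.0.113.10 is made up to show the unexplained case.

```python
"""Correlate a sandbox DNS answer with the TCP flows that follow it.

Added example for this page; it is not part of the Joe Sandbox report or its
tooling. The records below are constructed from rows visible in the report's
DNS Answers and TCP tables (timestamps, ports and addresses as listed); the
flow to 203.0.113.10 is constructed to show a destination no answer explains.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FMT = "%b %d, %Y %H:%M:%S.%f"


def parse_ts(s: str) -> datetime:
    """Parse the report's 'Jun 16, 2021 12:18:18.697432995 CEST' format.

    The report prints nine fractional digits and a zone name; strptime's %f
    accepts at most six, so the fraction is truncated to microseconds and the
    zone is dropped (every row in the report is in the same zone).
    """
    stamp, _zone = s.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", TS_FMT)


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    name: str
    address: str


@dataclass(frozen=True)
class TcpFlow:
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed from the report's DNS Answers row and the last two TCP rows.
DNS_ANSWERS = [
    DnsAnswer(parse_ts("Jun 16, 2021 12:18:18.697432995 CEST"),
              "hewilldoit.xyz", "185.45.192.246"),
]
TCP_FLOWS = [
    TcpFlow(parse_ts("Jun 16, 2021 12:18:51.161906004 CEST"),
            "192.168.2.4", 49757, "185.45.192.246", 443),
    TcpFlow(parse_ts("Jun 16, 2021 12:19:22.628106117 CEST"),
            "192.168.2.4", 49757, "185.45.192.246", 443),
    # Constructed flow to a destination the sandbox never resolved.
    TcpFlow(parse_ts("Jun 16, 2021 12:17:30.000000000 CEST"),
            "192.168.2.4", 49700, "203.0.113.10", 80),
]


def correlate(answers, flows, window=timedelta(minutes=10)):
    """Attribute each flow to the latest DNS answer for its destination.

    Only answers observed before the flow and no more than `window` earlier
    are used, so an address from an unrelated earlier lookup is not credited
    to a domain. Returns ({domain: summary}, [flows no answer explains]).
    """
    by_addr: dict[str, list[DnsAnswer]] = {}
    for a in answers:
        by_addr.setdefault(a.address, []).append(a)

    summary: dict[str, dict] = {}
    unexplained: list[TcpFlow] = []
    for f in sorted(flows, key=lambda x: x.ts):
        cands = [a for a in by_addr.get(f.dst_ip, ())
                 if a.ts <= f.ts <= a.ts + window]
        if not cands:
            unexplained.append(f)
            continue
        a = max(cands, key=lambda x: x.ts)
        s = summary.setdefault(a.name, {
            "address": a.address, "ports": set(), "flows": 0,
            "first_seen": f.ts, "last_seen": f.ts,
            "resolve_to_connect": f.ts - a.ts,
        })
        s["ports"].add(f.dst_port)
        s["flows"] += 1
        s["first_seen"] = min(s["first_seen"], f.ts)
        s["last_seen"] = max(s["last_seen"], f.ts)
        s["resolve_to_connect"] = min(s["resolve_to_connect"], f.ts - a.ts)
    return summary, unexplained


def iocs(summary):
    """Render the summary as one grep-friendly indicator line per domain."""
    lines = []
    for name, s in sorted(summary.items()):
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        lines.append(f"domain={name} ip={s['address']} ports={ports} "
                     f"flows={s['flows']} first={s['first_seen'].time()} "
                     f"last={s['last_seen'].time()} "
                     f"resolve_to_connect={s['resolve_to_connect'].total_seconds():.3f}s")
    return lines


if __name__ == "__main__":
    found, unexplained = correlate(DNS_ANSWERS, TCP_FLOWS)
    print("\n".join(iocs(found)))
    for f in unexplained:
        print(f"no DNS answer for {f.dst_ip}:{f.dst_port} at {f.ts.time()}")
```

The window matters in practice: a sandbox run is short, but on a real host the resolver cache means the connection can follow the lookup by hours, so widen it (or fall back to the most recent answer regardless of age) before treating an unexplained flow as a hard-coded C2 address.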

Behavior

                                                                                System Behavior

                                                                                General

                                                                                Start time:12:17:26
                                                                                Start date:16/06/2021
                                                                                Path:C:\Users\user\Desktop\xax2K3BWhm.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\xax2K3BWhm.exe'
                                                                                Imagebase:0x400000
                                                                                File size:297984 bytes
                                                                                MD5 hash:E3686E4E0ED04A1FD38BB5060CB2441E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low

                                                                                General

                                                                                Start time:12:17:34
                                                                                Start date:16/06/2021
                                                                                Path:C:\Users\user\Desktop\xax2K3BWhm.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\xax2K3BWhm.exe'
                                                                                Imagebase:0x400000
                                                                                File size:297984 bytes
                                                                                MD5 hash:E3686E4E0ED04A1FD38BB5060CB2441E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.715843467.0000000000580000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.715911224.0000000001F61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                General

                                                                                Start time:12:17:41
                                                                                Start date:16/06/2021
                                                                                Path:C:\Windows\explorer.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                Imagebase:0x7ff6fee60000
                                                                                File size:3933184 bytes
                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:12:18:19
                                                                                Start date:16/06/2021
                                                                                Path:C:\Users\user\AppData\Roaming\ahafdus
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\ahafdus
                                                                                Imagebase:0x400000
                                                                                File size:297984 bytes
                                                                                MD5 hash:E3686E4E0ED04A1FD38BB5060CB2441E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 45%, ReversingLabs
                                                                                Reputation:low

                                                                                General

                                                                                Start time:12:18:27
                                                                                Start date:16/06/2021
                                                                                Path:C:\Users\user\AppData\Roaming\ahafdus
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\ahafdus
                                                                                Imagebase:0x400000
                                                                                File size:297984 bytes
                                                                                MD5 hash:E3686E4E0ED04A1FD38BB5060CB2441E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.788412687.00000000004A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.788476185.0000000000521000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Reputation:low
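The process list above shows the pattern in five records: the sample runs twice from the Desktop, explorer.exe appears in the chain, and a file with the same MD5 but no extension runs twice from C:\Users\user\AppData\Roaming\ahafdus, with the SmokeLoader Yara rule matching the second instance of each image. The script below is an added example for this page, not part of the Joe Sandbox report or its signature set; it encodes those observations as simple rules over process records so they can be reused against endpoint telemetry. The records are constructed from the 'General' blocks above, and the rule names are the editor's.

```python
"""Flag the self-copy persistence pattern visible in the report's process list.

Added example for this page, not part of the Joe Sandbox report or its
signature set. The process records are constructed from the 'General' blocks
in the report (start time, image path, MD5, Wow64 flag, Yara rule names);
the rules and their names are the editor's.
"""
import ntpath
from dataclasses import dataclass

SAMPLE_MD5 = "E3686E4E0ED04A1FD38BB5060CB2441E"
SMOKELOADER_RULE = "JoeSecurity_SmokeLoader_2"


@dataclass(frozen=True)
class Proc:
    start: str
    path: str
    md5: str
    wow64: bool
    yara: tuple = ()


# Constructed from the five process blocks in the report.
PROCS = [
    Proc("12:17:26", r"C:\Users\user\Desktop\xax2K3BWhm.exe", SAMPLE_MD5, True),
    Proc("12:17:34", r"C:\Users\user\Desktop\xax2K3BWhm.exe", SAMPLE_MD5, True,
         (SMOKELOADER_RULE,)),
    Proc("12:17:41", r"C:\Windows\explorer.exe",
         "AD5296B280E8F522A8A897C96BAB0E1D", False),
    Proc("12:18:19", r"C:\Users\user\AppData\Roaming\ahafdus", SAMPLE_MD5, True),
    Proc("12:18:27", r"C:\Users\user\AppData\Roaming\ahafdus", SAMPLE_MD5, True,
         (SMOKELOADER_RULE,)),
]


def findings(procs, sample_md5=SAMPLE_MD5):
    """Return (rule, start, path) triples in process order.

    self_copy:        the sample's hash running from a path other than the one
                      it was first launched from (the dropped copy in Roaming).
    no_extension:     an image under AppData\\Roaming with no file extension.
    relaunch:         the same image started again; in this report the second
                      instance of each image is the one with Yara hits.
    yara_smokeloader: the process memory matched the SmokeLoader rule.
    """
    out = []
    first_path = None
    launched = set()
    for p in procs:
        path = p.path.lower()
        if p.md5.upper() == sample_md5.upper():
            if first_path is None:
                first_path = path
            elif path != first_path and path not in launched:
                out.append(("self_copy", p.start, p.path))
        if ("\\appdata\\roaming\\" in path and not ntpath.splitext(path)[1]
                and path not in launched):
            out.append(("no_extension", p.start, p.path))
        if path in launched:
            out.append(("relaunch", p.start, p.path))
        if SMOKELOADER_RULE in p.yara:
            out.append(("yara_smokeloader", p.start, p.path))
        launched.add(path)
    return out


def host_iocs(procs, sample_md5=SAMPLE_MD5):
    """Paths worth checking on other hosts: every image carrying the sample hash."""
    return sorted({p.path for p in procs if p.md5.upper() == sample_md5.upper()})


if __name__ == "__main__":
    for rule, start, path in findings(PROCS):
        print(f"{start}  {rule:<17} {path}")
    print("check for:", ", ".join(host_iocs(PROCS)))
```

explorer.exe produces no finding here on purpose: nothing in a process record alone shows that it was injected into, which is why the report's signature section, not the process list, carries that conclusion. A telemetry source with thread-creation or memory-write events between processes is needed to write that rule.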
