Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.9138.5973

Overview

General Information

Sample Name:SecuriteInfo.com.__vbaHresultCheckObj.9138.5973 (renamed file extension from 5973 to exe)
Analysis ID:430702
MD5:6aa873ee68b60704e3d00f5c885a90f7
SHA1:c1a1601ce429cf7cb2d4c255325bf408fe69b1d5
SHA256:32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.__vbaHresultCheckObj.9138.exe (PID: 5452 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
    • SecuriteInfo.com.__vbaHresultCheckObj.9138.exe (PID: 768 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
      • wscript.exe (PID: 5524 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 4696 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • win.exe (PID: 4976 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 6AA873EE68B60704E3D00F5C885A90F7)
            • win.exe (PID: 4580 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 6AA873EE68B60704E3D00F5C885A90F7)
  • win.exe (PID: 5864 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
    • win.exe (PID: 5160 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
  • win.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
    • win.exe (PID: 5280 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000011.00000002.481658634.00000000020A0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000010.00000002.540773096.0000000002B40000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000014.00000000.436722263.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        00000015.00000002.544208632.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          0000000F.00000002.481233554.00000000021F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Click to see the 6 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: WScript or CScript DropperShow sources
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, ParentProcessId: 768, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , ProcessId: 5524

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000011.00000002.481658634.00000000020A0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin"}
            Multi AV Scanner detection for domain / URLShow sources
            Source: gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euVirustotal: Detection: 10%Perma Link
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\win.exeReversingLabs: Detection: 12%
            Multi AV Scanner detection for submitted fileShow sources
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeVirustotal: Detection: 31%Perma Link
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeReversingLabs: Detection: 12%
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin
            Source: global trafficTCP traffic: 192.168.2.5:49719 -> 188.72.110.19:2177
            Source: Joe Sandbox ViewASN Name: TRABIAMD TRABIAMD
            Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: unknownDNS traffic detected: queries for: ztechinternational.com
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350385300.0000000000560000.00000040.00000001.sdmp, win.exe, 00000015.00000002.544208632.0000000000560000.00000040.00000001.sdmp, win.exe, 00000016.00000002.581406039.0000000000560000.00000040.00000001.sdmpString found in binary or memory: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpString found in binary or memory: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binH
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpString found in binary or memory: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binz

            System Summary:

            barindex
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9AFE NtMapViewOfSection,0_2_020A9AFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8 NtWriteVirtualMemory,TerminateProcess,0_2_020A0BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A86C3 NtWriteVirtualMemory,0_2_020A86C3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0703 EnumWindows,NtWriteVirtualMemory,0_2_020A0703
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F4C NtAllocateVirtualMemory,0_2_020A5F4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A95F4 NtProtectVirtualMemory,0_2_020A95F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5224 NtWriteVirtualMemory,0_2_020A5224
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A52C4 NtWriteVirtualMemory,0_2_020A52C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4AE1 NtWriteVirtualMemory,0_2_020A4AE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5310 NtWriteVirtualMemory,0_2_020A5310
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B14 NtMapViewOfSection,0_2_020A9B14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B30 NtMapViewOfSection,0_2_020A9B30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B58 NtMapViewOfSection,0_2_020A9B58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4B5F NtWriteVirtualMemory,0_2_020A4B5F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B54 NtMapViewOfSection,0_2_020A9B54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B76 NtMapViewOfSection,0_2_020A9B76
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A538C NtWriteVirtualMemory,0_2_020A538C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BB0 NtMapViewOfSection,0_2_020A9BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4BB4 NtWriteVirtualMemory,0_2_020A4BB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A53E8 NtWriteVirtualMemory,0_2_020A53E8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BE0 NtMapViewOfSection,0_2_020A9BE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5003 NtWriteVirtualMemory,0_2_020A5003
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A601C NtAllocateVirtualMemory,0_2_020A601C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4834 NtWriteVirtualMemory,0_2_020A4834
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6074 NtAllocateVirtualMemory,0_2_020A6074
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A508A NtWriteVirtualMemory,0_2_020A508A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4880 NtWriteVirtualMemory,0_2_020A4880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A50C0 NtWriteVirtualMemory,0_2_020A50C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A60F4 NtAllocateVirtualMemory,0_2_020A60F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4907 NtWriteVirtualMemory,0_2_020A4907
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5110 NtWriteVirtualMemory,0_2_020A5110
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6138 NtAllocateVirtualMemory,0_2_020A6138
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5168 NtWriteVirtualMemory,0_2_020A5168
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4970 NtWriteVirtualMemory,0_2_020A4970
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A51B0 NtWriteVirtualMemory,0_2_020A51B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49FC NtWriteVirtualMemory,0_2_020A49FC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E38 NtWriteVirtualMemory,0_2_020A4E38
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A463C NtWriteVirtualMemory,0_2_020A463C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9E6C NtMapViewOfSection,0_2_020A9E6C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E78 NtWriteVirtualMemory,0_2_020A4E78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4698 NtWriteVirtualMemory,0_2_020A4698
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4EA7 NtWriteVirtualMemory,0_2_020A4EA7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4ED0 NtWriteVirtualMemory,0_2_020A4ED0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A46E0 NtWriteVirtualMemory,0_2_020A46E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F2C NtWriteVirtualMemory,0_2_020A4F2C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8726 NtWriteVirtualMemory,0_2_020A8726
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A473C NtWriteVirtualMemory,0_2_020A473C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F55 NtWriteVirtualMemory,0_2_020A4F55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F79 NtWriteVirtualMemory,0_2_020A4F79
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F80 NtAllocateVirtualMemory,0_2_020A5F80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4FAC NtWriteVirtualMemory,0_2_020A4FAC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A47DA NtWriteVirtualMemory,0_2_020A47DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C08 NtMapViewOfSection,0_2_020A9C08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C18 NtMapViewOfSection,0_2_020A9C18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4C44 NtWriteVirtualMemory,0_2_020A4C44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C50 NtMapViewOfSection,0_2_020A9C50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C6C NtMapViewOfSection,0_2_020A9C6C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1C7E NtWriteVirtualMemory,0_2_020A1C7E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C88 NtMapViewOfSection,0_2_020A9C88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C98 NtMapViewOfSection,0_2_020A9C98
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4CA4 NtWriteVirtualMemory,0_2_020A4CA4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CB4 NtMapViewOfSection,0_2_020A9CB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CDC NtMapViewOfSection,0_2_020A9CDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A44FF NtWriteVirtualMemory,0_2_020A44FF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CFC NtMapViewOfSection,0_2_020A9CFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5510 NtWriteVirtualMemory,0_2_020A5510
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9D20 NtMapViewOfSection,0_2_020A9D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4D36 NtWriteVirtualMemory,0_2_020A4D36
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4554 NtWriteVirtualMemory,0_2_020A4554
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4D90 NtWriteVirtualMemory,0_2_020A4D90
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A95AF NtProtectVirtualMemory,0_2_020A95AF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DBB NtWriteVirtualMemory,0_2_020A8DBB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9DBC NtMapViewOfSection,0_2_020A9DBC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4DD4 NtWriteVirtualMemory,0_2_020A4DD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A45F2 NtWriteVirtualMemory,0_2_020A45F2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569AFE NtQueryInformationProcess,7_2_00569AFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560BF8 NtProtectVirtualMemory,7_2_00560BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005695F4 NtProtectVirtualMemory,7_2_005695F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565F4C NtAllocateVirtualMemory,7_2_00565F4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566074 NtAllocateVirtualMemory,7_2_00566074
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056601C NtAllocateVirtualMemory,7_2_0056601C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005660F4 NtAllocateVirtualMemory,7_2_005660F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566138 NtAllocateVirtualMemory,7_2_00566138
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B54 NtQueryInformationProcess,7_2_00569B54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B58 NtQueryInformationProcess,7_2_00569B58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B76 NtQueryInformationProcess,7_2_00569B76
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B14 NtQueryInformationProcess,7_2_00569B14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B30 NtQueryInformationProcess,7_2_00569B30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569BE0 NtQueryInformationProcess,7_2_00569BE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569BB0 NtQueryInformationProcess,7_2_00569BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C50 NtQueryInformationProcess,7_2_00569C50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C6C NtQueryInformationProcess,7_2_00569C6C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C18 NtQueryInformationProcess,7_2_00569C18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C08 NtQueryInformationProcess,7_2_00569C08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CDC NtQueryInformationProcess,7_2_00569CDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CFC NtQueryInformationProcess,7_2_00569CFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C98 NtQueryInformationProcess,7_2_00569C98
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C88 NtQueryInformationProcess,7_2_00569C88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CB4 NtQueryInformationProcess,7_2_00569CB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569D20 NtQueryInformationProcess,7_2_00569D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056158E NtProtectVirtualMemory,7_2_0056158E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005615BC NtProtectVirtualMemory,7_2_005615BC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569DBC NtQueryInformationProcess,7_2_00569DBC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005695AF NtProtectVirtualMemory,7_2_005695AF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561670 NtProtectVirtualMemory,7_2_00561670
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569E6C NtQueryInformationProcess,7_2_00569E6C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561604 NtProtectVirtualMemory,7_2_00561604
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565F80 NtAllocateVirtualMemory,7_2_00565F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9AFE NtResumeThread,15_2_021F9AFE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0BF8 NtWriteVirtualMemory,TerminateProcess,15_2_021F0BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F86C3 NtWriteVirtualMemory,15_2_021F86C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0703 EnumWindows,NtWriteVirtualMemory,15_2_021F0703
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5F4C NtAllocateVirtualMemory,15_2_021F5F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F95F4 NtProtectVirtualMemory,15_2_021F95F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5224 NtWriteVirtualMemory,15_2_021F5224
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F52C4 NtWriteVirtualMemory,15_2_021F52C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4AE1 NtWriteVirtualMemory,15_2_021F4AE1
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B14 NtResumeThread,15_2_021F9B14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5310 NtWriteVirtualMemory,15_2_021F5310
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B30 NtResumeThread,15_2_021F9B30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4B5F NtWriteVirtualMemory,15_2_021F4B5F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B58 NtResumeThread,15_2_021F9B58
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B54 NtResumeThread,15_2_021F9B54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B76 NtResumeThread,15_2_021F9B76
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F538C NtWriteVirtualMemory,15_2_021F538C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4BB4 NtWriteVirtualMemory,15_2_021F4BB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9BB0 NtResumeThread,15_2_021F9BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F53E8 NtWriteVirtualMemory,15_2_021F53E8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9BE0 NtResumeThread,15_2_021F9BE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F601C NtAllocateVirtualMemory,15_2_021F601C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5003 NtWriteVirtualMemory,15_2_021F5003
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4834 NtWriteVirtualMemory,15_2_021F4834
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6074 NtAllocateVirtualMemory,15_2_021F6074
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F508A NtWriteVirtualMemory,15_2_021F508A
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4880 NtWriteVirtualMemory,15_2_021F4880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F50C0 NtWriteVirtualMemory,15_2_021F50C0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F60F4 NtAllocateVirtualMemory,15_2_021F60F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5110 NtWriteVirtualMemory,15_2_021F5110
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4907 NtWriteVirtualMemory,15_2_021F4907
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6138 NtAllocateVirtualMemory,15_2_021F6138
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4970 NtWriteVirtualMemory,15_2_021F4970
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5168 NtWriteVirtualMemory,15_2_021F5168
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F51B0 NtWriteVirtualMemory,15_2_021F51B0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F49FC NtWriteVirtualMemory,15_2_021F49FC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F463C NtWriteVirtualMemory,15_2_021F463C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4E38 NtWriteVirtualMemory,15_2_021F4E38
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4E78 NtWriteVirtualMemory,15_2_021F4E78
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9E6C NtResumeThread,15_2_021F9E6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4698 NtWriteVirtualMemory,15_2_021F4698
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4EA7 NtWriteVirtualMemory,15_2_021F4EA7
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4ED0 NtWriteVirtualMemory,15_2_021F4ED0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F46E0 NtWriteVirtualMemory,15_2_021F46E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F473C NtWriteVirtualMemory,15_2_021F473C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F2C NtWriteVirtualMemory,15_2_021F4F2C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8726 NtWriteVirtualMemory,15_2_021F8726
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F55 NtWriteVirtualMemory,15_2_021F4F55
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F79 NtWriteVirtualMemory,15_2_021F4F79
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5F80 NtAllocateVirtualMemory,15_2_021F5F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4FAC NtWriteVirtualMemory,15_2_021F4FAC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F47DA NtWriteVirtualMemory,15_2_021F47DA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C18 NtResumeThread,15_2_021F9C18
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C08 NtResumeThread,15_2_021F9C08
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C50 NtResumeThread,15_2_021F9C50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4C44 NtWriteVirtualMemory,15_2_021F4C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1C7E NtWriteVirtualMemory,15_2_021F1C7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C6C NtResumeThread,15_2_021F9C6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C98 NtResumeThread,15_2_021F9C98
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C88 NtResumeThread,15_2_021F9C88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CB4 NtResumeThread,15_2_021F9CB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4CA4 NtWriteVirtualMemory,15_2_021F4CA4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CDC NtResumeThread,15_2_021F9CDC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F44FF NtWriteVirtualMemory,15_2_021F44FF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CFC NtResumeThread,15_2_021F9CFC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5510 NtWriteVirtualMemory,15_2_021F5510
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4D36 NtWriteVirtualMemory,15_2_021F4D36
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9D20 NtResumeThread,15_2_021F9D20
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4554 NtWriteVirtualMemory,15_2_021F4554
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4D90 NtWriteVirtualMemory,15_2_021F4D90
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9DBC NtResumeThread,15_2_021F9DBC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DBB NtWriteVirtualMemory,15_2_021F8DBB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F95AF NtProtectVirtualMemory,15_2_021F95AF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4DD4 NtWriteVirtualMemory,15_2_021F4DD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F45F2 NtWriteVirtualMemory,15_2_021F45F2
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49AFE NtSetInformationThread,16_2_02B49AFE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40BF8 NtWriteVirtualMemory,TerminateProcess,16_2_02B40BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B486C3 NtWriteVirtualMemory,16_2_02B486C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40703 EnumWindows,NtWriteVirtualMemory,16_2_02B40703
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45F4C NtAllocateVirtualMemory,16_2_02B45F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B495F4 NtProtectVirtualMemory,16_2_02B495F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44AE1 NtWriteVirtualMemory,16_2_02B44AE1
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B452C4 NtWriteVirtualMemory,16_2_02B452C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45224 NtWriteVirtualMemory,16_2_02B45224
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44BB4 NtWriteVirtualMemory,16_2_02B44BB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49BB0 NtSetInformationThread,16_2_02B49BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4538C NtWriteVirtualMemory,16_2_02B4538C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49BE0 NtSetInformationThread,16_2_02B49BE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B453E8 NtWriteVirtualMemory,16_2_02B453E8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B30 NtSetInformationThread,16_2_02B49B30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B14 NtSetInformationThread,16_2_02B49B14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45310 NtWriteVirtualMemory,16_2_02B45310
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B76 NtSetInformationThread,16_2_02B49B76
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B54 NtSetInformationThread,16_2_02B49B54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44B5F NtWriteVirtualMemory,16_2_02B44B5F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B58 NtSetInformationThread,16_2_02B49B58
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44880 NtWriteVirtualMemory,16_2_02B44880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4508A NtWriteVirtualMemory,16_2_02B4508A
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B460F4 NtAllocateVirtualMemory,16_2_02B460F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B450C0 NtWriteVirtualMemory,16_2_02B450C0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44834 NtWriteVirtualMemory,16_2_02B44834
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4601C NtAllocateVirtualMemory,16_2_02B4601C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45003 NtWriteVirtualMemory,16_2_02B45003
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B46074 NtAllocateVirtualMemory,16_2_02B46074
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B451B0 NtWriteVirtualMemory,16_2_02B451B0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B449FC NtWriteVirtualMemory,16_2_02B449FC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B46138 NtAllocateVirtualMemory,16_2_02B46138
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45110 NtWriteVirtualMemory,16_2_02B45110
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44907 NtWriteVirtualMemory,16_2_02B44907
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44970 NtWriteVirtualMemory,16_2_02B44970
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45168 NtWriteVirtualMemory,16_2_02B45168
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44EA7 NtWriteVirtualMemory,16_2_02B44EA7
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44698 NtWriteVirtualMemory,16_2_02B44698
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B446E0 NtWriteVirtualMemory,16_2_02B446E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44ED0 NtWriteVirtualMemory,16_2_02B44ED0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4463C NtWriteVirtualMemory,16_2_02B4463C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44E38 NtWriteVirtualMemory,16_2_02B44E38
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44E78 NtWriteVirtualMemory,16_2_02B44E78
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49E6C NtSetInformationThread,16_2_02B49E6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44FAC NtWriteVirtualMemory,16_2_02B44FAC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45F80 NtAllocateVirtualMemory,16_2_02B45F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B447DA NtWriteVirtualMemory,16_2_02B447DA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4473C NtWriteVirtualMemory,16_2_02B4473C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48726 NtWriteVirtualMemory,16_2_02B48726
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44F2C NtWriteVirtualMemory,16_2_02B44F2C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44F79 NtWriteVirtualMemory,16_2_02B44F79
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44F55 NtWriteVirtualMemory,16_2_02B44F55
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49CB4 NtSetInformationThread,16_2_02B49CB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44CA4 NtWriteVirtualMemory,16_2_02B44CA4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C98 NtSetInformationThread,16_2_02B49C98
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C88 NtSetInformationThread,16_2_02B49C88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49CFC NtSetInformationThread,16_2_02B49CFC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B444FF NtWriteVirtualMemory,16_2_02B444FF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49CDC NtSetInformationThread,16_2_02B49CDC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C18 NtSetInformationThread,16_2_02B49C18
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C08 NtSetInformationThread,16_2_02B49C08
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41C7E NtWriteVirtualMemory,16_2_02B41C7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C6C NtSetInformationThread,16_2_02B49C6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C50 NtSetInformationThread,16_2_02B49C50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44C44 NtWriteVirtualMemory,16_2_02B44C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49DBC NtSetInformationThread,16_2_02B49DBC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48DBB NtWriteVirtualMemory,16_2_02B48DBB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B495AF NtProtectVirtualMemory,16_2_02B495AF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44D90 NtWriteVirtualMemory,16_2_02B44D90
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B445F2 NtWriteVirtualMemory,16_2_02B445F2
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44DD4 NtWriteVirtualMemory,16_2_02B44DD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44D36 NtWriteVirtualMemory,16_2_02B44D36
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49D20 NtSetInformationThread,16_2_02B49D20
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45510 NtWriteVirtualMemory,16_2_02B45510
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44554 NtWriteVirtualMemory,16_2_02B44554
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9AFE NtSetInformationThread,17_2_020A9AFE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0BF8 NtWriteVirtualMemory,TerminateProcess,17_2_020A0BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A86C3 NtWriteVirtualMemory,17_2_020A86C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0703 EnumWindows,NtWriteVirtualMemory,17_2_020A0703
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5F4C NtAllocateVirtualMemory,17_2_020A5F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A95F4 NtProtectVirtualMemory,17_2_020A95F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5224 NtWriteVirtualMemory,17_2_020A5224
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A52C4 NtWriteVirtualMemory,17_2_020A52C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4AE1 NtWriteVirtualMemory,17_2_020A4AE1
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5310 NtWriteVirtualMemory,17_2_020A5310
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B14 NtSetInformationThread,17_2_020A9B14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B30 NtSetInformationThread,17_2_020A9B30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B58 NtSetInformationThread,17_2_020A9B58
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4B5F NtWriteVirtualMemory,17_2_020A4B5F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B54 NtSetInformationThread,17_2_020A9B54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B76 NtSetInformationThread,17_2_020A9B76
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A538C NtWriteVirtualMemory,17_2_020A538C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9BB0 NtSetInformationThread,17_2_020A9BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4BB4 NtWriteVirtualMemory,17_2_020A4BB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A53E8 NtWriteVirtualMemory,17_2_020A53E8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9BE0 NtSetInformationThread,17_2_020A9BE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5003 NtWriteVirtualMemory,17_2_020A5003
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A601C NtAllocateVirtualMemory,17_2_020A601C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4834 NtWriteVirtualMemory,17_2_020A4834
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A6074 NtAllocateVirtualMemory,17_2_020A6074
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A508A NtWriteVirtualMemory,17_2_020A508A
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4880 NtWriteVirtualMemory,17_2_020A4880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A50C0 NtWriteVirtualMemory,17_2_020A50C0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A60F4 NtAllocateVirtualMemory,17_2_020A60F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4907 NtWriteVirtualMemory,17_2_020A4907
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5110 NtWriteVirtualMemory,17_2_020A5110
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A6138 NtAllocateVirtualMemory,17_2_020A6138
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5168 NtWriteVirtualMemory,17_2_020A5168
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4970 NtWriteVirtualMemory,17_2_020A4970
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A51B0 NtWriteVirtualMemory,17_2_020A51B0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A49FC NtWriteVirtualMemory,17_2_020A49FC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4E38 NtWriteVirtualMemory,17_2_020A4E38
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A463C NtWriteVirtualMemory,17_2_020A463C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9E6C NtSetInformationThread,17_2_020A9E6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4E78 NtWriteVirtualMemory,17_2_020A4E78
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4698 NtWriteVirtualMemory,17_2_020A4698
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4EA7 NtWriteVirtualMemory,17_2_020A4EA7
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4ED0 NtWriteVirtualMemory,17_2_020A4ED0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A46E0 NtWriteVirtualMemory,17_2_020A46E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4F2C NtWriteVirtualMemory,17_2_020A4F2C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8726 NtWriteVirtualMemory,17_2_020A8726
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A473C NtWriteVirtualMemory,17_2_020A473C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4F55 NtWriteVirtualMemory,17_2_020A4F55
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4F79 NtWriteVirtualMemory,17_2_020A4F79
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5F80 NtAllocateVirtualMemory,17_2_020A5F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4FAC NtWriteVirtualMemory,17_2_020A4FAC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A47DA NtWriteVirtualMemory,17_2_020A47DA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C08 NtSetInformationThread,17_2_020A9C08
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C18 NtSetInformationThread,17_2_020A9C18
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4C44 NtWriteVirtualMemory,17_2_020A4C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C50 NtSetInformationThread,17_2_020A9C50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C6C NtSetInformationThread,17_2_020A9C6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1C7E NtWriteVirtualMemory,17_2_020A1C7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C88 NtSetInformationThread,17_2_020A9C88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C98 NtSetInformationThread,17_2_020A9C98
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4CA4 NtWriteVirtualMemory,17_2_020A4CA4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9CB4 NtSetInformationThread,17_2_020A9CB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9CDC NtSetInformationThread,17_2_020A9CDC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A44FF NtWriteVirtualMemory,17_2_020A44FF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9CFC NtSetInformationThread,17_2_020A9CFC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5510 NtWriteVirtualMemory,17_2_020A5510
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9D20 NtSetInformationThread,17_2_020A9D20
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4D36 NtWriteVirtualMemory,17_2_020A4D36
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4554 NtWriteVirtualMemory,17_2_020A4554
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4D90 NtWriteVirtualMemory,17_2_020A4D90
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A95AF NtProtectVirtualMemory,17_2_020A95AF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8DBB NtWriteVirtualMemory,17_2_020A8DBB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9DBC NtSetInformationThread,17_2_020A9DBC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4DD4 NtWriteVirtualMemory,17_2_020A4DD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A45F2 NtWriteVirtualMemory,17_2_020A45F2
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569AFE NtSetInformationThread,21_2_00569AFE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560BF8 NtProtectVirtualMemory,21_2_00560BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005695F4 NtProtectVirtualMemory,21_2_005695F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00565F4C NtAllocateVirtualMemory,21_2_00565F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00566074 NtAllocateVirtualMemory,21_2_00566074
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056601C NtAllocateVirtualMemory,21_2_0056601C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005660F4 NtAllocateVirtualMemory,21_2_005660F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00566138 NtAllocateVirtualMemory,21_2_00566138
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B54 NtSetInformationThread,21_2_00569B54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B58 NtSetInformationThread,21_2_00569B58
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B76 NtSetInformationThread,21_2_00569B76
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B14 NtSetInformationThread,21_2_00569B14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B30 NtSetInformationThread,21_2_00569B30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569BE0 NtSetInformationThread,21_2_00569BE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569BB0 NtSetInformationThread,21_2_00569BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C50 NtSetInformationThread,21_2_00569C50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C6C NtSetInformationThread,21_2_00569C6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C18 NtSetInformationThread,21_2_00569C18
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C08 NtSetInformationThread,21_2_00569C08
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569CDC NtSetInformationThread,21_2_00569CDC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569CFC NtSetInformationThread,21_2_00569CFC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C98 NtSetInformationThread,21_2_00569C98
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C88 NtSetInformationThread,21_2_00569C88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569CB4 NtSetInformationThread,21_2_00569CB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569D20 NtSetInformationThread,21_2_00569D20
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056158E NtProtectVirtualMemory,21_2_0056158E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005615BC NtProtectVirtualMemory,21_2_005615BC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569DBC NtSetInformationThread,21_2_00569DBC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005695AF NtProtectVirtualMemory,21_2_005695AF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561670 NtProtectVirtualMemory,21_2_00561670
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569E6C NtSetInformationThread,21_2_00569E6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561604 NtProtectVirtualMemory,21_2_00561604
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00565F80 NtAllocateVirtualMemory,21_2_00565F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560BF8 NtProtectVirtualMemory,22_2_00560BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005695F4 NtProtectVirtualMemory,22_2_005695F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565F4C NtAllocateVirtualMemory,22_2_00565F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00566074 NtAllocateVirtualMemory,22_2_00566074
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056601C NtAllocateVirtualMemory,22_2_0056601C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005660F4 NtAllocateVirtualMemory,22_2_005660F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00566138 NtAllocateVirtualMemory,22_2_00566138
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056158E NtProtectVirtualMemory,22_2_0056158E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005615BC NtProtectVirtualMemory,22_2_005615BC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005695AF NtProtectVirtualMemory,22_2_005695AF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561670 NtProtectVirtualMemory,22_2_00561670
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561604 NtProtectVirtualMemory,22_2_00561604
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565F80 NtAllocateVirtualMemory,22_2_00565F80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile created: C:\Windows\Lwo7Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9AFE0_2_020A9AFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF80_2_020A0BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A86C30_2_020A86C3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A07030_2_020A0703
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F4C0_2_020A5F4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12100_2_020A1210
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A52240_2_020A5224
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A490_2_020A3A49
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12590_2_020A1259
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2A5D0_2_020A2A5D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2A500_2_020A2A50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A800_2_020A3A80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12860_2_020A1286
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12A40_2_020A12A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2AC00_2_020A2AC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A52C40_2_020A52C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A92D40_2_020A92D4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3AEC0_2_020A3AEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12E00_2_020A12E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4AE10_2_020A4AE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2AF40_2_020A2AF4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A131B0_2_020A131B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A53100_2_020A5310
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B140_2_020A9B14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B300_2_020A9B30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A13310_2_020A1331
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B340_2_020A2B34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A03350_2_020A0335
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A13480_2_020A1348
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3B440_2_020A3B44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B580_2_020A9B58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4B5F0_2_020A4B5F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A135C0_2_020A135C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B540_2_020A9B54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A03780_2_020A0378
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B760_2_020A9B76
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A538C0_2_020A538C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B840_2_020A2B84
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A03A80_2_020A03A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3BA00_2_020A3BA0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BB00_2_020A9BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A13B40_2_020A13B4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4BB40_2_020A4BB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2BD40_2_020A2BD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A53E80_2_020A53E8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BE00_2_020A9BE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A03E40_2_020A03E4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3BF80_2_020A3BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A50030_2_020A5003
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A90180_2_020A9018
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A101C0_2_020A101C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A082F0_2_020A082F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A083C0_2_020A083C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A48340_2_020A4834
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A90480_2_020A9048
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A305C0_2_020A305C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A90560_2_020A9056
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A10780_2_020A1078
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A508A0_2_020A508A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A08800_2_020A0880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A48800_2_020A4880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A109C0_2_020A109C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A50C00_2_020A50C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A08D00_2_020A08D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49070_2_020A4907
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A51100_2_020A5110
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A41160_2_020A4116
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A09240_2_020A0924
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A11240_2_020A1124
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A113F0_2_020A113F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A51680_2_020A5168
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A11630_2_020A1163
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49700_2_020A4970
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A19A90_2_020A19A9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A19BC0_2_020A19BC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A51B00_2_020A51B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49FC0_2_020A49FC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A69F70_2_020A69F7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0E240_2_020A0E24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E380_2_020A4E38
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A463C0_2_020A463C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A664C0_2_020A664C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8E540_2_020A8E54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E780_2_020A4E78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0E700_2_020A0E70
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A46980_2_020A4698
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2E960_2_020A2E96
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A66940_2_020A6694
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A36AA0_2_020A36AA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4EA70_2_020A4EA7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8EB00_2_020A8EB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4ED00_2_020A4ED0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A66EC0_2_020A66EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A46E00_2_020A46E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F040_2_020A0F04
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2F180_2_020A2F18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F2C0_2_020A4F2C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A87260_2_020A8726
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A473C0_2_020A473C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8F340_2_020A8F34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F500_2_020A0F50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F550_2_020A4F55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F790_2_020A4F79
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8F7C0_2_020A8F7C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F740_2_020A0F74
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3F88