Analysis Report SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664 (renamed file extension from 17664 to exe)
Analysis ID: 430707
MD5: 853744502b68e50e6cbaf81ffb3f5cc0
SHA1: ea748baebe70d7c6d3da9d1a2a34b76051425962
SHA256: 8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
Tags: exe

Detection

Malware family: GuLoader, Remcos
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
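The signatures "Creates a process in suspended mode (likely to inject code)" and "Contains functionality to call native functions" are backed, further down in the System Summary, by hundreds of "Code function" lines that each list the native calls a function at a given address reaches. Reading those by eye is slow; the following Python is an added example (not part of the Joe Sandbox report or its tooling) that parses lines in that shape, groups the injection primitives by process index, and assigns a verdict per stage: allocate+write+resume for the first loader writing into a suspended child, unmap+write for the NtUnmapViewOfSection variant seen under process index 16, and map+write for the NtMapViewOfSection variant under index 17. The sample lines are copied from this report; the primitive labels and verdict rules are this example's own.

```python
import re
from collections import defaultdict

# Sample "Code function" evidence lines in the shape this report prints them
# ("<process index>_<run>_<address> <API chain>,"), copied from the System
# Summary below; one or two lines per process index suffice for the grouping.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CB3 NtAllocateVirtualMemory, 0_2_020B5CB3",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A27 NtWriteVirtualMemory, 0_2_020B4A27",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9417 NtProtectVirtualMemory, 0_2_020B9417",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98CB LoadLibraryA,NtResumeThread, 0_2_020B98CB",
    r"Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CB3 NtAllocateVirtualMemory, 16_2_020B5CB3",
    r"Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98CB LoadLibraryA,NtUnmapViewOfSection, 16_2_020B98CB",
    r"Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A27 NtWriteVirtualMemory, 16_2_020B4A27",
    r"Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98CB LoadLibraryA,NtMapViewOfSection, 17_2_007A98CB",
    r"Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess, 17_2_007A0CBA",
    r"Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005698CB LoadLibraryA,InternetReadFile, 24_2_005698CB",
]

LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+) (?P<apis>[A-Za-z0-9_,]+),"
)

# Native calls that make up the remote-write / hollowing primitive set, labelled
# by what each contributes (labels are this example's own naming).
PRIMITIVES = {
    "NtAllocateVirtualMemory": "allocate",
    "NtWriteVirtualMemory": "write",
    "NtProtectVirtualMemory": "protect",
    "NtResumeThread": "resume",
    "NtUnmapViewOfSection": "unmap",
    "NtMapViewOfSection": "map",
}

# Verdict rules, checked in order: the primitive set a stage needs, and its label.
RULES = [
    ({"allocate", "write", "resume"},
     "allocate+write+resume: writes into a suspended process and resumes it"),
    ({"unmap", "write"},
     "unmap+write: hollowing (NtUnmapViewOfSection, then the image is rewritten)"),
    ({"map", "write"},
     "map+write: section-mapping injection"),
]


def parse_code_functions(lines):
    """Yield (process_index, image_path, [api, ...]) for every Code function line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            apis = [a for a in m.group("apis").split(",") if a]
            yield int(m.group("pid")), m.group("image"), apis


def summarize(lines):
    """Per process index: image, injection primitives referenced, and a verdict."""
    seen = defaultdict(lambda: {"image": None, "primitives": set()})
    for pid, image, apis in parse_code_functions(lines):
        seen[pid]["image"] = image
        seen[pid]["primitives"].update(PRIMITIVES[a] for a in apis if a in PRIMITIVES)
    out = {}
    for pid, entry in sorted(seen.items()):
        verdict = next((label for needed, label in RULES if needed <= entry["primitives"]),
                       "no injection pattern")
        out[pid] = {"image": entry["image"],
                    "primitives": sorted(entry["primitives"]),
                    "verdict": verdict}
    return out


if __name__ == "__main__":
    for pid, entry in summarize(SAMPLE_LINES).items():
        print(pid, entry["image"].rsplit("\\", 1)[-1], entry["primitives"], "->", entry["verdict"])
```

One caveat when reading the output: these "Code function" entries are static findings (native APIs referenced from a function at that address), not an execution trace, so a verdict states a capability, not a confirmed injection event. The identical addresses under process indexes 0 and 16 (020B9417, 020B5CB3, and so on) show the same unpacked loader code running in both the original sample and the dropped win.exe, which is why the grouping is per process index rather than per address.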

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin"}
Yara detected Remcos RAT
Source: Yara match File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected (the same request is recorded eight times; shown once, with the header line breaks restored):
GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: ztechinternational.com
Cache-Control: no-cache
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005698CB LoadLibraryA,InternetReadFile, 24_2_005698CB
Source: unknown DNS traffic detected: queries for: ztechinternational.com
Source: win.exe, 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, win.exe, 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp String found in binary or memory: http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin
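The networking evidence above is what an analyst turns into indicators: the payload URL decoded from the in-memory GuLoader configuration, the request actually sent on the wire (with an IE11-on-Windows-7 User-Agent coming from win.exe rather than a browser), the DNS lookup, and the process the Remcos YARA rule fired in. The following Python is an added example (not part of the Joe Sandbox report or its tooling) that parses report lines in exactly the shape printed in this section, including the run-together request line where the export dropped the line breaks between headers, and cross-checks that the configured URL is the one that was fetched. The sample lines reuse this report's own values; the header splitter assumes every header in the request is in its known-name list, which is an assumption of this example, not something the report states.

```python
import json
import re
from urllib.parse import urlsplit

# Sample evidence lines in the shape this report prints them (values copied from
# the report above; the GET line appears twice to show de-duplication).
SAMPLE_LINES = [
    'Source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp '
    'Malware Configuration Extractor: GuLoader '
    '{"Payload URL": "http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin"}',
    'Source: global traffic HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin '
    'HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) '
    'like GeckoHost: ztechinternational.comCache-Control: no-cache',
    'Source: global traffic HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin '
    'HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) '
    'like GeckoHost: ztechinternational.comCache-Control: no-cache',
    'Source: unknown DNS traffic detected: queries for: ztechinternational.com',
    'Source: Yara match File source: Process Memory Space: win.exe PID: 2796, type: MEMORY',
]

# The export drops the CRLF between headers, so header boundaries are recovered
# by looking for known header names. Assumption: no other header is present;
# an unknown one would be merged into the value of the header before it.
KNOWN_HEADERS = ("User-Agent", "Host", "Cache-Control", "Accept", "Accept-Encoding",
                 "Accept-Language", "Connection", "Content-Type", "Content-Length")
HEADER_SPLIT_RE = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in KNOWN_HEADERS))

CONFIG_RE = re.compile(r"Malware Configuration Extractor: (?P<family>\S+) (?P<json>\{.*\})\s*$")
HTTP_RE = re.compile(r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01](?P<rest>.*)$")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (?P<name>\S+)")
YARA_PROC_RE = re.compile(r"Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)")


def parse_http_request(method, path, rest):
    """Rebuild a request dict from the run-together request-line/header text."""
    headers = {}
    for chunk in HEADER_SPLIT_RE.split(rest):
        if ": " in chunk:
            name, value = chunk.split(": ", 1)
            headers[name] = value.strip()
    return {"method": method, "path": path, "headers": headers, "count": 1}


def extract_iocs(lines):
    """Collect config, HTTP, DNS and process indicators from report lines."""
    iocs = {"config": {}, "http": [], "dns": [], "processes": [], "hosts": set()}
    for line in lines:
        if m := CONFIG_RE.search(line):
            cfg = json.loads(m.group("json"))
            iocs["config"][m.group("family")] = cfg
            for value in cfg.values():
                if isinstance(value, str) and value.startswith("http"):
                    iocs["hosts"].add(urlsplit(value).hostname)
        elif m := HTTP_RE.search(line):
            req = parse_http_request(m.group("method"), m.group("path"), m.group("rest"))
            dup = next((r for r in iocs["http"]
                        if r["path"] == req["path"] and r["headers"] == req["headers"]), None)
            if dup:
                dup["count"] += 1          # same request seen again: count, do not repeat
            else:
                iocs["http"].append(req)
            if "Host" in req["headers"]:
                iocs["hosts"].add(req["headers"]["Host"])
        elif m := DNS_RE.search(line):
            iocs["dns"].append(m.group("name"))
            iocs["hosts"].add(m.group("name"))
        elif m := YARA_PROC_RE.search(line):
            iocs["processes"].append({"image": m.group("image"), "pid": int(m.group("pid"))})

    # Cross-check: which URLs decoded from the in-memory config were really requested.
    requested = {f"http://{r['headers']['Host']}{r['path']}"
                 for r in iocs["http"] if "Host" in r["headers"]}
    configured = {v for cfg in iocs["config"].values() for v in cfg.values()
                  if isinstance(v, str) and v.startswith("http")}
    iocs["corroborated"] = sorted(configured & requested)
    iocs["hosts"] = sorted(iocs["hosts"])
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_LINES), indent=2))
```

The corroborated list is the part worth keeping: a configuration extractor can decode stale or decoy URLs from memory, so an indicator that is both in the decoded config and in observed traffic is the one to push to blocking first, while the DNS name and the User-Agent-plus-process pairing (an IE11 UA sent from a binary under AppData\Roaming) serve as the hunting handles.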

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9417 NtProtectVirtualMemory, 0_2_020B9417
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess, 0_2_020B0CBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CB3 NtAllocateVirtualMemory, 0_2_020B5CB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98CB LoadLibraryA,NtResumeThread, 0_2_020B98CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA, 0_2_020B1D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9A03 NtResumeThread, 0_2_020B9A03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9A2F NtResumeThread, 0_2_020B9A2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A27 NtWriteVirtualMemory, 0_2_020B4A27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4638 NtWriteVirtualMemory, 0_2_020B4638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3E30 NtWriteVirtualMemory, 0_2_020B3E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5230 NtWriteVirtualMemory, 0_2_020B5230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4E36 NtWriteVirtualMemory, 0_2_020B4E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9A41 NtResumeThread, 0_2_020B9A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5E47 NtAllocateVirtualMemory, 0_2_020B5E47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9A57 NtResumeThread, 0_2_020B9A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B7E78 NtWriteVirtualMemory, 0_2_020B7E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A73 NtWriteVirtualMemory, 0_2_020B4A73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9A74 NtResumeThread, 0_2_020B9A74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B528D NtWriteVirtualMemory, 0_2_020B528D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A87 NtWriteVirtualMemory, 0_2_020B4A87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4E99 NtWriteVirtualMemory, 0_2_020B4E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9A95 NtResumeThread, 0_2_020B9A95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4694 NtWriteVirtualMemory, 0_2_020B4694
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5EA8 NtAllocateVirtualMemory, 0_2_020B5EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9AAF NtResumeThread, 0_2_020B9AAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4AA0 NtWriteVirtualMemory, 0_2_020B4AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B46D3 NtWriteVirtualMemory, 0_2_020B46D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1ED7 NtWriteVirtualMemory, 0_2_020B1ED7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9AEC NtResumeThread, 0_2_020B9AEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B01 NtWriteVirtualMemory, 0_2_020B2B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B00 NtWriteVirtualMemory, 0_2_020B4B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4F14 NtWriteVirtualMemory, 0_2_020B4F14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B2D NtWriteVirtualMemory, 0_2_020B4B2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B25 NtWriteVirtualMemory, 0_2_020B4B25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA, 0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9B4B NtResumeThread, 0_2_020B9B4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B5C NtWriteVirtualMemory, 0_2_020B4B5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4F8C NtWriteVirtualMemory, 0_2_020B4F8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9B83 NtResumeThread, 0_2_020B9B83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4797 NtWriteVirtualMemory, 0_2_020B4797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4FB8 NtWriteVirtualMemory, 0_2_020B4FB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8BBE NtWriteVirtualMemory, 0_2_020B8BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4BB0 NtWriteVirtualMemory, 0_2_020B4BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9BCB NtResumeThread, 0_2_020B9BCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B93CD NtProtectVirtualMemory, 0_2_020B93CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B47F4 NtWriteVirtualMemory, 0_2_020B47F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4C16 NtWriteVirtualMemory, 0_2_020B4C16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9C14 NtResumeThread, 0_2_020B9C14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5023 NtWriteVirtualMemory, 0_2_020B5023
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4847 NtWriteVirtualMemory, 0_2_020B4847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4C68 NtWriteVirtualMemory, 0_2_020B4C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B506F NtWriteVirtualMemory, 0_2_020B506F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4899 NtWriteVirtualMemory, 0_2_020B4899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B44CF NtWriteVirtualMemory, 0_2_020B44CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B50C5 NtWriteVirtualMemory, 0_2_020B50C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CD9 NtAllocateVirtualMemory, 0_2_020B5CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98D8 NtResumeThread, 0_2_020B98D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B48E3 NtWriteVirtualMemory, 0_2_020B48E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4CE4 NtWriteVirtualMemory, 0_2_020B4CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CE4 NtAllocateVirtualMemory, 0_2_020B5CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B60FA NtWriteVirtualMemory, 0_2_020B60FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B28FE NtWriteVirtualMemory,LoadLibraryA, 0_2_020B28FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98F3 NtResumeThread, 0_2_020B98F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4D2A NtWriteVirtualMemory, 0_2_020B4D2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5D21 NtAllocateVirtualMemory, 0_2_020B5D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4520 NtWriteVirtualMemory, 0_2_020B4520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9933 NtResumeThread, 0_2_020B9933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4948 NtWriteVirtualMemory, 0_2_020B4948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5146 NtWriteVirtualMemory, 0_2_020B5146
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B995D NtResumeThread, 0_2_020B995D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9951 NtResumeThread, 0_2_020B9951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B996E NtResumeThread, 0_2_020B996E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5D71 NtAllocateVirtualMemory, 0_2_020B5D71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4570 NtWriteVirtualMemory, 0_2_020B4570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B518F NtWriteVirtualMemory, 0_2_020B518F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4D83 NtWriteVirtualMemory, 0_2_020B4D83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4985 NtWriteVirtualMemory, 0_2_020B4985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B999B NtResumeThread, 0_2_020B999B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5D90 NtAllocateVirtualMemory, 0_2_020B5D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5DAD NtAllocateVirtualMemory, 0_2_020B5DAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45B5 NtWriteVirtualMemory, 0_2_020B45B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B51C7 NtWriteVirtualMemory, 0_2_020B51C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4DE9 NtWriteVirtualMemory, 0_2_020B4DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5DE9 NtAllocateVirtualMemory, 0_2_020B5DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B99E9 NtResumeThread, 0_2_020B99E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45E0 NtWriteVirtualMemory, 0_2_020B45E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45E4 NtWriteVirtualMemory, 0_2_020B45E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45F9 NtWriteVirtualMemory, 0_2_020B45F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B49F4 NtWriteVirtualMemory, 0_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9417 NtProtectVirtualMemory, 16_2_020B9417
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess, 16_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CB3 NtAllocateVirtualMemory, 16_2_020B5CB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98CB LoadLibraryA,NtUnmapViewOfSection, 16_2_020B98CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA, 16_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9A03 NtUnmapViewOfSection, 16_2_020B9A03
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9A2F NtUnmapViewOfSection, 16_2_020B9A2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A27 NtWriteVirtualMemory, 16_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4638 NtWriteVirtualMemory, 16_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3E30 NtWriteVirtualMemory, 16_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5230 NtWriteVirtualMemory, 16_2_020B5230
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4E36 NtWriteVirtualMemory, 16_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9A41 NtUnmapViewOfSection, 16_2_020B9A41
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5E47 NtAllocateVirtualMemory, 16_2_020B5E47
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9A57 NtUnmapViewOfSection, 16_2_020B9A57
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B7E78 NtWriteVirtualMemory, 16_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A73 NtWriteVirtualMemory, 16_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9A74 NtUnmapViewOfSection, 16_2_020B9A74
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B528D NtWriteVirtualMemory, 16_2_020B528D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A87 NtWriteVirtualMemory, 16_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4E99 NtWriteVirtualMemory, 16_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9A95 NtUnmapViewOfSection, 16_2_020B9A95
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4694 NtWriteVirtualMemory, 16_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5EA8 NtAllocateVirtualMemory, 16_2_020B5EA8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9AAF NtUnmapViewOfSection, 16_2_020B9AAF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4AA0 NtWriteVirtualMemory, 16_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B46D3 NtWriteVirtualMemory, 16_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1ED7 NtWriteVirtualMemory, 16_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9AEC NtUnmapViewOfSection, 16_2_020B9AEC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2B01 NtWriteVirtualMemory, 16_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B00 NtWriteVirtualMemory, 16_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4F14 NtWriteVirtualMemory, 16_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B2D NtWriteVirtualMemory, 16_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B25 NtWriteVirtualMemory, 16_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA, 16_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9B4B NtUnmapViewOfSection, 16_2_020B9B4B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B5C NtWriteVirtualMemory, 16_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4F8C NtWriteVirtualMemory, 16_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9B83 NtUnmapViewOfSection, 16_2_020B9B83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4797 NtWriteVirtualMemory, 16_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4FB8 NtWriteVirtualMemory, 16_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8BBE NtWriteVirtualMemory, 16_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4BB0 NtWriteVirtualMemory, 16_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9BCB NtUnmapViewOfSection, 16_2_020B9BCB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B93CD NtProtectVirtualMemory, 16_2_020B93CD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B47F4 NtWriteVirtualMemory, 16_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4C16 NtWriteVirtualMemory, 16_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9C14 NtUnmapViewOfSection, 16_2_020B9C14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5023 NtWriteVirtualMemory, 16_2_020B5023
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4847 NtWriteVirtualMemory, 16_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4C68 NtWriteVirtualMemory, 16_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B506F NtWriteVirtualMemory, 16_2_020B506F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4899 NtWriteVirtualMemory, 16_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B44CF NtWriteVirtualMemory, 16_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B50C5 NtWriteVirtualMemory, 16_2_020B50C5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CD9 NtAllocateVirtualMemory, 16_2_020B5CD9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98D8 NtUnmapViewOfSection, 16_2_020B98D8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B48E3 NtWriteVirtualMemory, 16_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4CE4 NtWriteVirtualMemory, 16_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CE4 NtAllocateVirtualMemory, 16_2_020B5CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B60FA NtWriteVirtualMemory, 16_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B28FE NtWriteVirtualMemory,LoadLibraryA, 16_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98F3 NtUnmapViewOfSection, 16_2_020B98F3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4D2A NtWriteVirtualMemory, 16_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5D21 NtAllocateVirtualMemory, 16_2_020B5D21
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4520 NtWriteVirtualMemory, 16_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9933 NtUnmapViewOfSection, 16_2_020B9933
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4948 NtWriteVirtualMemory, 16_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5146 NtWriteVirtualMemory, 16_2_020B5146
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B995D NtUnmapViewOfSection, 16_2_020B995D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9951 NtUnmapViewOfSection, 16_2_020B9951
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B996E NtUnmapViewOfSection, 16_2_020B996E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5D71 NtAllocateVirtualMemory, 16_2_020B5D71
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4570 NtWriteVirtualMemory, 16_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B518F NtWriteVirtualMemory, 16_2_020B518F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4D83 NtWriteVirtualMemory, 16_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4985 NtWriteVirtualMemory, 16_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B999B NtUnmapViewOfSection, 16_2_020B999B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5D90 NtAllocateVirtualMemory, 16_2_020B5D90
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5DAD NtAllocateVirtualMemory, 16_2_020B5DAD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45B5 NtWriteVirtualMemory, 16_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B51C7 NtWriteVirtualMemory, 16_2_020B51C7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4DE9 NtWriteVirtualMemory, 16_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5DE9 NtAllocateVirtualMemory, 16_2_020B5DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B99E9 NtUnmapViewOfSection, 16_2_020B99E9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45E0 NtWriteVirtualMemory, 16_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45E4 NtWriteVirtualMemory, 16_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45F9 NtWriteVirtualMemory, 16_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B49F4 NtWriteVirtualMemory, 16_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9417 NtProtectVirtualMemory, 17_2_007A9417
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98CB LoadLibraryA,NtMapViewOfSection, 17_2_007A98CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess, 17_2_007A0CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5CB3 NtAllocateVirtualMemory, 17_2_007A5CB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1D2E NtWriteVirtualMemory,LoadLibraryA, 17_2_007A1D2E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4C68 NtWriteVirtualMemory, 17_2_007A4C68
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A506F NtWriteVirtualMemory, 17_2_007A506F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4847 NtWriteVirtualMemory, 17_2_007A4847
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5023 NtWriteVirtualMemory, 17_2_007A5023
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4C16 NtWriteVirtualMemory, 17_2_007A4C16
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9C14 NtMapViewOfSection, 17_2_007A9C14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A60FA NtWriteVirtualMemory, 17_2_007A60FA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A28FE NtWriteVirtualMemory,LoadLibraryA, 17_2_007A28FE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98F3 NtMapViewOfSection, 17_2_007A98F3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A48E3 NtWriteVirtualMemory, 17_2_007A48E3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4CE4 NtWriteVirtualMemory, 17_2_007A4CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5CE4 NtAllocateVirtualMemory, 17_2_007A5CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98D8 NtMapViewOfSection, 17_2_007A98D8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5CD9 NtAllocateVirtualMemory, 17_2_007A5CD9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A44CF NtWriteVirtualMemory, 17_2_007A44CF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A50C5 NtWriteVirtualMemory, 17_2_007A50C5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4899 NtWriteVirtualMemory, 17_2_007A4899
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4570 NtWriteVirtualMemory, 17_2_007A4570
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5D71 NtAllocateVirtualMemory, 17_2_007A5D71
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A996E NtMapViewOfSection, 17_2_007A996E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A995D NtMapViewOfSection, 17_2_007A995D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9951 NtMapViewOfSection, 17_2_007A9951
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4948 NtWriteVirtualMemory, 17_2_007A4948
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5146 NtWriteVirtualMemory, 17_2_007A5146
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9933 NtMapViewOfSection, 17_2_007A9933
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4D2A NtWriteVirtualMemory, 17_2_007A4D2A
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4520 NtWriteVirtualMemory, 17_2_007A4520
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5D21 NtAllocateVirtualMemory, 17_2_007A5D21
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45F9 NtWriteVirtualMemory, 17_2_007A45F9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A49F4 NtWriteVirtualMemory, 17_2_007A49F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4DE9 NtWriteVirtualMemory, 17_2_007A4DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5DE9 NtAllocateVirtualMemory, 17_2_007A5DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A99E9 NtMapViewOfSection, 17_2_007A99E9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45E0 NtWriteVirtualMemory, 17_2_007A45E0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45E4 NtWriteVirtualMemory, 17_2_007A45E4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A51C7 NtWriteVirtualMemory, 17_2_007A51C7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45B5 NtWriteVirtualMemory, 17_2_007A45B5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5DAD NtAllocateVirtualMemory, 17_2_007A5DAD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A999B NtMapViewOfSection, 17_2_007A999B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5D90 NtAllocateVirtualMemory, 17_2_007A5D90
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A518F NtWriteVirtualMemory, 17_2_007A518F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4D83 NtWriteVirtualMemory, 17_2_007A4D83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4985 NtWriteVirtualMemory, 17_2_007A4985
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A7E78 NtWriteVirtualMemory, 17_2_007A7E78
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4A73 NtWriteVirtualMemory, 17_2_007A4A73
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9A74 NtMapViewOfSection, 17_2_007A9A74
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9A57 NtMapViewOfSection, 17_2_007A9A57
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9A41 NtMapViewOfSection, 17_2_007A9A41
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5E47 NtAllocateVirtualMemory, 17_2_007A5E47
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4638 NtWriteVirtualMemory, 17_2_007A4638
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3E30 NtWriteVirtualMemory, 17_2_007A3E30
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5230 NtWriteVirtualMemory, 17_2_007A5230
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4E36 NtWriteVirtualMemory, 17_2_007A4E36
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9A2F NtMapViewOfSection, 17_2_007A9A2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4A27 NtWriteVirtualMemory, 17_2_007A4A27
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9A03 NtMapViewOfSection, 17_2_007A9A03
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9AEC NtMapViewOfSection, 17_2_007A9AEC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A46D3 NtWriteVirtualMemory, 17_2_007A46D3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1ED7 NtWriteVirtualMemory, 17_2_007A1ED7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5EA8 NtAllocateVirtualMemory, 17_2_007A5EA8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9AAF NtMapViewOfSection, 17_2_007A9AAF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4AA0 NtWriteVirtualMemory, 17_2_007A4AA0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4E99 NtWriteVirtualMemory, 17_2_007A4E99
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4694 NtWriteVirtualMemory, 17_2_007A4694
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9A95 NtMapViewOfSection, 17_2_007A9A95
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A528D NtWriteVirtualMemory, 17_2_007A528D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4A87 NtWriteVirtualMemory, 17_2_007A4A87
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B5C NtWriteVirtualMemory, 17_2_007A4B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9B4B NtMapViewOfSection, 17_2_007A9B4B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2F3E NtWriteVirtualMemory,LoadLibraryA, 17_2_007A2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B2D NtWriteVirtualMemory, 17_2_007A4B2D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B25 NtWriteVirtualMemory, 17_2_007A4B25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4F14 NtWriteVirtualMemory, 17_2_007A4F14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B00 NtWriteVirtualMemory, 17_2_007A4B00
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2B01 NtWriteVirtualMemory, 17_2_007A2B01
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A47F4 NtWriteVirtualMemory, 17_2_007A47F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9BCB NtMapViewOfSection, 17_2_007A9BCB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A93CD NtProtectVirtualMemory, 17_2_007A93CD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4FB8 NtWriteVirtualMemory, 17_2_007A4FB8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8BBE NtWriteVirtualMemory, 17_2_007A8BBE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4BB0 NtWriteVirtualMemory, 17_2_007A4BB0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4797 NtWriteVirtualMemory, 17_2_007A4797
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4F8C NtWriteVirtualMemory, 17_2_007A4F8C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9B83 NtMapViewOfSection, 17_2_007A9B83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9417 NtProtectVirtualMemory, 18_2_020B9417
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess, 18_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5CB3 NtAllocateVirtualMemory, 18_2_020B5CB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B98CB LoadLibraryA,NtSetInformationThread, 18_2_020B98CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA, 18_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9A03 NtSetInformationThread, 18_2_020B9A03
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9A2F NtSetInformationThread, 18_2_020B9A2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4A27 NtWriteVirtualMemory, 18_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4638 NtWriteVirtualMemory, 18_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3E30 NtWriteVirtualMemory, 18_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5230 NtWriteVirtualMemory, 18_2_020B5230
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4E36 NtWriteVirtualMemory, 18_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9A41 NtSetInformationThread, 18_2_020B9A41
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5E47 NtAllocateVirtualMemory, 18_2_020B5E47
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9A57 NtSetInformationThread, 18_2_020B9A57
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B7E78 NtWriteVirtualMemory, 18_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4A73 NtWriteVirtualMemory, 18_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9A74 NtSetInformationThread, 18_2_020B9A74
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B528D NtWriteVirtualMemory, 18_2_020B528D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4A87 NtWriteVirtualMemory, 18_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4E99 NtWriteVirtualMemory, 18_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9A95 NtSetInformationThread, 18_2_020B9A95
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4694 NtWriteVirtualMemory, 18_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5EA8 NtAllocateVirtualMemory, 18_2_020B5EA8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9AAF NtSetInformationThread, 18_2_020B9AAF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4AA0 NtWriteVirtualMemory, 18_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B46D3 NtWriteVirtualMemory, 18_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1ED7 NtWriteVirtualMemory, 18_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9AEC NtSetInformationThread, 18_2_020B9AEC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2B01 NtWriteVirtualMemory, 18_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B00 NtWriteVirtualMemory, 18_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4F14 NtWriteVirtualMemory, 18_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B2D NtWriteVirtualMemory, 18_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B25 NtWriteVirtualMemory, 18_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA, 18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9B4B NtSetInformationThread, 18_2_020B9B4B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B5C NtWriteVirtualMemory, 18_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4F8C NtWriteVirtualMemory, 18_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9B83 NtSetInformationThread, 18_2_020B9B83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4797 NtWriteVirtualMemory, 18_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4FB8 NtWriteVirtualMemory, 18_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8BBE NtWriteVirtualMemory, 18_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4BB0 NtWriteVirtualMemory, 18_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9BCB NtSetInformationThread, 18_2_020B9BCB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B93CD NtProtectVirtualMemory, 18_2_020B93CD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B47F4 NtWriteVirtualMemory, 18_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4C16 NtWriteVirtualMemory, 18_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9C14 NtSetInformationThread, 18_2_020B9C14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5023 NtWriteVirtualMemory, 18_2_020B5023
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4847 NtWriteVirtualMemory, 18_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4C68 NtWriteVirtualMemory, 18_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B506F NtWriteVirtualMemory, 18_2_020B506F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4899 NtWriteVirtualMemory, 18_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B44CF NtWriteVirtualMemory, 18_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B50C5 NtWriteVirtualMemory, 18_2_020B50C5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5CD9 NtAllocateVirtualMemory, 18_2_020B5CD9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B98D8 NtSetInformationThread, 18_2_020B98D8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B48E3 NtWriteVirtualMemory, 18_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4CE4 NtWriteVirtualMemory, 18_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5CE4 NtAllocateVirtualMemory, 18_2_020B5CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B60FA NtWriteVirtualMemory, 18_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B28FE NtWriteVirtualMemory,LoadLibraryA, 18_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B98F3 NtSetInformationThread, 18_2_020B98F3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4D2A NtWriteVirtualMemory, 18_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5D21 NtAllocateVirtualMemory, 18_2_020B5D21
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4520 NtWriteVirtualMemory, 18_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9933 NtSetInformationThread, 18_2_020B9933
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4948 NtWriteVirtualMemory, 18_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5146 NtWriteVirtualMemory, 18_2_020B5146
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B995D NtSetInformationThread, 18_2_020B995D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B9951 NtSetInformationThread, 18_2_020B9951
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B996E NtSetInformationThread, 18_2_020B996E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5D71 NtAllocateVirtualMemory, 18_2_020B5D71
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4570 NtWriteVirtualMemory, 18_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B518F NtWriteVirtualMemory, 18_2_020B518F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4D83 NtWriteVirtualMemory, 18_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4985 NtWriteVirtualMemory, 18_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B999B NtSetInformationThread, 18_2_020B999B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5D90 NtAllocateVirtualMemory, 18_2_020B5D90
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5DAD NtAllocateVirtualMemory, 18_2_020B5DAD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45B5 NtWriteVirtualMemory, 18_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B51C7 NtWriteVirtualMemory, 18_2_020B51C7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4DE9 NtWriteVirtualMemory, 18_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5DE9 NtAllocateVirtualMemory, 18_2_020B5DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B99E9 NtSetInformationThread, 18_2_020B99E9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45E0 NtWriteVirtualMemory, 18_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45E4 NtWriteVirtualMemory, 18_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45F9 NtWriteVirtualMemory, 18_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B49F4 NtWriteVirtualMemory, 18_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569417 NtProtectVirtualMemory, 22_2_00569417
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005698CB LoadLibraryA,NtSetInformationThread, 22_2_005698CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565CB3 NtAllocateVirtualMemory, 22_2_00565CB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory, 22_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569C14 NtSetInformationThread, 22_2_00569C14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005698D8 NtSetInformationThread, 22_2_005698D8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565CD9 NtAllocateVirtualMemory, 22_2_00565CD9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005698F3 NtSetInformationThread, 22_2_005698F3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565CE4 NtAllocateVirtualMemory, 22_2_00565CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569951 NtSetInformationThread, 22_2_00569951
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056995D NtSetInformationThread, 22_2_0056995D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565D71 NtAllocateVirtualMemory, 22_2_00565D71
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056996E NtSetInformationThread, 22_2_0056996E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569933 NtSetInformationThread, 22_2_00569933
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565D21 NtAllocateVirtualMemory, 22_2_00565D21
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565DE9 NtAllocateVirtualMemory, 22_2_00565DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005699E9 NtSetInformationThread, 22_2_005699E9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565D90 NtAllocateVirtualMemory, 22_2_00565D90
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056999B NtSetInformationThread, 22_2_0056999B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565DAD NtAllocateVirtualMemory, 22_2_00565DAD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569A57 NtSetInformationThread, 22_2_00569A57
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565E47 NtAllocateVirtualMemory, 22_2_00565E47
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569A41 NtSetInformationThread, 22_2_00569A41
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569A74 NtSetInformationThread, 22_2_00569A74
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056166C NtProtectVirtualMemory, 22_2_0056166C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561614 NtProtectVirtualMemory, 22_2_00561614
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056161B NtProtectVirtualMemory, 22_2_0056161B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569A03 NtSetInformationThread, 22_2_00569A03
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569A2F NtSetInformationThread, 22_2_00569A2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005616DF NtProtectVirtualMemory, 22_2_005616DF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569AEC NtSetInformationThread, 22_2_00569AEC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569A95 NtSetInformationThread, 22_2_00569A95
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569AAF NtSetInformationThread, 22_2_00569AAF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565EA8 NtAllocateVirtualMemory, 22_2_00565EA8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569B4B NtSetInformationThread, 22_2_00569B4B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056173C NtProtectVirtualMemory, 22_2_0056173C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005693CD NtProtectVirtualMemory, 22_2_005693CD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569BCB NtSetInformationThread, 22_2_00569BCB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00569B83 NtSetInformationThread, 22_2_00569B83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005617B0 NtProtectVirtualMemory, 22_2_005617B0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00569417 NtProtectVirtualMemory, 24_2_00569417
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565CB3 NtAllocateVirtualMemory, 24_2_00565CB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory, 24_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565CD9 NtAllocateVirtualMemory, 24_2_00565CD9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565CE4 NtAllocateVirtualMemory, 24_2_00565CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565D71 NtAllocateVirtualMemory, 24_2_00565D71
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565D21 NtAllocateVirtualMemory, 24_2_00565D21
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565DE9 NtAllocateVirtualMemory, 24_2_00565DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565D90 NtAllocateVirtualMemory, 24_2_00565D90
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565DAD NtAllocateVirtualMemory, 24_2_00565DAD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565E47 NtAllocateVirtualMemory, 24_2_00565E47
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056166C NtProtectVirtualMemory, 24_2_0056166C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561614 NtProtectVirtualMemory, 24_2_00561614
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056161B NtProtectVirtualMemory, 24_2_0056161B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005616DF NtProtectVirtualMemory, 24_2_005616DF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565EA8 NtAllocateVirtualMemory, 24_2_00565EA8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056173C NtProtectVirtualMemory, 24_2_0056173C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005693CD NtProtectVirtualMemory, 24_2_005693CD
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005617B0 NtProtectVirtualMemory, 24_2_005617B0
Creates files inside the system directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Windows\Lwo7
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_0040DD8B 0_2_0040DD8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B623F 0_2_020B623F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0816 0_2_020B0816
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CBA 0_2_020B0CBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CB3 0_2_020B5CB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98CB 0_2_020B98CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1D2E 0_2_020B1D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1204 0_2_020B1204
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A27 0_2_020B4A27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4638 0_2_020B4638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3E30 0_2_020B3E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0A37 0_2_020B0A37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4E36 0_2_020B4E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8E4B 0_2_020B8E4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0E4D 0_2_020B0E4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3244 0_2_020B3244
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B6253 0_2_020B6253
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1265 0_2_020B1265
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B7E78 0_2_020B7E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A73 0_2_020B4A73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3275 0_2_020B3275
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0A88 0_2_020B0A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8E8C 0_2_020B8E8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0E80 0_2_020B0E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A87 0_2_020B4A87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4E99 0_2_020B4E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4694 0_2_020B4694
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4AA0 0_2_020B4AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B62A4 0_2_020B62A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0EB3 0_2_020B0EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B12DC 0_2_020B12DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B46D3 0_2_020B46D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8ED0 0_2_020B8ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1ED7 0_2_020B1ED7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B630B 0_2_020B630B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B01 0_2_020B2B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4300 0_2_020B4300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B00 0_2_020B4B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1313 0_2_020B1313
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4F14 0_2_020B4F14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0F2F 0_2_020B0F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B2D 0_2_020B4B2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B25 0_2_020B4B25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2F3E 0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1F3C 0_2_020B1F3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B37 0_2_020B2B37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B5C 0_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3E30 18_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0A37 18_2_020B0A37
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4E36 18_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8E4B 18_2_020B8E4B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0E4D 18_2_020B0E4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3244 18_2_020B3244
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B6253 18_2_020B6253
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1265 18_2_020B1265
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B7E78 18_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4A73 18_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3275 18_2_020B3275
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0A88 18_2_020B0A88
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8E8C 18_2_020B8E8C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0E80 18_2_020B0E80
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4A87 18_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4E99 18_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4694 18_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4AA0 18_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B62A4 18_2_020B62A4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0EB3 18_2_020B0EB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B12DC 18_2_020B12DC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B46D3 18_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8ED0 18_2_020B8ED0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1ED7 18_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B630B 18_2_020B630B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2B01 18_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4300 18_2_020B4300
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B00 18_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1313 18_2_020B1313
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4F14 18_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0F2F 18_2_020B0F2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B2D 18_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B25 18_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2F3E 18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1F3C 18_2_020B1F3C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2B37 18_2_020B2B37
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4B5C 18_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1F52 18_2_020B1F52
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2F50 18_2_020B2F50
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B136B 18_2_020B136B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3B6F 18_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B6363 18_2_020B6363
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3B60 18_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1F7F 18_2_020B1F7F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4F8C 18_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2B83 18_2_020B2B83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0F9B 18_2_020B0F9B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4797 18_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2FA8 18_2_020B2FA8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3BAF 18_2_020B3BAF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B63AC 18_2_020B63AC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4FB8 18_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8BBE 18_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4BB0 18_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2BD8 18_2_020B2BD8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0FEB 18_2_020B0FEB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B47F4 18_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3C0C 18_2_020B3C0C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B641B 18_2_020B641B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4C16 18_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0C25 18_2_020B0C25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3C3F 18_2_020B3C3F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2C33 18_2_020B2C33
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B104C 18_2_020B104C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4847 18_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8C44 18_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0C5B 18_2_020B0C5B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4C68 18_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8C6D 18_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3063 18_2_020B3063
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B247D 18_2_020B247D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B6480 18_2_020B6480
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4899 18_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2C94 18_2_020B2C94
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B1094 18_2_020B1094
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0CA6 18_2_020B0CA6
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B10CB 18_2_020B10CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B44CF 18_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0CC1 18_2_020B0CC1
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B44C0 18_2_020B44C0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B30C4 18_2_020B30C4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B64DB 18_2_020B64DB
PE file contains strange resources
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384937023.00000000029A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCamases3.exeFE2Xj vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384197435.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466440658.000000001E030000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462556682.000000000085C000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462556682.000000000085C000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466753489.000000001E130000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466753489.000000001E130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000000.383148228.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462715117.0000000002400000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
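The flag list above is the sandbox's rendering of IMAGE_FILE_HEADER.Characteristics. As an added example (not part of the report and not the sandbox's own code), the following stdlib-only Python decodes those flags from raw PE bytes and also pulls ImageBase; it runs on a constructed header that carries the same five flags, not on the real sample. Two points worth checking when reading the report: RELOCS_STRIPPED means the loader cannot rebase the image, so it always maps at ImageBase (the 0_2_0040xxxx addresses listed for process 0 are consistent with the conventional 0x00400000 base, which is an assumption here, not a value the report states), while the 0x020Bxxxx, 0x007Axxxx and 0x0056xxxx addresses in the other listings lie outside such an image and coincide with the memory regions where the GuLoader Yara rule fired. The msvbvm60.dll load recorded further down marks the sample as a Visual Basic 6 executable.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h); only the common ones are listed
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Decode the COFF header and ImageBase of a PE image from raw bytes (no third-party modules)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics  (20 bytes)
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 2:
        raise ValueError("no optional header")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)   # PE32: ImageBase is a DWORD at +28
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # PE32+: ImageBase is a QWORD at +24
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    flags = [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "format": "PE32" if magic == PE32_MAGIC else "PE32+",
        "sections": nsections,
        "image_base": image_base,
        "characteristics": flags,
        "is_32bit": bool(chars & 0x0100) and magic == PE32_MAGIC,
        # With RELOCS_STRIPPED the loader cannot rebase the image; it always maps at image_base
        "relocatable": not (chars & 0x0001),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header with the five flags the report lists (0x010F); not the real sample."""
    buf = bytearray(0x58 + 0xE0)                       # DOS stub + PE sig + COFF + 224-byte optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x014C, 3, 0, 0, 0, 0xE0, 0x010F)
    struct.pack_into("<H", buf, 0x58, PE32_MAGIC)
    struct.pack_into("<I", buf, 0x58 + 28, 0x00400000)  # assumed VB6-style ImageBase
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_pe()).items():
        print(f"{key:16s} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:16s} {value}")
```

To check a real file, pass `open(path, "rb").read()` to `parse_pe_header`; the function only touches the headers, so reading the first few kilobytes is enough.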
Source: classification engine Classification label: mal96.troj.evad.winEXE@19/10@9/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\AppData\Roaming\win.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Users\user\AppData\Local\Temp\~DF1570032FE38D6039.TMP
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\win.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (3 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: C:\Users\user\AppData\Roaming\win.exe File read: C:\Windows\System32\drivers\etc\hosts (7 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.603499845.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.596745893.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.566291257.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.566645906.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_0040828A push esp; retf 0_2_0040828C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_00405F01 pushfd ; iretd 0_2_00405F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_00406914 push eax; retf 0_2_00406915
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_004077CE push ss; ret 0_2_004077CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020BA211 push es; retf 0_2_020BA220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8516 push es; retf 0_2_020BA220
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00566CD5 push es; iretd 22_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00566DA2 push es; iretd 22_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565B95 push es; iretd 22_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00566CD5 push es; iretd 24_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00566DA2 push es; iretd 24_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565B95 push es; iretd 24_2_00566D4D
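The evidence lines above are two-byte opcode pairs: a one-byte push (general register, segment register or pushfd) immediately followed by a one-byte return (ret, retf or iretd). Segment pushes and iretd essentially never occur in user-mode compiler output, so a cluster of them means either packer-generated junk or a disassembler that has walked into data; either way the signal is a heuristic, not a verdict. As an added example (not the sandbox's detection code), the following Python scans a byte buffer for exactly these pairs and reports them in the report's own "push x; ret" form. The buffer it scans is constructed here to contain the five pairs the report lists plus ordinary prologue and epilogue bytes; the 0x00400000 base is an assumption.

```python
# One-byte push opcodes (IA-32): segment pushes, push r32 (0x50-0x57) and pushfd
PUSH_OPCODES = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x9C: "pushfd",
}
# One-byte return opcodes (ret imm16 / retf imm16 carry an operand but start with a single byte)
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd", 0xC2: "ret imm16", 0xCA: "retf imm16"}

# Constructed bytes, not taken from the sample: a normal prologue, the five pairs from the
# report interleaved with ordinary instructions, and a normal trailing ret (no push before it)
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,   # push ebp; mov ebp, esp   (benign prologue, must not match)
    0x54, 0xCB,         # push esp; retf
    0x90, 0x90,         # nop; nop
    0x9C, 0xCF,         # pushfd; iretd
    0x33, 0xC0,         # xor eax, eax
    0x50, 0xCB,         # push eax; retf
    0x16, 0xC3,         # push ss; ret
    0x06, 0xCB,         # push es; retf
    0xC3,               # ret                       (benign epilogue, must not match)
])


def find_push_ret_sequences(code: bytes, base: int = 0) -> list:
    """Return (virtual address, mnemonic pair) for every push immediately followed by a return."""
    hits = []
    for i in range(len(code) - 1):
        push, ret = PUSH_OPCODES.get(code[i]), RET_OPCODES.get(code[i + 1])
        if push and ret:
            hits.append((base + i, f"{push}; {ret}"))
    return hits


def hits_per_kib(code: bytes) -> float:
    """Density of push/ret pairs; a few per KiB is noise, dozens suggests junk code or data being scanned."""
    if not code:
        return 0.0
    return len(find_push_ret_sequences(code)) * 1024 / len(code)


if __name__ == "__main__":
    for va, text in find_push_ret_sequences(SAMPLE_CODE, 0x00400000):
        print(f"{va:08X} {text}")
    print(f"density: {hits_per_kib(SAMPLE_CODE):.1f} hits/KiB")
```

On a real section, pass the raw bytes of .text together with its virtual address (ImageBase + VirtualAddress) so the reported addresses line up with the report's 0_2_xxxxxxxx identifiers. Because the scan is byte-aligned rather than instruction-aligned, it also fires on immediates and data that happen to contain these byte values; treat the density, not any single hit, as the signal.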

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win (2 identical entries)
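The process tree recorded earlier (sample -> wscript.exe install.vbs -> cmd.exe /c -> win.exe from AppData\Roaming) and the HKCU Run value "win" above are the two observations a detection engineer would turn into rules. As an added example (not the sandbox's Sigma logic and not the actual "WScript or CScript Dropper" rule), the following Python runs three simplified checks over process-creation and registry events: a script host spawning a shell, an executable running from a drop directory with a script host anywhere in its ancestry, and a Run value pointing into a user-writable path. The events are constructed from the report's tree; the PIDs are invented, and the Run value's data is assumed to be the dropped path because the report shows only the value name. One detail the tree shows: the 32-bit parent asked for C:\Windows\System32\WScript.exe but got C:\Windows\SysWOW64\wscript.exe through file-system redirection, so rules should match on the image basename rather than the full path.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Lower-case path fragments of typical drop locations; Desktop is deliberately excluded
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\")

# Constructed process-creation events modelled on the report's process tree (PIDs invented)
PROC_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe"},
    {"pid": 104, "ppid": 100, "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe"},
    {"pid": 108, "ppid": 104, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'"},
    {"pid": 112, "ppid": 108, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'"},
    {"pid": 116, "ppid": 112, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 120, "ppid": 112, "image": r"C:\Users\user\AppData\Roaming\win.exe"},
    {"pid": 124, "ppid": 120, "image": r"C:\Users\user\AppData\Roaming\win.exe"},
    # benign control: explorer launching notepad must not be flagged
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 204, "ppid": 200, "image": r"C:\Windows\System32\notepad.exe"},
]
# Constructed registry event; the value name is from the report, the data is an assumption
REG_EVENTS = [
    {"pid": 100, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "win", "data": r"C:\Users\user\AppData\Roaming\win.exe"},
]


def _name(path: str) -> str:
    """Image basename, lower-cased, so SysWOW64 and System32 copies compare equal."""
    return ntpath.basename(path).lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def ancestors(pid: int, by_pid: dict):
    """Yield parent, grandparent, ... of pid; stops at unknown parents or PID reuse cycles."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        yield cur


def triage(proc_events: list, reg_events: list) -> list:
    """Return (rule, identifier) findings for a script-host dropper chain and Run-key persistence."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for e in proc_events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else ""
        # Rule 1: WScript/CScript directly spawning a command shell
        if parent_name in SCRIPT_HOSTS and name in SHELLS:
            findings.append(("script_host_spawns_shell", e["pid"]))
        # Rule 2: executable in a drop directory with a script host anywhere up the tree
        if _in_user_writable(e["image"]) and any(
                _name(a["image"]) in SCRIPT_HOSTS for a in ancestors(e["pid"], by_pid)):
            findings.append(("dropped_exe_under_script_host", e["pid"]))
    for r in reg_events:
        # Rule 3: a Run value whose data points into a user-writable location
        if r["key"].lower().endswith("\\currentversion\\run") and _in_user_writable(r["data"]):
            findings.append(("run_key_points_to_user_writable", r["value"]))
    return findings


if __name__ == "__main__":
    for rule, ident in triage(PROC_EVENTS, REG_EVENTS):
        print(f"{rule:34s} {ident}")
```

Rule 2 is the one that survives the intermediate cmd.exe hop: win.exe's parent is cmd.exe, not the script host, so a parent-only check would miss it. Real telemetry (Sysmon event IDs 1 and 13, or EDR equivalents) carries the same pid/ppid/image/key fields these dictionaries model.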

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX (25 identical entries)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess, 0_2_020B0CBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA, 0_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4520 NtWriteVirtualMemory, 18_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4948 NtWriteVirtualMemory, 18_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8D5C 18_2_020B8D5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B116C D3DKMTSetStablePowerState,TerminateProcess, 18_2_020B116C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B317B 18_2_020B317B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8D7E 18_2_020B8D7E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4570 NtWriteVirtualMemory, 18_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4D83 NtWriteVirtualMemory, 18_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4985 NtWriteVirtualMemory, 18_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0D91 D3DKMTSetStablePowerState,TerminateProcess, 18_2_020B0D91
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45B5 NtWriteVirtualMemory, 18_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8DC3 18_2_020B8DC3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B4DE9 NtWriteVirtualMemory, 18_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B0DEF D3DKMTSetStablePowerState,TerminateProcess, 18_2_020B0DEF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45E0 NtWriteVirtualMemory, 18_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45E4 NtWriteVirtualMemory, 18_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B45F9 NtWriteVirtualMemory, 18_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8DFF 18_2_020B8DFF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B31F4 18_2_020B31F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B49F4 NtWriteVirtualMemory, 18_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory, 22_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560C5B D3DKMTSetStablePowerState, 22_2_00560C5B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564847 22_2_00564847
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568C44 22_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056104C D3DKMTSetStablePowerState, 22_2_0056104C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056147F D3DKMTSetStablePowerState, 22_2_0056147F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568C6D 22_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564C68 22_2_00564C68
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564C16 22_2_00564C16
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561407 D3DKMTSetStablePowerState, 22_2_00561407
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561437 D3DKMTSetStablePowerState, 22_2_00561437
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560C25 D3DKMTSetStablePowerState, 22_2_00560C25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568CDA 22_2_00568CDA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560CC1 D3DKMTSetStablePowerState, 22_2_00560CC1
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005644CF 22_2_005644CF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005610CB D3DKMTSetStablePowerState, 22_2_005610CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560CF3 D3DKMTSetStablePowerState, 22_2_00560CF3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005628FE LoadLibraryA, 22_2_005628FE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564CE4 22_2_00564CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005648E3 22_2_005648E3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005614E8 D3DKMTSetStablePowerState, 22_2_005614E8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561094 D3DKMTSetStablePowerState, 22_2_00561094
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564899 22_2_00564899
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560CA6 D3DKMTSetStablePowerState, 22_2_00560CA6
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568D5C 22_2_00568D5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564948 22_2_00564948
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564570 22_2_00564570
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568D7E 22_2_00568D7E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056116C D3DKMTSetStablePowerState, 22_2_0056116C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568D14 22_2_00568D14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561120 D3DKMTSetStablePowerState, 22_2_00561120
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564520 22_2_00564520
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561D2E LoadLibraryA, 22_2_00561D2E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056152D 22_2_0056152D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564D2A 22_2_00564D2A
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005645D2 22_2_005645D2
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568DC3 22_2_00568DC3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005649F4 22_2_005649F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568DFF 22_2_00568DFF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005645F9 22_2_005645F9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005645E4 22_2_005645E4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560DEF D3DKMTSetStablePowerState, 22_2_00560DEF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564DE9 22_2_00564DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560D91 D3DKMTSetStablePowerState, 22_2_00560D91
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564985 22_2_00564985
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564D83 22_2_00564D83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560E4D D3DKMTSetStablePowerState, 22_2_00560E4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00567E78 22_2_00567E78
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561265 D3DKMTSetStablePowerState, 22_2_00561265
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561204 D3DKMTSetStablePowerState, 22_2_00561204
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564E36 22_2_00564E36
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00563E30 22_2_00563E30
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564638 22_2_00564638
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564A27 22_2_00564A27
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561ED7 22_2_00561ED7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005646D3 22_2_005646D3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005612DC D3DKMTSetStablePowerState, 22_2_005612DC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564A97 22_2_00564A97
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564694 22_2_00564694
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564E99 22_2_00564E99
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560E80 D3DKMTSetStablePowerState, 22_2_00560E80
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560EB3 D3DKMTSetStablePowerState, 22_2_00560EB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564AAB 22_2_00564AAB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564B5C 22_2_00564B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056136B D3DKMTSetStablePowerState, 22_2_0056136B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564F14 22_2_00564F14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00561313 D3DKMTSetStablePowerState, 22_2_00561313
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564B00 22_2_00564B00
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00562B01 22_2_00562B01
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00562F3E GetEnvironmentStringsW,LoadLibraryA, 22_2_00562F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560F2F D3DKMTSetStablePowerState, 22_2_00560F2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564B2D 22_2_00564B2D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005613C4 D3DKMTSetStablePowerState, 22_2_005613C4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_005647F4 22_2_005647F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560FEB D3DKMTSetStablePowerState, 22_2_00560FEB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564797 22_2_00564797
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00560F9B D3DKMTSetStablePowerState, 22_2_00560F9B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00564BB0 22_2_00564BB0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568BBE 22_2_00568BBE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory, 24_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560C5B D3DKMTSetStablePowerState, 24_2_00560C5B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564847 24_2_00564847
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568C44 24_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056104C D3DKMTSetStablePowerState, 24_2_0056104C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056147F D3DKMTSetStablePowerState, 24_2_0056147F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568C6D 24_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564C68 24_2_00564C68
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564C16 24_2_00564C16
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561407 D3DKMTSetStablePowerState, 24_2_00561407
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561437 D3DKMTSetStablePowerState, 24_2_00561437
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560C25 D3DKMTSetStablePowerState, 24_2_00560C25
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568CDA 24_2_00568CDA
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560CC1 D3DKMTSetStablePowerState, 24_2_00560CC1
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005644CF 24_2_005644CF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005610CB D3DKMTSetStablePowerState, 24_2_005610CB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560CF3 D3DKMTSetStablePowerState, 24_2_00560CF3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005628FE LoadLibraryA, 24_2_005628FE
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564CE4 24_2_00564CE4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005648E3 24_2_005648E3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005614E8 D3DKMTSetStablePowerState, 24_2_005614E8
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561094 D3DKMTSetStablePowerState, 24_2_00561094
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564899 24_2_00564899
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560CA6 D3DKMTSetStablePowerState, 24_2_00560CA6
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568D5C 24_2_00568D5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564948 24_2_00564948
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564570 24_2_00564570
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568D7E 24_2_00568D7E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056116C D3DKMTSetStablePowerState, 24_2_0056116C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568D14 24_2_00568D14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561120 D3DKMTSetStablePowerState, 24_2_00561120
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564520 24_2_00564520
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561D2E LoadLibraryA, 24_2_00561D2E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056152D 24_2_0056152D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564D2A 24_2_00564D2A
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005645D2 24_2_005645D2
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568DC3 24_2_00568DC3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005649F4 24_2_005649F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568DFF 24_2_00568DFF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005645F9 24_2_005645F9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005645E4 24_2_005645E4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560DEF D3DKMTSetStablePowerState, 24_2_00560DEF
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564DE9 24_2_00564DE9
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560D91 D3DKMTSetStablePowerState, 24_2_00560D91
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564985 24_2_00564985
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564D83 24_2_00564D83
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560E4D D3DKMTSetStablePowerState, 24_2_00560E4D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00567E78 24_2_00567E78
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561265 D3DKMTSetStablePowerState, 24_2_00561265
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561204 D3DKMTSetStablePowerState, 24_2_00561204
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564E36 24_2_00564E36
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00563E30 24_2_00563E30
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564638 24_2_00564638
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564A27 24_2_00564A27
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561ED7 24_2_00561ED7
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005646D3 24_2_005646D3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005612DC D3DKMTSetStablePowerState, 24_2_005612DC
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564A97 24_2_00564A97
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564694 24_2_00564694
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564E99 24_2_00564E99
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560E80 D3DKMTSetStablePowerState, 24_2_00560E80
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560EB3 D3DKMTSetStablePowerState, 24_2_00560EB3
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564AAB 24_2_00564AAB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564B5C 24_2_00564B5C
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056136B D3DKMTSetStablePowerState, 24_2_0056136B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564F14 24_2_00564F14
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00561313 D3DKMTSetStablePowerState, 24_2_00561313
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564B00 24_2_00564B00
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00562B01 24_2_00562B01
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00562F3E GetEnvironmentStringsW,LoadLibraryA, 24_2_00562F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560F2F D3DKMTSetStablePowerState, 24_2_00560F2F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564B2D 24_2_00564B2D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005613C4 D3DKMTSetStablePowerState, 24_2_005613C4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_005647F4 24_2_005647F4
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560FEB D3DKMTSetStablePowerState, 24_2_00560FEB
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564797 24_2_00564797
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00560F9B D3DKMTSetStablePowerState, 24_2_00560F9B
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00564BB0 24_2_00564BB0
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568BBE 24_2_00568BBE
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C37BB12h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A9ACC second address: 00000000007A9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A900A second address: 00000000007A9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A9059 second address: 00000000007A9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A9138 second address: 00000000007A9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A5970 second address: 00000000007A5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A7FD6 second address: 00000000007A7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A47AA second address: 00000000007A7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C8016E6h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C8016E2h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C804ADEh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A5549 second address: 00000000007A5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A53C5 second address: 00000000007A53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A57E9 second address: 00000000007A57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\win.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\win.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B8640 second address: 00000000020B8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C37BB12h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B4EE7 second address: 00000000020B4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C37BB12h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C8016E2h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C801BD8h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C8016E2h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C8016E2h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C37BB40h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C37BE0Ch 0x00000042 jmp 00007F430C37BB16h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe RDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C8016AAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B8640 second address: 00000000020B8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A8640 second address: 00000000007A8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A9ACC second address: 00000000007A9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A900A second address: 00000000007A9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A9059 second address: 00000000007A9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A9138 second address: 00000000007A9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A5970 second address: 00000000007A5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A7FD6 second address: 00000000007A7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A47AA second address: 00000000007A7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C8016E6h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C8016E2h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C804ADEh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A5549 second address: 00000000007A5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A4EE7 second address: 00000000007A4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C8016E2h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B4EE7 second address: 00000000020B4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C8016E2h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A53C5 second address: 00000000007A53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000007A57E9 second address: 00000000007A57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C8016E2h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C801BD8h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C8016E2h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C8016E2h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C801710h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C8019DCh 0x00000042 jmp 00007F430C8016E6h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe RDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C37BADAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc
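The interceptor records above bracket a stretch of code between two rdtsc reads and compare the deltas. A cpuid inside the bracket (first record) makes the delta measure a VM exit, which is what the "CPUID execution measurement" signature refers to; lfence beside each read (last record) orders the reads against the byte-patching loop they surround. The fourth record dereferences fs:[30h] (the PEB), then +0x0C (Ldr) and +0x0C again (InLoadOrderModuleList.Flink), and writes +0x18, +0x1C and +0x20 of that entry, which in the 32-bit LDR_DATA_TABLE_ENTRY layout are DllBase, EntryPoint and SizeOfImage, with EntryPoint computed as base plus an offset. The Python below is an added example, not code from this report, the sandbox or the sample: it parses records of this shape (three copied from above as sample input) and names what each bracket contains. The TimingCheck type, the cmp/test padding count and the classification strings are this example's own.

```python
"""Classify the RDTSC timing-check sequences listed in a sandbox report.

Added example for this report, not code from the sandbox or the sample. It
parses "RDTSC instruction interceptor" records and reports what each
rdtsc ... rdtsc bracket contains, so cpuid-in-window checks, lfence-serialised
reads and PEB walks can be told apart without reading every listing by hand.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input copied from this report: two full listings and one empty record.
REPORT_LINES = [
    "Source: C:\\Users\\user\\AppData\\Roaming\\win.exe RDTSC instruction interceptor: "
    "First address: 0000000000563B90 second address: 0000000000563B90 instructions: "
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax "
    "0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h "
    "0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h "
    "0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C37BADAh 0x0000001c test dx, ax "
    "0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad "
    "0x00000025 lfence 0x00000028 rdtsc",
    "Source: C:\\Users\\user\\AppData\\Roaming\\win.exe RDTSC instruction interceptor: "
    "First address: 000000000056379A second address: 000000000056383C instructions: "
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] "
    "0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] "
    "0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl "
    "0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] "
    "0x00000021 jmp 00007F430C801710h 0x00000023 mov dword ptr [eax+20h], ecx "
    "0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi "
    "0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi "
    "0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C8019DCh "
    "0x00000042 jmp 00007F430C8016E6h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad "
    "0x0000004b mov edi, 000000E1h 0x00000050 rdtsc",
    "Source: C:\\Users\\user\\AppData\\Roaming\\win.exe RDTSC instruction interceptor: "
    "First address: 00000000005632A1 second address: 00000000005632A1 instructions:",
]

HEADER_RE = re.compile(
    r"^Source: (?P<source>.+?) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions:\s*(?P<listing>.*)$"
)
# One instruction is "0x<8 hex digits> <text>". Operands never start with "0x"
# (immediates carry a trailing "h"), so the next offset token ends the text.
INSTR_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.*?)(?= 0x[0-9A-Fa-f]{8} |$)")
COND_JUMP_RE = re.compile(r"^j(?!mp\b)[a-z]+\b")  # jcc, but not jmp


@dataclass
class TimingCheck:
    source: str
    first: int
    second: int
    instructions: List[str]
    brackets_rdtsc: bool  # listing starts and ends with rdtsc: a delta measurement
    cpuid_inside: bool    # cpuid between the two reads: the delta measures a VM exit
    serialised: bool      # lfence beside rdtsc: reads are ordered against earlier work
    reads_peb: bool       # fs:[30h] dereferenced inside the measured window
    padding_flags: int    # cmp/test whose flags no conditional jump consumes


def parse_timing_check(line: str) -> Optional[TimingCheck]:
    """Parse one interceptor record; return None for lines of another kind."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    instrs = [text.strip() for _, text in INSTR_RE.findall(m["listing"])]
    mnemonics = [i.split()[0] for i in instrs]
    padding = 0
    for idx, mnemonic in enumerate(mnemonics):
        if mnemonic in ("cmp", "test"):
            following = mnemonics[idx + 1] if idx + 1 < len(mnemonics) else ""
            if not COND_JUMP_RE.match(following):
                padding += 1
    return TimingCheck(
        source=m["source"],
        first=int(m["first"], 16),
        second=int(m["second"], 16),
        instructions=instrs,
        brackets_rdtsc=len(mnemonics) >= 2 and mnemonics[0] == mnemonics[-1] == "rdtsc",
        cpuid_inside="cpuid" in mnemonics,
        serialised="lfence" in mnemonics,
        reads_peb=any("fs:[00000030h]" in i for i in instrs),
        padding_flags=padding,
    )


def classify(check: TimingCheck) -> str:
    """Name the kind of timing check, most specific first."""
    if not check.brackets_rdtsc:
        return "no measurement window recorded"
    if check.cpuid_inside:
        return "VM-exit timing: cpuid inside the rdtsc bracket"
    if check.serialised:
        return "serialised timing: lfence beside each rdtsc"
    return "plain rdtsc delta"
```

Run it over the records with `[classify(parse_timing_check(l)) for l in REPORT_LINES]`. The padding count is a useful second signal: compare/test instructions whose flags nothing consumes are the "dummy instruction sequence" padding that the report's RDTSC signature refers to, and they inflate the measured window on an emulator without changing the result.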
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0816 rdtsc 0_2_020B0816
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\win.exe Window / User API: threadDelayed 580 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\win.exe TID: 6324 Thread sleep count: 580 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe TID: 6324 Thread sleep time: -5800000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\win.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\win.exe Last function: Thread delayed
Source: win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462534085.000000000084E000.00000004.00000020.sdmp, win.exe, 00000016.00000002.670720058.00000000008D7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0816 rdtsc 0_2_020B0816
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5B95 LdrInitializeThunk, 0_2_020B5B95
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2F3E mov eax, dword ptr fs:[00000030h] 0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3B6F mov eax, dword ptr fs:[00000030h] 0_2_020B3B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3B60 mov eax, dword ptr fs:[00000030h] 0_2_020B3B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3774 mov eax, dword ptr fs:[00000030h] 0_2_020B3774
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5843 mov eax, dword ptr fs:[00000030h] 0_2_020B5843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8C44 mov eax, dword ptr fs:[00000030h] 0_2_020B8C44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8C6D mov eax, dword ptr fs:[00000030h] 0_2_020B8C6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B7C70 mov eax, dword ptr fs:[00000030h] 0_2_020B7C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B813E mov eax, dword ptr fs:[00000030h] 0_2_020B813E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2F3E mov eax, dword ptr fs:[00000030h] 16_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3B6F mov eax, dword ptr fs:[00000030h] 16_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3B60 mov eax, dword ptr fs:[00000030h] 16_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3774 mov eax, dword ptr fs:[00000030h] 16_2_020B3774
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5843 mov eax, dword ptr fs:[00000030h] 16_2_020B5843
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8C44 mov eax, dword ptr fs:[00000030h] 16_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8C6D mov eax, dword ptr fs:[00000030h] 16_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B7C70 mov eax, dword ptr fs:[00000030h] 16_2_020B7C70
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B813E mov eax, dword ptr fs:[00000030h] 16_2_020B813E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A7C70 mov eax, dword ptr fs:[00000030h] 17_2_007A7C70
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8C6D mov eax, dword ptr fs:[00000030h] 17_2_007A8C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5843 mov eax, dword ptr fs:[00000030h] 17_2_007A5843
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8C44 mov eax, dword ptr fs:[00000030h] 17_2_007A8C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A813E mov eax, dword ptr fs:[00000030h] 17_2_007A813E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3774 mov eax, dword ptr fs:[00000030h] 17_2_007A3774
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3B6F mov eax, dword ptr fs:[00000030h] 17_2_007A3B6F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3B60 mov eax, dword ptr fs:[00000030h] 17_2_007A3B60
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2F3E mov eax, dword ptr fs:[00000030h] 17_2_007A2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B2F3E mov eax, dword ptr fs:[00000030h] 18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3B6F mov eax, dword ptr fs:[00000030h] 18_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3B60 mov eax, dword ptr fs:[00000030h] 18_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B3774 mov eax, dword ptr fs:[00000030h] 18_2_020B3774
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B5843 mov eax, dword ptr fs:[00000030h] 18_2_020B5843
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8C44 mov eax, dword ptr fs:[00000030h] 18_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B8C6D mov eax, dword ptr fs:[00000030h] 18_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B7C70 mov eax, dword ptr fs:[00000030h] 18_2_020B7C70
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 18_2_020B813E mov eax, dword ptr fs:[00000030h] 18_2_020B813E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00563B60 mov eax, dword ptr fs:[00000030h] 22_2_00563B60
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568C44 mov eax, dword ptr fs:[00000030h] 22_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565843 mov eax, dword ptr fs:[00000030h] 22_2_00565843
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00567C70 mov eax, dword ptr fs:[00000030h] 22_2_00567C70
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00568C6D mov eax, dword ptr fs:[00000030h] 22_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_0056813E mov eax, dword ptr fs:[00000030h] 22_2_0056813E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00563774 mov eax, dword ptr fs:[00000030h] 22_2_00563774
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00563B6F mov eax, dword ptr fs:[00000030h] 22_2_00563B6F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00562F3E mov eax, dword ptr fs:[00000030h] 22_2_00562F3E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00563B60 mov eax, dword ptr fs:[00000030h] 24_2_00563B60
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568C44 mov eax, dword ptr fs:[00000030h] 24_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565843 mov eax, dword ptr fs:[00000030h] 24_2_00565843
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00567C70 mov eax, dword ptr fs:[00000030h] 24_2_00567C70
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00568C6D mov eax, dword ptr fs:[00000030h] 24_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_0056813E mov eax, dword ptr fs:[00000030h] 24_2_0056813E
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00563774 mov eax, dword ptr fs:[00000030h] 24_2_00563774
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00563B6F mov eax, dword ptr fs:[00000030h] 24_2_00563B6F
Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00562F3E mov eax, dword ptr fs:[00000030h] 24_2_00562F3E

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe' Jump to behavior
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp Binary or memory string: Program Manager
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp Binary or memory string: Program Manager Started
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp Binary or memory string: Program Managerer ]
Source: logs.dat.23.dr Binary or memory string: [ Program Manager ]
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp Binary or memory string: Program Manager&Hmg

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9FF7 cpuid 0_2_020B9FF7
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\c20d61befcda487dbc17044b70fd3bfd_1 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\d572bee68d954d8f906b98a2e017f820_1 VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: win.exe PID: 2796, type: MEMORY