
Windows Analysis Report gLO4rDsniT

Overview

General Information

Sample Name: gLO4rDsniT (renamed file extension from none to exe)
Analysis ID: 483687
MD5: ebcd5648eab5a3214ec61d4bed956a36
SHA1: b2a43a1489ce76373df3ba5e4ba54172a6cc92f4
SHA256: bef7f97dcb40fd71e9a9fca6f43389749245f17e7a3092219d20217b8ad8e36a
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • gLO4rDsniT.exe (PID: 6308 cmdline: 'C:\Users\user\Desktop\gLO4rDsniT.exe' MD5: EBCD5648EAB5A3214EC61D4BED956A36)
    • powershell.exe (PID: 6740 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gLO4rDsniT.exe (PID: 3880 cmdline: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe MD5: EBCD5648EAB5A3214EC61D4BED956A36)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.inboundtechnology.net/b9qq/"], "decoy": ["tmalborz.com", "jiutianbath.com", "yazdir.info", "budget.sucks", "harman-enterprises.com", "kedaidaging.com", "exiteight.com", "urpropertymanager.com", "tomorrowsrider.com", "otlpro.com", "shopfunda.com", "xinhaojc1998.com", "fyqyzs.com", "legal-plaza.net", "bonmarchefr.net", "3bestrehab.com", "riyadhalnarjes.com", "bharateeyaswasrayadarshan.com", "inchingforhelp.com", "lojongdev.com", "jonathanbrowndrums.com", "rongnhonhatban.online", "gelora.site", "shirleyswigsinc.com", "pepsi-vm.com", "lovabubble.com", "wwwburlingtontownshipcourts.com", "findousd.com", "santavitrine.com", "sabaidiver.com", "actionclassiccars.com", "comdevfund.info", "geomasala.com", "leviathanpursuits.net", "fenrirnoise.com", "planeadvisory.com", "goehub.com", "greyriverstay.com", "monikalupaczewska.com", "yournorwegiancourse.com", "xn--hgbque4i.com", "topdex.info", "canvasgoogle.com", "leal-am.com", "peach-dev.finance", "us-phoneprotection.com", "nek.cool", "oraclenailstucson.com", "bloortoqueen.com", "hfhscn.com", "grooveautohacking.com", "getallentownpets.com", "storiesofablonde.com", "assistance-habitation.com", "aandzauto.services", "eating4mentalhealth.com", "getcareerpower.com", "hayokapan.com", "georgestuff.com", "manage-autpypl-account.com", "cjbwxs.com", "goodgly.com", "toptoffee.com", "salonefestival.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x4695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x4797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x33fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xa82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x66b9:$sqlite3step: 68 34 1C 7B E1
  • 0x67cc:$sqlite3step: 68 34 1C 7B E1
  • 0x66e8:$sqlite3text: 68 38 2A 90 C5
  • 0x680d:$sqlite3text: 68 38 2A 90 C5
  • 0x66fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6823:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.gLO4rDsniT.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
24.2.gLO4rDsniT.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
24.2.gLO4rDsniT.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
24.2.gLO4rDsniT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
24.2.gLO4rDsniT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine|base64offset|contains: Jy, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\gLO4rDsniT.exe' , ParentImage: C:\Users\user\Desktop\gLO4rDsniT.exe, ParentProcessId: 6308, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, ProcessId: 6740
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132762045907911739.6740.DefaultAppDomain.powershell

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.inboundtechnology.net/b9qq/"], "decoy": ["tmalborz.com", "jiutianbath.com", "yazdir.info", "budget.sucks", "harman-enterprises.com", "kedaidaging.com", "exiteight.com", "urpropertymanager.com", "tomorrowsrider.com", "otlpro.com", "shopfunda.com", "xinhaojc1998.com", "fyqyzs.com", "legal-plaza.net", "bonmarchefr.net", "3bestrehab.com", "riyadhalnarjes.com", "bharateeyaswasrayadarshan.com", "inchingforhelp.com", "lojongdev.com", "jonathanbrowndrums.com", "rongnhonhatban.online", "gelora.site", "shirleyswigsinc.com", "pepsi-vm.com", "lovabubble.com", "wwwburlingtontownshipcourts.com", "findousd.com", "santavitrine.com", "sabaidiver.com", "actionclassiccars.com", "comdevfund.info", "geomasala.com", "leviathanpursuits.net", "fenrirnoise.com", "planeadvisory.com", "goehub.com", "greyriverstay.com", "monikalupaczewska.com", "yournorwegiancourse.com", "xn--hgbque4i.com", "topdex.info", "canvasgoogle.com", "leal-am.com", "peach-dev.finance", "us-phoneprotection.com", "nek.cool", "oraclenailstucson.com", "bloortoqueen.com", "hfhscn.com", "grooveautohacking.com", "getallentownpets.com", "storiesofablonde.com", "assistance-habitation.com", "aandzauto.services", "eating4mentalhealth.com", "getcareerpower.com", "hayokapan.com", "georgestuff.com", "manage-autpypl-account.com", "cjbwxs.com", "goodgly.com", "toptoffee.com", "salonefestival.com"]}
Multi AV Scanner detection for submitted file
Source: gLO4rDsniT.exe | Virustotal: Detection: 32%
Source: gLO4rDsniT.exe | ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match | File source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: gLO4rDsniT.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Joe Sandbox ML: detected
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: gLO4rDsniT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: gLO4rDsniT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: gLO4rDsniT.exe, 00000018.00000002.544829153.00000000014EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: gLO4rDsniT.exe
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: gLO4rDsniT.exe
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: gLO4rDsniT.exe

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.inboundtechnology.net/b9qq/
Source: gLO4rDsniT.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: gLO4rDsniT.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: gLO4rDsniT.exe | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: gLO4rDsniT.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: gLO4rDsniT.exe | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: gLO4rDsniT.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: gLO4rDsniT.exe | String found in binary or memory: http://ocsp.digicert.com0K
Source: gLO4rDsniT.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: gLO4rDsniT.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gLO4rDsniT.exe, 00000001.00000002.466072258.0000000002B8C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.371504237.0000000004E51000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.374276316.00000000056CB000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: gLO4rDsniT.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: gLO4rDsniT.exe | String found in binary or memory: https://www.newtonsoft.com/json
Source: gLO4rDsniT.exe | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: gLO4rDsniT.exe | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: gLO4rDsniT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Code function: 1_2_07024080
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Code function: 1_2_07024070
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Code function: 1_2_07025C89
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Code function: 1_2_006F3ECE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04D8CEB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04D88B58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04D88B4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04D8DA78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04D8DA68
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00401030
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041BAC7
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041CBDC
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00408C5C
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041B5E8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_013FF900
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01414120
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014199BF
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_013F6800
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B1002
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014CE824
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0141A830
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C28EC
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0140B090
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014220A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C20A8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0141AB40
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0149CB4F
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01413360
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0141A309
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B231B
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C2B28
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B03DA
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014BDBD2
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0142ABD8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014A23E3
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01448BE8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0149EB8A
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0142138B
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0141EB9A
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0142EBB0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014AFA2B
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0141B236
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014BE2C5
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B4AEF
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C22AE
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C32A9
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01412D50
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C1D55
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_013F0D20
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C2D07
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C25DD
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0140D5E0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01422581
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B2D82
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014265A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014BD466
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0141B477
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0140841F
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B4496
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014CDFCE
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014B67E2
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014C1FF1
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01415600
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014BD616
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00963ECE
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: String function: 01485720 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: String function: 0144D08C appears 41 times
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: String function: 013FB150 appears 154 times
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_004181C0 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00418270 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_004182F0 NtClose
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_004183A0 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_004182EA NtClose
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041839D NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014399A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014395D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014396E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439950 NtQueueApcThread
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014399D0 NtCreateProcessEx
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0143B040 NtSuspendThread
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439840 NtDelayExecution
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439820 NtEnumerateKey
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014398F0 NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014398A0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439B00 NtSetValueKey
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0143A3B0 NtGetContextThread
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439A10 NtQuerySection
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439A20 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439A80 NtOpenDirectoryObject
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439540 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439560 NtWriteFile
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439520 NtWaitForSingleObject
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0143AD30 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014395F0 NtQueryInformationFile
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439760 NtOpenProcess
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0143A770 NtOpenThread
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439770 NtSetInformationFile
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0143A710 NtOpenProcessToken
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439730 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_014397A0 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439650 NtQueryValueKey
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439670 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_01439610 NtEnumerateValueKey
Source: gLO4rDsniT.exe | Binary or memory string: OriginalFilename vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000002.464892605.0000000001030000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameEldvvwydeqtuviuraf.dllF vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000002.463955476.0000000000CA0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameVxddsbqhvdmitgr.dll" vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000000.238967806.00000000006F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000000.238967806.00000000006F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBEB.exe0 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000002.466492327.0000000002C92000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe | Binary or memory string: OriginalFilename vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000018.00000002.544829153.00000000014EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000018.00000002.543650246.0000000000962000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000018.00000002.543650246.0000000000962000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBEB.exe0 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe | Binary or memory string: OriginalFilenameBEB.exe0 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gLO4rDsniT.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gLO4rDsniT.exe | Virustotal: Detection: 32%
Source: gLO4rDsniT.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | File read: C:\Users\user\Desktop\gLO4rDsniT.exe
Source: gLO4rDsniT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\gLO4rDsniT.exe 'C:\Users\user\Desktop\gLO4rDsniT.exe'
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Process created: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Process created: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gLO4rDsniT.exe.log
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | File created: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/0
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: gLO4rDsniT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: gLO4rDsniT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: gLO4rDsniT.exe, 00000018.00000002.544829153.00000000014EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: gLO4rDsniT.exe
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: gLO4rDsniT.exe
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: gLO4rDsniT.exe
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Code function: 1_2_07027177 push edi; ret 1_2_07027179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04D8326F push dword ptr [esp+ecx*2-75h]; ret 6_2_04D83273
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041612D push esp; ret 24_2_0041612E
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0040F371 push cs; retf 24_2_0040F377
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041B3B5 push eax; ret 24_2_0041B408
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041B46C push eax; ret 24_2_0041B472
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041B402 push eax; ret 24_2_0041B408
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0041B40B push eax; ret 24_2_0041B472
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_00419C9C push eax; iretd 24_2_00419C9D
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe | Code function: 24_2_0144D0D1 push ecx; ret 24_2_0144D0E4
Source: initial sample | Static PE information: section name: .text entropy: 7.11687874343
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | File created: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe
Source: C:\Users\user\Desktop\gLO4rDsniT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\gLO4rDsniT.exe TID: 6312 Thread sleep time: -34000s >= -30000s
          Source: C:\Users\user\Desktop\gLO4rDsniT.exe TID: 6392 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\gLO4rDsniT.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2312
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2041
          Source: C:\Users\user\Desktop\gLO4rDsniT.exe Process information queried: ProcessInformation
          Source: powershell.exe, 00000006.00000002.372800204.0000000005294000.00000004.00000001.sdmp Binary or memory string: Hyper-V
          Source: explorer.exe, 00000019.00000000.478669261.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000019.00000000.478669261.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000019.00000000.469435502.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000019.00000000.497503166.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000019.00000000.472332532.00000000053D7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000019.00000000.497503166.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: C:\Users\user\Desktop\gLO4rDsniT.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0141B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F3138 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014B1951 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014BE962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014C8966 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01400100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013FC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01414120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F395E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0142513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014B19D8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014841E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F519E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F519E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014C89E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014BA189 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014BA189 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0141C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0142A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01422990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01424190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F31E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014769A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014B49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014B1843 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01410050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0141F86D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014B2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014C1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F6800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01424020 mov edi, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F7057 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0140B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0142002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F5050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0141A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014B18CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0148B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0148B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0141B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014028FD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F3880 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01473884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014028AE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014028AE mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0142F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0142F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_013F70C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_014C8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01423B5A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01486365 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_0140F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe Code function: 24_2_01423B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01423B7A mov eax, dword ptr fs:[00000030h]24_2_01423B7A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141A309 mov eax, dword ptr fs:[00000030h]24_2_0141A309
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014B131B mov eax, dword ptr fs:[00000030h]24_2_014B131B
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013FDB60 mov ecx, dword ptr fs:[00000030h]24_2_013FDB60
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013FF358 mov eax, dword ptr fs:[00000030h]24_2_013FF358
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013FDB40 mov eax, dword ptr fs:[00000030h]24_2_013FDB40
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014253C5 mov eax, dword ptr fs:[00000030h]24_2_014253C5
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014753CA mov eax, dword ptr fs:[00000030h]24_2_014753CA
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014753CA mov eax, dword ptr fs:[00000030h]24_2_014753CA
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014203E2 mov eax, dword ptr fs:[00000030h]24_2_014203E2
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014203E2 mov eax, dword ptr fs:[00000030h]24_2_014203E2
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014203E2 mov eax, dword ptr fs:[00000030h]24_2_014203E2
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014203E2 mov eax, dword ptr fs:[00000030h]24_2_014203E2
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014203E2 mov eax, dword ptr fs:[00000030h]24_2_014203E2
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014203E2 mov eax, dword ptr fs:[00000030h]24_2_014203E2
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141DBE9 mov eax, dword ptr fs:[00000030h]24_2_0141DBE9
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014A23E3 mov ecx, dword ptr fs:[00000030h]24_2_014A23E3
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014A23E3 mov ecx, dword ptr fs:[00000030h]24_2_014A23E3
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014A23E3 mov eax, dword ptr fs:[00000030h]24_2_014A23E3
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013F4B94 mov edi, dword ptr fs:[00000030h]24_2_013F4B94
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014B138A mov eax, dword ptr fs:[00000030h]24_2_014B138A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0149EB8A mov ecx, dword ptr fs:[00000030h]24_2_0149EB8A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0149EB8A mov eax, dword ptr fs:[00000030h]24_2_0149EB8A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0149EB8A mov eax, dword ptr fs:[00000030h]24_2_0149EB8A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0149EB8A mov eax, dword ptr fs:[00000030h]24_2_0149EB8A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0142138B mov eax, dword ptr fs:[00000030h]24_2_0142138B
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0142138B mov eax, dword ptr fs:[00000030h]24_2_0142138B
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0142138B mov eax, dword ptr fs:[00000030h]24_2_0142138B
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014AD380 mov ecx, dword ptr fs:[00000030h]24_2_014AD380
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01401B8F mov eax, dword ptr fs:[00000030h]24_2_01401B8F
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01401B8F mov eax, dword ptr fs:[00000030h]24_2_01401B8F
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0142B390 mov eax, dword ptr fs:[00000030h]24_2_0142B390
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01422397 mov eax, dword ptr fs:[00000030h]24_2_01422397
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013F1BE9 mov eax, dword ptr fs:[00000030h]24_2_013F1BE9
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141EB9A mov eax, dword ptr fs:[00000030h]24_2_0141EB9A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_0141EB9A mov eax, dword ptr fs:[00000030h]24_2_0141EB9A
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014B1BA8 mov eax, dword ptr fs:[00000030h]24_2_014B1BA8
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014C5BA5 mov eax, dword ptr fs:[00000030h]24_2_014C5BA5
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01424BAD mov eax, dword ptr fs:[00000030h]24_2_01424BAD
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01424BAD mov eax, dword ptr fs:[00000030h]24_2_01424BAD
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01424BAD mov eax, dword ptr fs:[00000030h]24_2_01424BAD
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014C9BBE mov eax, dword ptr fs:[00000030h]24_2_014C9BBE
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014C8BB6 mov eax, dword ptr fs:[00000030h]24_2_014C8BB6
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013F8239 mov eax, dword ptr fs:[00000030h]24_2_013F8239
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013F8239 mov eax, dword ptr fs:[00000030h]24_2_013F8239
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013F8239 mov eax, dword ptr fs:[00000030h]24_2_013F8239
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014B1A5F mov eax, dword ptr fs:[00000030h]24_2_014B1A5F
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_014BEA55 mov eax, dword ptr fs:[00000030h]24_2_014BEA55
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_01484257 mov eax, dword ptr fs:[00000030h]24_2_01484257
          Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exeCode function: 24_2_013F4A20 mov eax, dword ptr fs:[00000030h]2