Windows Analysis Report
z8eokahasflcrscooplasb.exe

Overview

General Information

Sample name:	z8eokahasflcrscooplasb.exe
Analysis ID:	1544269
MD5:	1660c33123052f15e4e63891f23ddd1e
SHA1:	3b93eb0499260f494066d6a28f1238c1c440b04f
SHA256:	44ab353624b9e867ae31a0523437ed8e321f361d248b471c15bd2902255280f3
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z8eokahasflcrscooplasb.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Avira: detection malicious, Label: HEUR/AGEN.1309540

Found malware configuration

Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.31231851.xyz/dn13/"], "decoy": ["5q53s.top", "f9813.top", "ysticsmoke.net", "ignorysingeysquints.cfd", "yncsignature.live", "svp-their.xyz", "outya.xyz", "wlkflwef3sf2wf.top", "etterjugfetkaril.cfd", "p9eh2s99b5.top", "400108iqlnnqi219.top", "ynsu-condition.xyz", "ndividual-bfiaen.xyz", "anceibizamagazine.net", "itrussips.live", "orkcubefood.xyz", "lindsandfurnishings.shop", "ajwmid.top", "pigramescentfeatous.shop", "mbvcv56789.click", "rmei2-cnpj.website", "81uu.top", "cis.services", "ptionsxpress-17520.vip", "ltimatraceglow.vip", "apu4dmain.cfd", "hckc-sell.xyz", "nough-smae.xyz", "fsoiw-hotel.xyz", "mile-hkajwx.xyz", "ay-hbcsg.xyz", "articulart.net", "ozezae7.pro", "asy-jatcrz.xyz", "wiftsscend.click", "tinky.vip", "ould-ktlgl.xyz", "vagames.pro", "sncmk.shop", "trategy-eyewna.xyz", "orty.pro", "hanprojects.tech", "ronsoy.vip", "aoxiangwu.top", "8tsl.fashion", "ashersmeaningmellitz.cfd", "ood-packing-iasehq19x224.today", "oldier-zjfuu.xyz", "ysterywarrior932.top", "omercialec.shop", "ashclub.xyz", "trongenergetichealth.top", "addedcaitiffcanzos.shop", "ack-gtiij.xyz", "nformation-gdrs.xyz", "ouwmsoe.top", "apermatepens.net", "5i34whsisp.top", "appen-zuxs.xyz", "trennebaffinbayamon.cfd", "nablerententeewart.shop", "xpert-private-tutors.today", "zzw-tv.xyz", "ffvd-traditional.xyz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: z8eokahasflcrscooplasb.exe	ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe	Virustotal: Detection: 50%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z8eokahasflcrscooplasb.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: z8eokahasflcrscooplasb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z8eokahasflcrscooplasb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z8eokahasflcrscooplasb.exe, z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 4x nop then jmp 07F86DDAh	0_2_07F872B6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 4x nop then pop esi	6_2_004172E7
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 4x nop then jmp 0D546312h	8_2_0D5467EE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.31231851.xyz/dn13/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.mile-hkajwx.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.ood-packing-iasehq19x224.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ozezae7.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.f9813.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.anceibizamagazine.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orty.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mile-hkajwx.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.pigramescentfeatous.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lindsandfurnishings.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysticsmoke.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysterywarrior932.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wlkflwef3sf2wf.top replaycode: Name error (3)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: www.ood-packing-iasehq19x224.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ozezae7.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.f9813.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.anceibizamagazine.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orty.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mile-hkajwx.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.pigramescentfeatous.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lindsandfurnishings.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysticsmoke.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysterywarrior932.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wlkflwef3sf2wf.top replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.ysterywarrior932.top
Source: global traffic	DNS traffic detected: DNS query: www.mile-hkajwx.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ood-packing-iasehq19x224.today
Source: global traffic	DNS traffic detected: DNS query: www.wlkflwef3sf2wf.top
Source: global traffic	DNS traffic detected: DNS query: www.anceibizamagazine.net
Source: global traffic	DNS traffic detected: DNS query: www.ozezae7.pro
Source: global traffic	DNS traffic detected: DNS query: www.orty.pro
Source: global traffic	DNS traffic detected: DNS query: www.lindsandfurnishings.shop
Source: global traffic	DNS traffic detected: DNS query: www.ysticsmoke.net
Source: global traffic	DNS traffic detected: DNS query: www.pigramescentfeatous.shop
Source: global traffic	DNS traffic detected: DNS query: www.f9813.top

Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.4147007457.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4148545667.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4146548295.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1737247647.0000000003572000.00000004.00000800.00020000.00000000.sdmp, hmlPTospxjGJ.exe, 00000008.00000002.1779409471.0000000003140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.31231851.xyz
Source: explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.31231851.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.31231851.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.net/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.net/dn13/www.ozezae7.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.netReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyz/dn13/www.p9eh2s99b5.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyzReferer:
Source: explorer.exe, 00000007.00000003.3110687045.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151466263.000000000C9AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108517681.000000000C9A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485621993.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.top/dn13/www.trennebaffinbayamon.cfd
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.topReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shop/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shop/dn13/www.ysticsmoke.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shopReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyz/dn13/www.ood-packing-iasehq19x224.today
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.today
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.today/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.today/dn13/www.wlkflwef3sf2wf.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.todayReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.pro/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.pro/dn13/www.lindsandfurnishings.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.proReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyz/dn13/www.f9813.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.pro/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.pro/dn13/www.orty.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.proReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.top/dn13/www.31231851.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.topReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shop/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shop/dn13/www.outya.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shopReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741017878.0000000005D14000.00000004.00000020.00020000.00000000.sdmp, z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfd
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfd/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfd/dn13/www.ashclub.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfdReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.top/dn13/www.anceibizamagazine.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.topReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.top/dn13/www.mile-hkajwx.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.topReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.net/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.net/dn13/www.pigramescentfeatous.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.netReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000007.00000003.3110797722.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000002.4144709532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000007.00000002.4144709532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000007.00000002.4142329980.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718357985.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4140317801.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.4147605314.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.4147605314.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.4150366155.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 4928, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 6892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A3B8C NtQueryInformationProcess,	0_2_094A3B8C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8BB8 NtQueryInformationProcess,	0_2_094A8BB8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8C00 NtQueryInformationProcess,	0_2_094A8C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A320 NtCreateFile,	6_2_0041A320
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A3D0 NtReadFile,	6_2_0041A3D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A450 NtClose,	6_2_0041A450
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A500 NtAllocateVirtualMemory,	6_2_0041A500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A3CF NtReadFile,	6_2_0041A3CF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A4FA NtAllocateVirtualMemory,	6_2_0041A4FA
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362B60 NtClose,LdrInitializeThunk,	6_2_01362B60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01362BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362AD0 NtReadFile,LdrInitializeThunk,	6_2_01362AD0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_01362D30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_01362D10
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01362DF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362DD0 NtDelayExecution,LdrInitializeThunk,	6_2_01362DD0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01362C70
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_01362CA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362F30 NtCreateSection,LdrInitializeThunk,	6_2_01362F30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362FB0 NtResumeThread,LdrInitializeThunk,	6_2_01362FB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01362F90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362FE0 NtCreateFile,LdrInitializeThunk,	6_2_01362FE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01362EA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_01362E80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01364340 NtSetContextThread,	6_2_01364340
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01364650 NtSuspendThread,	6_2_01364650
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362BA0 NtEnumerateValueKey,	6_2_01362BA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362B80 NtQueryInformationFile,	6_2_01362B80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362BE0 NtQueryValueKey,	6_2_01362BE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362AB0 NtWaitForSingleObject,	6_2_01362AB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362AF0 NtWriteFile,	6_2_01362AF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362D00 NtSetInformationFile,	6_2_01362D00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362DB0 NtEnumerateKey,	6_2_01362DB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362C00 NtQueryInformationProcess,	6_2_01362C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362C60 NtCreateKey,	6_2_01362C60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362CF0 NtOpenProcess,	6_2_01362CF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362CC0 NtQueryVirtualMemory,	6_2_01362CC0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362F60 NtCreateProcessEx,	6_2_01362F60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362FA0 NtQuerySection,	6_2_01362FA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362E30 NtWriteVirtualMemory,	6_2_01362E30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362EE0 NtQueueApcThread,	6_2_01362EE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363010 NtOpenDirectoryObject,	6_2_01363010
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363090 NtSetValueKey,	6_2_01363090
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013635C0 NtCreateMutant,	6_2_013635C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013639B0 NtGetContextThread,	6_2_013639B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363D10 NtOpenProcessToken,	6_2_01363D10
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363D70 NtOpenThread,	6_2_01363D70
Source: C:\Windows\explorer.exe	Code function: 7_2_0E822E12 NtProtectVirtualMemory,	7_2_0E822E12
Source: C:\Windows\explorer.exe	Code function: 7_2_0E821232 NtCreateFile,	7_2_0E821232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E822E0A NtProtectVirtualMemory,	7_2_0E822E0A
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07543B8C NtQueryInformationProcess,	8_2_07543B8C
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548C00 NtQueryInformationProcess,	8_2_07548C00
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548BB8 NtQueryInformationProcess,	8_2_07548BB8

Detected potential crypto function

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_030BD3C4	0_2_030BD3C4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D7438	0_2_057D7438
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D0040	0_2_057D0040
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D0007	0_2_057D0007
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D742A	0_2_057D742A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7E100	0_2_07C7E100
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7E7D8	0_2_07C7E7D8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7133C	0_2_07C7133C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7E0F1	0_2_07C7E0F1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F88818	0_2_07F88818
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F82BEF	0_2_07F82BEF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F827C8	0_2_07F827C8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F80310	0_2_07F80310
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F81528	0_2_07F81528
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F810F0	0_2_07F810F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F80CB8	0_2_07F80CB8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F82C00	0_2_07F82C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A4C21	0_2_094A4C21
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A5EF8	0_2_094A5EF8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AA9FF	0_2_094AA9FF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A7BE0	0_2_094A7BE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AAA10	0_2_094AAA10
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8D88	0_2_094A8D88
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8018	0_2_094A8018
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A84D8	0_2_094A84D8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AA778	0_2_094AA778
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AA788	0_2_094AA788
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0040102B	6_2_0040102B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D8C4	6_2_0041D8C4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041DCC2	6_2_0041DCC2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00409E4C	6_2_00409E4C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00409E50	6_2_00409E50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320100	6_2_01320100
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B8158	6_2_013B8158
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F01AA	6_2_013F01AA
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E41A2	6_2_013E41A2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E81CC	6_2_013E81CC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA352	6_2_013EA352
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F03E6	6_2_013F03E6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B02C0	6_2_013B02C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F0591	6_2_013F0591
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4420	6_2_013D4420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E2446	6_2_013E2446
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DE4F6	6_2_013DE4F6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01354750	6_2_01354750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132C7C0	6_2_0132C7C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134C6E0	6_2_0134C6E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013FA9A6	6_2_013FA9A6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133A840	6_2_0133A840
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01332840	6_2_01332840
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013168B8	6_2_013168B8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E8F0	6_2_0135E8F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EAB40	6_2_013EAB40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E6BD7	6_2_013E6BD7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CCD1F	6_2_013CCD1F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133AD00	6_2_0133AD00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01348DBF	6_2_01348DBF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132ADE0	6_2_0132ADE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330C00	6_2_01330C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0CB5	6_2_013D0CB5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320CF2	6_2_01320CF2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350F30	6_2_01350F30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D2F30	6_2_013D2F30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01372F28	6_2_01372F28
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A4F40	6_2_013A4F40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AEFA0	6_2_013AEFA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322FC8	6_2_01322FC8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EEE26	6_2_013EEE26
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330E59	6_2_01330E59
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342E90	6_2_01342E90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013ECE93	6_2_013ECE93
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EEEDB	6_2_013EEEDB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131F172	6_2_0131F172
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013FB16B	6_2_013FB16B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136516C	6_2_0136516C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133B1B0	6_2_0133B1B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E70E9	6_2_013E70E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EF0E0	6_2_013EF0E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DF0CC	6_2_013DF0CC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013370C0	6_2_013370C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E132D	6_2_013E132D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131D34C	6_2_0131D34C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0137739A	6_2_0137739A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013352A0	6_2_013352A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134D2F0	6_2_0134D2F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D12ED	6_2_013D12ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134B2C0	6_2_0134B2C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E7571	6_2_013E7571
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CD5B0	6_2_013CD5B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F95C3	6_2_013F95C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EF43F	6_2_013EF43F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01321460	6_2_01321460
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EF7B0	6_2_013EF7B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01375630	6_2_01375630
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E16CC	6_2_013E16CC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C5910	6_2_013C5910
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01339950	6_2_01339950
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134B950	6_2_0134B950
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139D800	6_2_0139D800
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013338E0	6_2_013338E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFB76	6_2_013EFB76
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134FB80	6_2_0134FB80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A5BF0	6_2_013A5BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136DBF9	6_2_0136DBF9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A3A6C	6_2_013A3A6C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFA49	6_2_013EFA49
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E7A46	6_2_013E7A46
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CDAAC	6_2_013CDAAC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01375AA0	6_2_01375AA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D1AA3	6_2_013D1AA3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DDAC6	6_2_013DDAC6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E7D73	6_2_013E7D73
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E1D5A	6_2_013E1D5A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01333D40	6_2_01333D40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134FDC0	6_2_0134FDC0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A9C32	6_2_013A9C32
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFCF2	6_2_013EFCF2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFF09	6_2_013EFF09
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFFB1	6_2_013EFFB1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01331F92	6_2_01331F92
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F3FD5	6_2_012F3FD5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F3FD2	6_2_012F3FD2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01339EB0	6_2_01339EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5AA232	7_2_0E5AA232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A4B32	7_2_0E5A4B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A4B30	7_2_0E5A4B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A9036	7_2_0E5A9036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A0082	7_2_0E5A0082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A7912	7_2_0E5A7912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A1D02	7_2_0E5A1D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5AD5CD	7_2_0E5AD5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0E821232	7_2_0E821232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E817082	7_2_0E817082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E820036	7_2_0E820036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E8245CD	7_2_0E8245CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0E818D02	7_2_0E818D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E81E912	7_2_0E81E912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E81BB30	7_2_0E81BB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E81BB32	7_2_0E81BB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD1DB30	7_2_0FD1DB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD1DB32	7_2_0FD1DB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD23232	7_2_0FD23232
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD265CD	7_2_0FD265CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD20912	7_2_0FD20912
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD1AD02	7_2_0FD1AD02
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD19082	7_2_0FD19082
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD22036	7_2_0FD22036
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_014BD3C4	8_2_014BD3C4
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A7438	8_2_054A7438
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A0040	8_2_054A0040
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A0006	8_2_054A0006
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A742A	8_2_054A742A
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0747E100	8_2_0747E100
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0747E7D8	8_2_0747E7D8
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548438	8_2_07548438
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07545F00	8_2_07545F00
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07544C30	8_2_07544C30
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754A778	8_2_0754A778
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754A788	8_2_0754A788
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07547F78	8_2_07547F78
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07545EF2	8_2_07545EF2
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548D88	8_2_07548D88
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07544C21	8_2_07544C21
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07547B40	8_2_07547B40
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754AA10	8_2_0754AA10
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754A9FF	8_2_0754A9FF
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D547D58	8_2_0D547D58
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D541528	8_2_0D541528
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D542C00	8_2_0D542C00
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D5410F0	8_2_0D5410F0
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D540C84	8_2_0D540C84
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D540CB8	8_2_0D540CB8
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D5427C8	8_2_0D5427C8
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D542BEF	8_2_0D542BEF

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 013AF290 appears 103 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 01365130 appears 58 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 0139EA12 appears 86 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 01377E54 appears 107 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 0131B970 appears 262 times

Sample file is different than original file name gathered from version info

Source: z8eokahasflcrscooplasb.exe, 00000000.00000000.1690667748.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGUyZ.exe" vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1735007844.000000000149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1742886010.0000000007EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: \[FileVersionLegalCopyrightOriginalFilenameInternalNameCompanyNameProductNameProductVersionFileDescription vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.000000000141D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003471000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe	Binary or memory string: OriginalFilenameGUyZ.exe" vs z8eokahasflcrscooplasb.exe

Uses 32bit PE files

Source: z8eokahasflcrscooplasb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 4928, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 6892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: z8eokahasflcrscooplasb.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hmlPTospxjGJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@275/11@11/0

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Mutant created: \Sessions\1\BaseNamedObjects\TshhkPVhzWqKSHWyhPH

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8D16.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: z8eokahasflcrscooplasb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z8eokahasflcrscooplasb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z8eokahasflcrscooplasb.exe	ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File read: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wkscli.dll

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: z8eokahasflcrscooplasb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z8eokahasflcrscooplasb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z8eokahasflcrscooplasb.exe, z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z8eokahasflcrscooplasb.exe.5e70000.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_030BF550 pushfd ; iretd	0_2_030BF551
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_058CE4D0 pushfd ; retf	0_2_058CE4D9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_058C9A38 push eax; mov dword ptr [esp], ecx	0_2_058C9A3C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7A656 push FFFFFF8Bh; iretd	0_2_07C7A65A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0040E851 push es; ret	6_2_0040E852
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0040E32C push ecx; retf	6_2_0040E32D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00416BE6 push FFFFFF97h; retf	6_2_00416BEB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D475 push eax; ret	6_2_0041D4C8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D4C2 push eax; ret	6_2_0041D4C8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D4CB push eax; ret	6_2_0041D532
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D52C push eax; ret	6_2_0041D532
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F225F pushad ; ret	6_2_012F27F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F27FA pushad ; ret	6_2_012F27F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013209AD push ecx; mov dword ptr [esp], ecx	6_2_013209B6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F283D push eax; iretd	6_2_012F2858
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F1368 push eax; iretd	6_2_012F1369
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5ADB1E push esp; retn 0000h	7_2_0E5ADB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5ADB02 push esp; retn 0000h	7_2_0E5ADB03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5AD9B5 push esp; retn 0000h	7_2_0E5ADAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0E8249B5 push esp; retn 0000h	7_2_0E824AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0E824B02 push esp; retn 0000h	7_2_0E824B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E824B1E push esp; retn 0000h	7_2_0E824B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD26B1E push esp; retn 0000h	7_2_0FD26B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD26B02 push esp; retn 0000h	7_2_0FD26B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD269B5 push esp; retn 0000h	7_2_0FD26AE7
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_014BF552 push esp; iretd	8_2_014BF559
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_014BF550 pushfd ; iretd	8_2_014BF551
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0747A658 push FFFFFF8Bh; iretd	8_2_0747A65A
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07475430 push eax; ret	8_2_07475471

Source: z8eokahasflcrscooplasb.exe	Static PE information: section name: .text entropy: 7.682191163103425
Source: hmlPTospxjGJ.exe.0.dr	Static PE information: section name: .text entropy: 7.682191163103425

Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'

Drops PE files

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: A69904 second address: A6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: A69B6E second address: A69B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 4F9904 second address: 4F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 4F9B6E second address: 4F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 95F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: A5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: A800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: B800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: BF90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: CF90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: DF90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 8BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 7690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: ABE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: B540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: C540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: D550000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6723	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2950	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 419	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9525	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 9727

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe TID: 6632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4464	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep count: 419 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep time: -838000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep count: 9525 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep time: -19050000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe TID: 2188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep count: 242 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep time: -484000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep count: 9727 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep time: -19454000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: explorer.exe, 00000007.00000000.1726180641.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000002.4147605314.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000007.00000000.1721047830.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000007.00000000.1726180641.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4148429051.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000007.00000002.4147605314.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1735007844.000000000151B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.4148429051.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.4144709532.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000007.00000002.4147527518.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Code function: 6_2_0040ACE0 LdrLoadDll,

6_2_0040ACE0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350124 mov eax, dword ptr fs:[00000030h]	6_2_01350124
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov ecx, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E0115 mov eax, dword ptr fs:[00000030h]	6_2_013E0115
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4164 mov eax, dword ptr fs:[00000030h]	6_2_013F4164
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4164 mov eax, dword ptr fs:[00000030h]	6_2_013F4164
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B8158 mov eax, dword ptr fs:[00000030h]	6_2_013B8158
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326154 mov eax, dword ptr fs:[00000030h]	6_2_01326154
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326154 mov eax, dword ptr fs:[00000030h]	6_2_01326154
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C156 mov eax, dword ptr fs:[00000030h]	6_2_0131C156
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov ecx, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h]	6_2_0131A197
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h]	6_2_0131A197
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h]	6_2_0131A197
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01360185 mov eax, dword ptr fs:[00000030h]	6_2_01360185
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DC188 mov eax, dword ptr fs:[00000030h]	6_2_013DC188
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DC188 mov eax, dword ptr fs:[00000030h]	6_2_013DC188
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4180 mov eax, dword ptr fs:[00000030h]	6_2_013C4180
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4180 mov eax, dword ptr fs:[00000030h]	6_2_013C4180
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013501F8 mov eax, dword ptr fs:[00000030h]	6_2_013501F8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F61E5 mov eax, dword ptr fs:[00000030h]	6_2_013F61E5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E61C3 mov eax, dword ptr fs:[00000030h]	6_2_013E61C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E61C3 mov eax, dword ptr fs:[00000030h]	6_2_013E61C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6030 mov eax, dword ptr fs:[00000030h]	6_2_013B6030
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A020 mov eax, dword ptr fs:[00000030h]	6_2_0131A020
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C020 mov eax, dword ptr fs:[00000030h]	6_2_0131C020
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A4000 mov ecx, dword ptr fs:[00000030h]	6_2_013A4000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134C073 mov eax, dword ptr fs:[00000030h]	6_2_0134C073
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322050 mov eax, dword ptr fs:[00000030h]	6_2_01322050
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6050 mov eax, dword ptr fs:[00000030h]	6_2_013A6050
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E60B8 mov eax, dword ptr fs:[00000030h]	6_2_013E60B8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E60B8 mov ecx, dword ptr fs:[00000030h]	6_2_013E60B8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013180A0 mov eax, dword ptr fs:[00000030h]	6_2_013180A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B80A8 mov eax, dword ptr fs:[00000030h]	6_2_013B80A8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132208A mov eax, dword ptr fs:[00000030h]	6_2_0132208A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0131C0F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013620F0 mov ecx, dword ptr fs:[00000030h]	6_2_013620F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0131A0E3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A60E0 mov eax, dword ptr fs:[00000030h]	6_2_013A60E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013280E9 mov eax, dword ptr fs:[00000030h]	6_2_013280E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A20DE mov eax, dword ptr fs:[00000030h]	6_2_013A20DE
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov ecx, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C310 mov ecx, dword ptr fs:[00000030h]	6_2_0131C310
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340310 mov ecx, dword ptr fs:[00000030h]	6_2_01340310
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]	6_2_0135A30B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]	6_2_0135A30B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]	6_2_0135A30B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C437C mov eax, dword ptr fs:[00000030h]	6_2_013C437C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov ecx, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA352 mov eax, dword ptr fs:[00000030h]	6_2_013EA352
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C8350 mov ecx, dword ptr fs:[00000030h]	6_2_013C8350
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F634F mov eax, dword ptr fs:[00000030h]	6_2_013F634F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]	6_2_01318397
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]	6_2_01318397
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]	6_2_01318397
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]	6_2_0131E388
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]	6_2_0131E388
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]	6_2_0131E388
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134438F mov eax, dword ptr fs:[00000030h]	6_2_0134438F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134438F mov eax, dword ptr fs:[00000030h]	6_2_0134438F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013563FF mov eax, dword ptr fs:[00000030h]	6_2_013563FF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov ecx, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C43D4 mov eax, dword ptr fs:[00000030h]	6_2_013C43D4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C43D4 mov eax, dword ptr fs:[00000030h]	6_2_013C43D4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DC3CD mov eax, dword ptr fs:[00000030h]	6_2_013DC3CD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A63C0 mov eax, dword ptr fs:[00000030h]	6_2_013A63C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131823B mov eax, dword ptr fs:[00000030h]	6_2_0131823B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]	6_2_01324260
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]	6_2_01324260
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]	6_2_01324260
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131826B mov eax, dword ptr fs:[00000030h]	6_2_0131826B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A250 mov eax, dword ptr fs:[00000030h]	6_2_0131A250
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F625D mov eax, dword ptr fs:[00000030h]	6_2_013F625D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326259 mov eax, dword ptr fs:[00000030h]	6_2_01326259
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA250 mov eax, dword ptr fs:[00000030h]	6_2_013DA250
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA250 mov eax, dword ptr fs:[00000030h]	6_2_013DA250
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A8243 mov eax, dword ptr fs:[00000030h]	6_2_013A8243
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A8243 mov ecx, dword ptr fs:[00000030h]	6_2_013A8243
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302A0 mov eax, dword ptr fs:[00000030h]	6_2_013302A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302A0 mov eax, dword ptr fs:[00000030h]	6_2_013302A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov ecx, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E284 mov eax, dword ptr fs:[00000030h]	6_2_0135E284
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E284 mov eax, dword ptr fs:[00000030h]	6_2_0135E284
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]	6_2_013A0283
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]	6_2_013A0283
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]	6_2_013A0283
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]	6_2_013302E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]	6_2_013302E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]	6_2_013302E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F62D6 mov eax, dword ptr fs:[00000030h]	6_2_013F62D6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6500 mov eax, dword ptr fs:[00000030h]	6_2_013B6500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]	6_2_0135656A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]	6_2_0135656A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]	6_2_0135656A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328550 mov eax, dword ptr fs:[00000030h]	6_2_01328550
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328550 mov eax, dword ptr fs:[00000030h]	6_2_01328550
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013445B1 mov eax, dword ptr fs:[00000030h]	6_2_013445B1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013445B1 mov eax, dword ptr fs:[00000030h]	6_2_013445B1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]	6_2_013A05A7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]	6_2_013A05A7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]	6_2_013A05A7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E59C mov eax, dword ptr fs:[00000030h]	6_2_0135E59C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322582 mov eax, dword ptr fs:[00000030h]	6_2_01322582
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322582 mov ecx, dword ptr fs:[00000030h]	6_2_01322582
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01354588 mov eax, dword ptr fs:[00000030h]	6_2_01354588
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013225E0 mov eax, dword ptr fs:[00000030h]	6_2_013225E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C5ED mov eax, dword ptr fs:[00000030h]	6_2_0135C5ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C5ED mov eax, dword ptr fs:[00000030h]	6_2_0135C5ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013265D0 mov eax, dword ptr fs:[00000030h]	6_2_013265D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0135A5D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0135A5D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E5CF mov eax, dword ptr fs:[00000030h]	6_2_0135E5CF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E5CF mov eax, dword ptr fs:[00000030h]	6_2_0135E5CF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]	6_2_0131E420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]	6_2_0131E420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]	6_2_0131E420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C427 mov eax, dword ptr fs:[00000030h]	6_2_0131C427
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]	6_2_01358402
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]	6_2_01358402
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]	6_2_01358402
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134A470 mov eax, dword ptr fs:[00000030h]	6_2_0134A470
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134A470 mov eax, dword ptr fs:[00000030h]	6_2_0134A470
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134A470 mov eax, dword ptr fs:[00000030h]	6_2_0134A470
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC460 mov ecx, dword ptr fs:[00000030h]	6_2_013AC460
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA456 mov eax, dword ptr fs:[00000030h]	6_2_013DA456
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131645D mov eax, dword ptr fs:[00000030h]	6_2_0131645D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134245A mov eax, dword ptr fs:[00000030h]	6_2_0134245A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013544B0 mov ecx, dword ptr fs:[00000030h]	6_2_013544B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AA4B0 mov eax, dword ptr fs:[00000030h]	6_2_013AA4B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013264AB mov eax, dword ptr fs:[00000030h]	6_2_013264AB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA49A mov eax, dword ptr fs:[00000030h]	6_2_013DA49A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013204E5 mov ecx, dword ptr fs:[00000030h]	6_2_013204E5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135273C mov eax, dword ptr fs:[00000030h]	6_2_0135273C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135273C mov ecx, dword ptr fs:[00000030h]	6_2_0135273C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135273C mov eax, dword ptr fs:[00000030h]	6_2_0135273C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139C730 mov eax, dword ptr fs:[00000030h]	6_2_0139C730
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C720 mov eax, dword ptr fs:[00000030h]	6_2_0135C720
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C720 mov eax, dword ptr fs:[00000030h]	6_2_0135C720
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320710 mov eax, dword ptr fs:[00000030h]	6_2_01320710
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350710 mov eax, dword ptr fs:[00000030h]	6_2_01350710
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C700 mov eax, dword ptr fs:[00000030h]	6_2_0135C700
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328770 mov eax, dword ptr fs:[00000030h]	6_2_01328770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320750 mov eax, dword ptr fs:[00000030h]	6_2_01320750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362750 mov eax, dword ptr fs:[00000030h]	6_2_01362750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362750 mov eax, dword ptr fs:[00000030h]	6_2_01362750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE75D mov eax, dword ptr fs:[00000030h]	6_2_013AE75D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A4755 mov eax, dword ptr fs:[00000030h]	6_2_013A4755
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135674D mov esi, dword ptr fs:[00000030h]	6_2_0135674D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135674D mov eax, dword ptr fs:[00000030h]	6_2_0135674D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135674D mov eax, dword ptr fs:[00000030h]	6_2_0135674D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013207AF mov eax, dword ptr fs:[00000030h]	6_2_013207AF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D47A0 mov eax, dword ptr fs:[00000030h]	6_2_013D47A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C678E mov eax, dword ptr fs:[00000030h]	6_2_013C678E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013247FB mov eax, dword ptr fs:[00000030h]	6_2_013247FB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013247FB mov eax, dword ptr fs:[00000030h]	6_2_013247FB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013427ED mov eax, dword ptr fs:[00000030h]	6_2_013427ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013427ED mov eax, dword ptr fs:[00000030h]	6_2_013427ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013427ED mov eax, dword ptr fs:[00000030h]	6_2_013427ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE7E1 mov eax, dword ptr fs:[00000030h]	6_2_013AE7E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0132C7C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A07C3 mov eax, dword ptr fs:[00000030h]	6_2_013A07C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E627 mov eax, dword ptr fs:[00000030h]	6_2_0133E627
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01356620 mov eax, dword ptr fs:[00000030h]	6_2_01356620
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358620 mov eax, dword ptr fs:[00000030h]	6_2_01358620
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132262C mov eax, dword ptr fs:[00000030h]	6_2_0132262C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362619 mov eax, dword ptr fs:[00000030h]	6_2_01362619
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E609 mov eax, dword ptr fs:[00000030h]	6_2_0139E609
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01352674 mov eax, dword ptr fs:[00000030h]	6_2_01352674
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E866E mov eax, dword ptr fs:[00000030h]	6_2_013E866E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E866E mov eax, dword ptr fs:[00000030h]	6_2_013E866E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A660 mov eax, dword ptr fs:[00000030h]	6_2_0135A660
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A660 mov eax, dword ptr fs:[00000030h]	6_2_0135A660
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133C640 mov eax, dword ptr fs:[00000030h]	6_2_0133C640
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013566B0 mov eax, dword ptr fs:[00000030h]	6_2_013566B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0135C6A6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324690 mov eax, dword ptr fs:[00000030h]	6_2_01324690
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324690 mov eax, dword ptr fs:[00000030h]	6_2_01324690
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A06F1 mov eax, dword ptr fs:[00000030h]	6_2_013A06F1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A06F1 mov eax, dword ptr fs:[00000030h]	6_2_013A06F1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0135A6C7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0135A6C7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A892A mov eax, dword ptr fs:[00000030h]	6_2_013A892A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B892B mov eax, dword ptr fs:[00000030h]	6_2_013B892B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC912 mov eax, dword ptr fs:[00000030h]	6_2_013AC912
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318918 mov eax, dword ptr fs:[00000030h]	6_2_01318918
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318918 mov eax, dword ptr fs:[00000030h]	6_2_01318918
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E908 mov eax, dword ptr fs:[00000030h]	6_2_0139E908
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E908 mov eax, dword ptr fs:[00000030h]	6_2_0139E908
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4978 mov eax, dword ptr fs:[00000030h]	6_2_013C4978
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4978 mov eax, dword ptr fs:[00000030h]	6_2_013C4978
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC97C mov eax, dword ptr fs:[00000030h]	6_2_013AC97C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962 mov eax, dword ptr fs:[00000030h]	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962 mov eax, dword ptr fs:[00000030h]	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962 mov eax, dword ptr fs:[00000030h]	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136096E mov eax, dword ptr fs:[00000030h]	6_2_0136096E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136096E mov edx, dword ptr fs:[00000030h]	6_2_0136096E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136096E mov eax, dword ptr fs:[00000030h]	6_2_0136096E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0946 mov eax, dword ptr fs:[00000030h]	6_2_013A0946
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4940 mov eax, dword ptr fs:[00000030h]	6_2_013F4940
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A89B3 mov esi, dword ptr fs:[00000030h]	6_2_013A89B3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A89B3 mov eax, dword ptr fs:[00000030h]	6_2_013A89B3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A89B3 mov eax, dword ptr fs:[00000030h]	6_2_013A89B3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013209AD mov eax, dword ptr fs:[00000030h]	6_2_013209AD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013209AD mov eax, dword ptr fs:[00000030h]	6_2_013209AD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013529F9 mov eax, dword ptr fs:[00000030h]	6_2_013529F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013529F9 mov eax, dword ptr fs:[00000030h]	6_2_013529F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE9E0 mov eax, dword ptr fs:[00000030h]	6_2_013AE9E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013549D0 mov eax, dword ptr fs:[00000030h]	6_2_013549D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA9D3 mov eax, dword ptr fs:[00000030h]	6_2_013EA9D3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B69C0 mov eax, dword ptr fs:[00000030h]	6_2_013B69C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov ecx, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A830 mov eax, dword ptr fs:[00000030h]	6_2_0135A830
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C483A mov eax, dword ptr fs:[00000030h]	6_2_013C483A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C483A mov eax, dword ptr fs:[00000030h]	6_2_013C483A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC810 mov eax, dword ptr fs:[00000030h]	6_2_013AC810
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE872 mov eax, dword ptr fs:[00000030h]	6_2_013AE872
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE872 mov eax, dword ptr fs:[00000030h]	6_2_013AE872
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6870 mov eax, dword ptr fs:[00000030h]	6_2_013B6870
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6870 mov eax, dword ptr fs:[00000030h]	6_2_013B6870
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350854 mov eax, dword ptr fs:[00000030h]	6_2_01350854
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324859 mov eax, dword ptr fs:[00000030h]	6_2_01324859
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324859 mov eax, dword ptr fs:[00000030h]	6_2_01324859
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01332840 mov ecx, dword ptr fs:[00000030h]	6_2_01332840
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC89D mov eax, dword ptr fs:[00000030h]	6_2_013AC89D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320887 mov eax, dword ptr fs:[00000030h]	6_2_01320887
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0135C8F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0135C8F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA8E4 mov eax, dword ptr fs:[00000030h]	6_2_013EA8E4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0134E8C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F08C0 mov eax, dword ptr fs:[00000030h]	6_2_013F08C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EB20 mov eax, dword ptr fs:[00000030h]	6_2_0134EB20
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EB20 mov eax, dword ptr fs:[00000030h]	6_2_0134EB20
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E8B28 mov eax, dword ptr fs:[00000030h]	6_2_013E8B28
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E8B28 mov eax, dword ptr fs:[00000030h]	6_2_013E8B28
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4B00 mov eax, dword ptr fs:[00000030h]	6_2_013F4B00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131CB7E mov eax, dword ptr fs:[00000030h]	6_2_0131CB7E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318B50 mov eax, dword ptr fs:[00000030h]	6_2_01318B50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CEB50 mov eax, dword ptr fs:[00000030h]	6_2_013CEB50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4B4B mov eax, dword ptr fs:[00000030h]	6_2_013D4B4B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4B4B mov eax, dword ptr fs:[00000030h]	6_2_013D4B4B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6B40 mov eax, dword ptr fs:[00000030h]	6_2_013B6B40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6B40 mov eax, dword ptr fs:[00000030h]	6_2_013B6B40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EAB40 mov eax, dword ptr fs:[00000030h]	6_2_013EAB40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C8B42 mov eax, dword ptr fs:[00000030h]	6_2_013C8B42
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330BBE mov eax, dword ptr fs:[00000030h]	6_2_01330BBE
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330BBE mov eax, dword ptr fs:[00000030h]	6_2_01330BBE
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4BB0 mov eax, dword ptr fs:[00000030h]	6_2_013D4BB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4BB0 mov eax, dword ptr fs:[00000030h]	6_2_013D4BB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328BF0 mov eax, dword ptr fs:[00000030h]	6_2_01328BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328BF0 mov eax, dword ptr fs:[00000030h]	6_2_01328BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328BF0 mov eax, dword ptr fs:[00000030h]	6_2_01328BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EBFC mov eax, dword ptr fs:[00000030h]	6_2_0134EBFC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013ACBF0 mov eax, dword ptr fs:[00000030h]	6_2_013ACBF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CEBD0 mov eax, dword ptr fs:[00000030h]	6_2_013CEBD0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340BCB mov eax, dword ptr fs:[00000030h]	6_2_01340BCB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340BCB mov eax, dword ptr fs:[00000030h]	6_2_01340BCB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340BCB mov eax, dword ptr fs:[00000030h]	6_2_01340BCB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320BCD mov eax, dword ptr fs:[00000030h]	6_2_01320BCD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320BCD mov eax, dword ptr fs:[00000030h]	6_2_01320BCD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320BCD mov eax, dword ptr fs:[00000030h]	6_2_01320BCD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01344A35 mov eax, dword ptr fs:[00000030h]	6_2_01344A35
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01344A35 mov eax, dword ptr fs:[00000030h]	6_2_01344A35
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA24 mov eax, dword ptr fs:[00000030h]	6_2_0135CA24
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EA2E mov eax, dword ptr fs:[00000030h]	6_2_0134EA2E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013ACA11 mov eax, dword ptr fs:[00000030h]	6_2_013ACA11
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139CA72 mov eax, dword ptr fs:[00000030h]	6_2_0139CA72
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139CA72 mov eax, dword ptr fs:[00000030h]	6_2_0139CA72
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA6F mov eax, dword ptr fs:[00000030h]	6_2_0135CA6F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA6F mov eax, dword ptr fs:[00000030h]	6_2_0135CA6F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA6F mov eax, dword ptr fs:[00000030h]	6_2_0135CA6F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CEA60 mov eax, dword ptr fs:[00000030h]	6_2_013CEA60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330A5B mov eax, dword ptr fs:[00000030h]	6_2_01330A5B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330A5B mov eax, dword ptr fs:[00000030h]	6_2_01330A5B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328AA0 mov eax, dword ptr fs:[00000030h]	6_2_01328AA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328AA0 mov eax, dword ptr fs:[00000030h]	6_2_01328AA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01376AA4 mov eax, dword ptr fs:[00000030h]	6_2_01376AA4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358A90 mov edx, dword ptr fs:[00000030h]	6_2_01358A90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80

Enables debug privileges

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	NtClose: Indirect: 0x12CA56C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	NtQueueApcThread: Indirect: 0x12CA4F2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	NtClose: Indirect: 0xD9A56C
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	NtQueueApcThread: Indirect: 0xD9A4F2

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory written: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory written: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 2580
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Thread register set: target process: 2580

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: B10000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: B30000

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"

Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 00000007.00000002.4140317801.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
www.orty.pro	unknown	unknown
www.ysticsmoke.net	unknown	unknown
www.f9813.top	unknown	unknown
www.mile-hkajwx.xyz	unknown	unknown
www.ysterywarrior932.top	unknown	unknown
www.pigramescentfeatous.shop	unknown	unknown
www.ood-packing-iasehq19x224.today	unknown	unknown
www.wlkflwef3sf2wf.top	unknown	unknown
www.lindsandfurnishings.shop	unknown	unknown
www.ozezae7.pro	unknown	unknown
www.anceibizamagazine.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.31231851.xyz/dn13/	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z8eokahasflcrscooplasb.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Avira: detection malicious, Label: HEUR/AGEN.1309540

Found malware configuration

Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: z8eokahasflcrscooplasb.exe	ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe	Virustotal: Detection: 50%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z8eokahasflcrscooplasb.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: z8eokahasflcrscooplasb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z8eokahasflcrscooplasb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z8eokahasflcrscooplasb.exe, z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 4x nop then jmp 07F86DDAh	0_2_07F872B6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 4x nop then pop esi	6_2_004172E7
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 4x nop then jmp 0D546312h	8_2_0D5467EE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.31231851.xyz/dn13/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.mile-hkajwx.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.ood-packing-iasehq19x224.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ozezae7.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.f9813.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.anceibizamagazine.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orty.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mile-hkajwx.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.pigramescentfeatous.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lindsandfurnishings.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysticsmoke.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysterywarrior932.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wlkflwef3sf2wf.top replaycode: Name error (3)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: www.ood-packing-iasehq19x224.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ozezae7.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.f9813.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.anceibizamagazine.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orty.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mile-hkajwx.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.pigramescentfeatous.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lindsandfurnishings.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysticsmoke.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ysterywarrior932.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wlkflwef3sf2wf.top replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.ysterywarrior932.top
Source: global traffic	DNS traffic detected: DNS query: www.mile-hkajwx.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ood-packing-iasehq19x224.today
Source: global traffic	DNS traffic detected: DNS query: www.wlkflwef3sf2wf.top
Source: global traffic	DNS traffic detected: DNS query: www.anceibizamagazine.net
Source: global traffic	DNS traffic detected: DNS query: www.ozezae7.pro
Source: global traffic	DNS traffic detected: DNS query: www.orty.pro
Source: global traffic	DNS traffic detected: DNS query: www.lindsandfurnishings.shop
Source: global traffic	DNS traffic detected: DNS query: www.ysticsmoke.net
Source: global traffic	DNS traffic detected: DNS query: www.pigramescentfeatous.shop
Source: global traffic	DNS traffic detected: DNS query: www.f9813.top

Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.4147007457.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4148545667.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4146548295.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1737247647.0000000003572000.00000004.00000800.00020000.00000000.sdmp, hmlPTospxjGJ.exe, 00000008.00000002.1779409471.0000000003140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.31231851.xyz
Source: explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.31231851.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.31231851.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.net/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.net/dn13/www.ozezae7.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anceibizamagazine.netReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyz/dn13/www.p9eh2s99b5.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashclub.xyzReferer:
Source: explorer.exe, 00000007.00000003.3110687045.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151466263.000000000C9AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108517681.000000000C9A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485621993.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.top/dn13/www.trennebaffinbayamon.cfd
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f9813.topReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shop/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shop/dn13/www.ysticsmoke.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lindsandfurnishings.shopReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyz/dn13/www.ood-packing-iasehq19x224.today
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mile-hkajwx.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.today
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.today/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.today/dn13/www.wlkflwef3sf2wf.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ood-packing-iasehq19x224.todayReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.pro/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.pro/dn13/www.lindsandfurnishings.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orty.proReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyz/dn13/www.f9813.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outya.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.pro/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.pro/dn13/www.orty.pro
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozezae7.proReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.top/dn13/www.31231851.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p9eh2s99b5.topReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shop/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shop/dn13/www.outya.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pigramescentfeatous.shopReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741017878.0000000005D14000.00000004.00000020.00020000.00000000.sdmp, z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfd
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfd/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfd/dn13/www.ashclub.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trennebaffinbayamon.cfdReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.top/dn13/www.anceibizamagazine.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wlkflwef3sf2wf.topReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.top
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.top/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.top/dn13/www.mile-hkajwx.xyz
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysterywarrior932.topReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.net
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.net/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.net/dn13/www.pigramescentfeatous.shop
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ysticsmoke.netReferer:
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000007.00000003.3110797722.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000002.4144709532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000007.00000002.4144709532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000007.00000002.4142329980.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718357985.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4140317801.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.4147605314.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.4147605314.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.4150366155.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 4928, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 6892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A3B8C NtQueryInformationProcess,	0_2_094A3B8C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8BB8 NtQueryInformationProcess,	0_2_094A8BB8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8C00 NtQueryInformationProcess,	0_2_094A8C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A320 NtCreateFile,	6_2_0041A320
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A3D0 NtReadFile,	6_2_0041A3D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A450 NtClose,	6_2_0041A450
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A500 NtAllocateVirtualMemory,	6_2_0041A500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A3CF NtReadFile,	6_2_0041A3CF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041A4FA NtAllocateVirtualMemory,	6_2_0041A4FA
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362B60 NtClose,LdrInitializeThunk,	6_2_01362B60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01362BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362AD0 NtReadFile,LdrInitializeThunk,	6_2_01362AD0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_01362D30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_01362D10
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01362DF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362DD0 NtDelayExecution,LdrInitializeThunk,	6_2_01362DD0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01362C70
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_01362CA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362F30 NtCreateSection,LdrInitializeThunk,	6_2_01362F30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362FB0 NtResumeThread,LdrInitializeThunk,	6_2_01362FB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01362F90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362FE0 NtCreateFile,LdrInitializeThunk,	6_2_01362FE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01362EA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_01362E80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01364340 NtSetContextThread,	6_2_01364340
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01364650 NtSuspendThread,	6_2_01364650
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362BA0 NtEnumerateValueKey,	6_2_01362BA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362B80 NtQueryInformationFile,	6_2_01362B80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362BE0 NtQueryValueKey,	6_2_01362BE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362AB0 NtWaitForSingleObject,	6_2_01362AB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362AF0 NtWriteFile,	6_2_01362AF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362D00 NtSetInformationFile,	6_2_01362D00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362DB0 NtEnumerateKey,	6_2_01362DB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362C00 NtQueryInformationProcess,	6_2_01362C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362C60 NtCreateKey,	6_2_01362C60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362CF0 NtOpenProcess,	6_2_01362CF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362CC0 NtQueryVirtualMemory,	6_2_01362CC0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362F60 NtCreateProcessEx,	6_2_01362F60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362FA0 NtQuerySection,	6_2_01362FA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362E30 NtWriteVirtualMemory,	6_2_01362E30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362EE0 NtQueueApcThread,	6_2_01362EE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363010 NtOpenDirectoryObject,	6_2_01363010
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363090 NtSetValueKey,	6_2_01363090
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013635C0 NtCreateMutant,	6_2_013635C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013639B0 NtGetContextThread,	6_2_013639B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363D10 NtOpenProcessToken,	6_2_01363D10
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01363D70 NtOpenThread,	6_2_01363D70
Source: C:\Windows\explorer.exe	Code function: 7_2_0E822E12 NtProtectVirtualMemory,	7_2_0E822E12
Source: C:\Windows\explorer.exe	Code function: 7_2_0E821232 NtCreateFile,	7_2_0E821232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E822E0A NtProtectVirtualMemory,	7_2_0E822E0A
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07543B8C NtQueryInformationProcess,	8_2_07543B8C
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548C00 NtQueryInformationProcess,	8_2_07548C00
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548BB8 NtQueryInformationProcess,	8_2_07548BB8

Detected potential crypto function

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_030BD3C4	0_2_030BD3C4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D7438	0_2_057D7438
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D0040	0_2_057D0040
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D0007	0_2_057D0007
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_057D742A	0_2_057D742A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7E100	0_2_07C7E100
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7E7D8	0_2_07C7E7D8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7133C	0_2_07C7133C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7E0F1	0_2_07C7E0F1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F88818	0_2_07F88818
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F82BEF	0_2_07F82BEF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F827C8	0_2_07F827C8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F80310	0_2_07F80310
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F81528	0_2_07F81528
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F810F0	0_2_07F810F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F80CB8	0_2_07F80CB8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07F82C00	0_2_07F82C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A4C21	0_2_094A4C21
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A5EF8	0_2_094A5EF8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AA9FF	0_2_094AA9FF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A7BE0	0_2_094A7BE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AAA10	0_2_094AAA10
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8D88	0_2_094A8D88
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A8018	0_2_094A8018
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094A84D8	0_2_094A84D8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AA778	0_2_094AA778
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_094AA788	0_2_094AA788
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0040102B	6_2_0040102B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D8C4	6_2_0041D8C4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041DCC2	6_2_0041DCC2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00409E4C	6_2_00409E4C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00409E50	6_2_00409E50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320100	6_2_01320100
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B8158	6_2_013B8158
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F01AA	6_2_013F01AA
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E41A2	6_2_013E41A2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E81CC	6_2_013E81CC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA352	6_2_013EA352
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F03E6	6_2_013F03E6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B02C0	6_2_013B02C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F0591	6_2_013F0591
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4420	6_2_013D4420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E2446	6_2_013E2446
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DE4F6	6_2_013DE4F6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01354750	6_2_01354750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132C7C0	6_2_0132C7C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134C6E0	6_2_0134C6E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013FA9A6	6_2_013FA9A6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133A840	6_2_0133A840
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01332840	6_2_01332840
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013168B8	6_2_013168B8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E8F0	6_2_0135E8F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EAB40	6_2_013EAB40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E6BD7	6_2_013E6BD7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CCD1F	6_2_013CCD1F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133AD00	6_2_0133AD00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01348DBF	6_2_01348DBF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132ADE0	6_2_0132ADE0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330C00	6_2_01330C00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0CB5	6_2_013D0CB5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320CF2	6_2_01320CF2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350F30	6_2_01350F30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D2F30	6_2_013D2F30
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01372F28	6_2_01372F28
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A4F40	6_2_013A4F40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AEFA0	6_2_013AEFA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322FC8	6_2_01322FC8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EEE26	6_2_013EEE26
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330E59	6_2_01330E59
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342E90	6_2_01342E90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013ECE93	6_2_013ECE93
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EEEDB	6_2_013EEEDB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131F172	6_2_0131F172
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013FB16B	6_2_013FB16B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136516C	6_2_0136516C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133B1B0	6_2_0133B1B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E70E9	6_2_013E70E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EF0E0	6_2_013EF0E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DF0CC	6_2_013DF0CC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013370C0	6_2_013370C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E132D	6_2_013E132D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131D34C	6_2_0131D34C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0137739A	6_2_0137739A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013352A0	6_2_013352A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134D2F0	6_2_0134D2F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D12ED	6_2_013D12ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134B2C0	6_2_0134B2C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E7571	6_2_013E7571
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CD5B0	6_2_013CD5B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F95C3	6_2_013F95C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EF43F	6_2_013EF43F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01321460	6_2_01321460
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EF7B0	6_2_013EF7B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01375630	6_2_01375630
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E16CC	6_2_013E16CC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C5910	6_2_013C5910
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01339950	6_2_01339950
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134B950	6_2_0134B950
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139D800	6_2_0139D800
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013338E0	6_2_013338E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFB76	6_2_013EFB76
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134FB80	6_2_0134FB80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A5BF0	6_2_013A5BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136DBF9	6_2_0136DBF9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A3A6C	6_2_013A3A6C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFA49	6_2_013EFA49
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E7A46	6_2_013E7A46
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CDAAC	6_2_013CDAAC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01375AA0	6_2_01375AA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D1AA3	6_2_013D1AA3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DDAC6	6_2_013DDAC6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E7D73	6_2_013E7D73
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E1D5A	6_2_013E1D5A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01333D40	6_2_01333D40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134FDC0	6_2_0134FDC0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A9C32	6_2_013A9C32
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFCF2	6_2_013EFCF2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFF09	6_2_013EFF09
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EFFB1	6_2_013EFFB1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01331F92	6_2_01331F92
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F3FD5	6_2_012F3FD5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F3FD2	6_2_012F3FD2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01339EB0	6_2_01339EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5AA232	7_2_0E5AA232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A4B32	7_2_0E5A4B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A4B30	7_2_0E5A4B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A9036	7_2_0E5A9036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A0082	7_2_0E5A0082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A7912	7_2_0E5A7912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5A1D02	7_2_0E5A1D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5AD5CD	7_2_0E5AD5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0E821232	7_2_0E821232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E817082	7_2_0E817082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E820036	7_2_0E820036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E8245CD	7_2_0E8245CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0E818D02	7_2_0E818D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E81E912	7_2_0E81E912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E81BB30	7_2_0E81BB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E81BB32	7_2_0E81BB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD1DB30	7_2_0FD1DB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD1DB32	7_2_0FD1DB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD23232	7_2_0FD23232
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD265CD	7_2_0FD265CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD20912	7_2_0FD20912
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD1AD02	7_2_0FD1AD02
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD19082	7_2_0FD19082
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD22036	7_2_0FD22036
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_014BD3C4	8_2_014BD3C4
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A7438	8_2_054A7438
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A0040	8_2_054A0040
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A0006	8_2_054A0006
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_054A742A	8_2_054A742A
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0747E100	8_2_0747E100
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0747E7D8	8_2_0747E7D8
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548438	8_2_07548438
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07545F00	8_2_07545F00
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07544C30	8_2_07544C30
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754A778	8_2_0754A778
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754A788	8_2_0754A788
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07547F78	8_2_07547F78
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07545EF2	8_2_07545EF2
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07548D88	8_2_07548D88
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07544C21	8_2_07544C21
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07547B40	8_2_07547B40
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754AA10	8_2_0754AA10
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0754A9FF	8_2_0754A9FF
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D547D58	8_2_0D547D58
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D541528	8_2_0D541528
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D542C00	8_2_0D542C00
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D5410F0	8_2_0D5410F0
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D540C84	8_2_0D540C84
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D540CB8	8_2_0D540CB8
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D5427C8	8_2_0D5427C8
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0D542BEF	8_2_0D542BEF

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 013AF290 appears 103 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 01365130 appears 58 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 0139EA12 appears 86 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 01377E54 appears 107 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: String function: 0131B970 appears 262 times

Sample file is different than original file name gathered from version info

Source: z8eokahasflcrscooplasb.exe, 00000000.00000000.1690667748.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGUyZ.exe" vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1735007844.000000000149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1742886010.0000000007EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: \[FileVersionLegalCopyrightOriginalFilenameInternalNameCompanyNameProductNameProductVersionFileDescription vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.000000000141D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003471000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe	Binary or memory string: OriginalFilenameGUyZ.exe" vs z8eokahasflcrscooplasb.exe

Uses 32bit PE files

Source: z8eokahasflcrscooplasb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 4928, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 6892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: z8eokahasflcrscooplasb.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hmlPTospxjGJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, jNYRDG971dk7SO4v5G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@275/11@11/0

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Mutant created: \Sessions\1\BaseNamedObjects\TshhkPVhzWqKSHWyhPH

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8D16.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: z8eokahasflcrscooplasb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z8eokahasflcrscooplasb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z8eokahasflcrscooplasb.exe	ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File read: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wkscli.dll

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: z8eokahasflcrscooplasb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z8eokahasflcrscooplasb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z8eokahasflcrscooplasb.exe, z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z8eokahasflcrscooplasb.exe.5e70000.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	.Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_030BF550 pushfd ; iretd	0_2_030BF551
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_058CE4D0 pushfd ; retf	0_2_058CE4D9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_058C9A38 push eax; mov dword ptr [esp], ecx	0_2_058C9A3C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 0_2_07C7A656 push FFFFFF8Bh; iretd	0_2_07C7A65A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0040E851 push es; ret	6_2_0040E852
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0040E32C push ecx; retf	6_2_0040E32D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_00416BE6 push FFFFFF97h; retf	6_2_00416BEB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D475 push eax; ret	6_2_0041D4C8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D4C2 push eax; ret	6_2_0041D4C8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D4CB push eax; ret	6_2_0041D532
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0041D52C push eax; ret	6_2_0041D532
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F225F pushad ; ret	6_2_012F27F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F27FA pushad ; ret	6_2_012F27F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013209AD push ecx; mov dword ptr [esp], ecx	6_2_013209B6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F283D push eax; iretd	6_2_012F2858
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_012F1368 push eax; iretd	6_2_012F1369
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5ADB1E push esp; retn 0000h	7_2_0E5ADB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5ADB02 push esp; retn 0000h	7_2_0E5ADB03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5AD9B5 push esp; retn 0000h	7_2_0E5ADAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0E8249B5 push esp; retn 0000h	7_2_0E824AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0E824B02 push esp; retn 0000h	7_2_0E824B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E824B1E push esp; retn 0000h	7_2_0E824B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD26B1E push esp; retn 0000h	7_2_0FD26B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD26B02 push esp; retn 0000h	7_2_0FD26B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0FD269B5 push esp; retn 0000h	7_2_0FD26AE7
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_014BF552 push esp; iretd	8_2_014BF559
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_014BF550 pushfd ; iretd	8_2_014BF551
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_0747A658 push FFFFFF8Bh; iretd	8_2_0747A65A
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Code function: 8_2_07475430 push eax; ret	8_2_07475471

Source: z8eokahasflcrscooplasb.exe	Static PE information: section name: .text entropy: 7.682191163103425
Source: hmlPTospxjGJ.exe.0.dr	Static PE information: section name: .text entropy: 7.682191163103425

Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, nje90hqm69TkyRcnXC.cs	High entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs	High entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, F11h69LqNbPf7b3XvB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, a7JefkT7Z2TtvZZnlq.cs	High entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, lUjiwm1i1nlAZ4jwhl.cs	High entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, da3D1Z8UpD8wtXdnkt.cs	High entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, SoxLsa3qFKPFlIZhrF.cs	High entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, igfRPpFCAWqLyFLFLD.cs	High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs	High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, WaPWrpmndIlEOpwLqlY.cs	High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, kEJhRxotcfmbENZCX3.cs	High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, ILOV13HjDVch5qin0E.cs	High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, SIaKdCJeuGaUl0nEW8.cs	High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, jNYRDG971dk7SO4v5G.cs	High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs	High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, bXR3LJvGI9qF9TPnWA.cs	High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, o0sCkAzLFKOQbKwmSv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, vNW6mUaGNdZhkYQKnA.cs	High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DRw66CDUGC4CVZZDrD.cs	High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, yPqGQ9pWmptAFYRbaj.cs	High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs	High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'

Drops PE files

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

File created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: A69904 second address: A6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: A69B6E second address: A69B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 4F9904 second address: 4F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 4F9B6E second address: 4F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: 95F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: A5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: A800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: B800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: BF90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: CF90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory allocated: DF90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 8BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 7690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: ABE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: B540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: C540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory allocated: D550000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6723	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2950	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 419	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9525	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 9727

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe TID: 6632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4464	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep count: 419 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep time: -838000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep count: 9525 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep time: -19050000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe TID: 2188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep count: 242 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep time: -484000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep count: 9727 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660	Thread sleep time: -19454000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: explorer.exe, 00000007.00000000.1726180641.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000002.4147605314.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000007.00000000.1721047830.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000007.00000000.1726180641.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4148429051.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000007.00000002.4147605314.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1735007844.000000000151B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.4148429051.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.4144709532.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000007.00000002.4147527518.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Code function: 6_2_0040ACE0 LdrLoadDll,

6_2_0040ACE0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350124 mov eax, dword ptr fs:[00000030h]	6_2_01350124
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov ecx, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h]	6_2_013CA118
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E0115 mov eax, dword ptr fs:[00000030h]	6_2_013E0115
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h]	6_2_013CE10E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4164 mov eax, dword ptr fs:[00000030h]	6_2_013F4164
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4164 mov eax, dword ptr fs:[00000030h]	6_2_013F4164
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B8158 mov eax, dword ptr fs:[00000030h]	6_2_013B8158
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326154 mov eax, dword ptr fs:[00000030h]	6_2_01326154
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326154 mov eax, dword ptr fs:[00000030h]	6_2_01326154
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C156 mov eax, dword ptr fs:[00000030h]	6_2_0131C156
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov ecx, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h]	6_2_013B4144
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h]	6_2_013A019F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h]	6_2_0131A197
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h]	6_2_0131A197
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h]	6_2_0131A197
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01360185 mov eax, dword ptr fs:[00000030h]	6_2_01360185
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DC188 mov eax, dword ptr fs:[00000030h]	6_2_013DC188
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DC188 mov eax, dword ptr fs:[00000030h]	6_2_013DC188
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4180 mov eax, dword ptr fs:[00000030h]	6_2_013C4180
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4180 mov eax, dword ptr fs:[00000030h]	6_2_013C4180
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013501F8 mov eax, dword ptr fs:[00000030h]	6_2_013501F8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F61E5 mov eax, dword ptr fs:[00000030h]	6_2_013F61E5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0139E1D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E61C3 mov eax, dword ptr fs:[00000030h]	6_2_013E61C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E61C3 mov eax, dword ptr fs:[00000030h]	6_2_013E61C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6030 mov eax, dword ptr fs:[00000030h]	6_2_013B6030
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A020 mov eax, dword ptr fs:[00000030h]	6_2_0131A020
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C020 mov eax, dword ptr fs:[00000030h]	6_2_0131C020
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h]	6_2_0133E016
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A4000 mov ecx, dword ptr fs:[00000030h]	6_2_013A4000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]	6_2_013C2000
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134C073 mov eax, dword ptr fs:[00000030h]	6_2_0134C073
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322050 mov eax, dword ptr fs:[00000030h]	6_2_01322050
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6050 mov eax, dword ptr fs:[00000030h]	6_2_013A6050
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E60B8 mov eax, dword ptr fs:[00000030h]	6_2_013E60B8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E60B8 mov ecx, dword ptr fs:[00000030h]	6_2_013E60B8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013180A0 mov eax, dword ptr fs:[00000030h]	6_2_013180A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B80A8 mov eax, dword ptr fs:[00000030h]	6_2_013B80A8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132208A mov eax, dword ptr fs:[00000030h]	6_2_0132208A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0131C0F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013620F0 mov ecx, dword ptr fs:[00000030h]	6_2_013620F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0131A0E3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A60E0 mov eax, dword ptr fs:[00000030h]	6_2_013A60E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013280E9 mov eax, dword ptr fs:[00000030h]	6_2_013280E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A20DE mov eax, dword ptr fs:[00000030h]	6_2_013A20DE
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov ecx, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]	6_2_013F8324
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C310 mov ecx, dword ptr fs:[00000030h]	6_2_0131C310
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340310 mov ecx, dword ptr fs:[00000030h]	6_2_01340310
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]	6_2_0135A30B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]	6_2_0135A30B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]	6_2_0135A30B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C437C mov eax, dword ptr fs:[00000030h]	6_2_013C437C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov ecx, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]	6_2_013A035C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA352 mov eax, dword ptr fs:[00000030h]	6_2_013EA352
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C8350 mov ecx, dword ptr fs:[00000030h]	6_2_013C8350
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F634F mov eax, dword ptr fs:[00000030h]	6_2_013F634F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]	6_2_013A2349
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]	6_2_01318397
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]	6_2_01318397
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]	6_2_01318397
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]	6_2_0131E388
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]	6_2_0131E388
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]	6_2_0131E388
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134438F mov eax, dword ptr fs:[00000030h]	6_2_0134438F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134438F mov eax, dword ptr fs:[00000030h]	6_2_0134438F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0133E3F0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013563FF mov eax, dword ptr fs:[00000030h]	6_2_013563FF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]	6_2_013303E9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov ecx, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]	6_2_013CE3DB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C43D4 mov eax, dword ptr fs:[00000030h]	6_2_013C43D4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C43D4 mov eax, dword ptr fs:[00000030h]	6_2_013C43D4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DC3CD mov eax, dword ptr fs:[00000030h]	6_2_013DC3CD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0132A3C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]	6_2_013283C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A63C0 mov eax, dword ptr fs:[00000030h]	6_2_013A63C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131823B mov eax, dword ptr fs:[00000030h]	6_2_0131823B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]	6_2_013D0274
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]	6_2_01324260
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]	6_2_01324260
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]	6_2_01324260
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131826B mov eax, dword ptr fs:[00000030h]	6_2_0131826B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131A250 mov eax, dword ptr fs:[00000030h]	6_2_0131A250
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F625D mov eax, dword ptr fs:[00000030h]	6_2_013F625D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326259 mov eax, dword ptr fs:[00000030h]	6_2_01326259
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA250 mov eax, dword ptr fs:[00000030h]	6_2_013DA250
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA250 mov eax, dword ptr fs:[00000030h]	6_2_013DA250
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A8243 mov eax, dword ptr fs:[00000030h]	6_2_013A8243
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A8243 mov ecx, dword ptr fs:[00000030h]	6_2_013A8243
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302A0 mov eax, dword ptr fs:[00000030h]	6_2_013302A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302A0 mov eax, dword ptr fs:[00000030h]	6_2_013302A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov ecx, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]	6_2_013B62A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E284 mov eax, dword ptr fs:[00000030h]	6_2_0135E284
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E284 mov eax, dword ptr fs:[00000030h]	6_2_0135E284
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]	6_2_013A0283
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]	6_2_013A0283
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]	6_2_013A0283
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]	6_2_013302E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]	6_2_013302E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]	6_2_013302E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F62D6 mov eax, dword ptr fs:[00000030h]	6_2_013F62D6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0132A2C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]	6_2_01330535
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]	6_2_0134E53E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6500 mov eax, dword ptr fs:[00000030h]	6_2_013B6500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]	6_2_013F4500
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]	6_2_0135656A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]	6_2_0135656A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]	6_2_0135656A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328550 mov eax, dword ptr fs:[00000030h]	6_2_01328550
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328550 mov eax, dword ptr fs:[00000030h]	6_2_01328550
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013445B1 mov eax, dword ptr fs:[00000030h]	6_2_013445B1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013445B1 mov eax, dword ptr fs:[00000030h]	6_2_013445B1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]	6_2_013A05A7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]	6_2_013A05A7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]	6_2_013A05A7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E59C mov eax, dword ptr fs:[00000030h]	6_2_0135E59C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322582 mov eax, dword ptr fs:[00000030h]	6_2_01322582
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01322582 mov ecx, dword ptr fs:[00000030h]	6_2_01322582
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01354588 mov eax, dword ptr fs:[00000030h]	6_2_01354588
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013225E0 mov eax, dword ptr fs:[00000030h]	6_2_013225E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0134E5E7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C5ED mov eax, dword ptr fs:[00000030h]	6_2_0135C5ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C5ED mov eax, dword ptr fs:[00000030h]	6_2_0135C5ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013265D0 mov eax, dword ptr fs:[00000030h]	6_2_013265D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0135A5D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0135A5D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E5CF mov eax, dword ptr fs:[00000030h]	6_2_0135E5CF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E5CF mov eax, dword ptr fs:[00000030h]	6_2_0135E5CF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]	6_2_0131E420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]	6_2_0131E420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]	6_2_0131E420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131C427 mov eax, dword ptr fs:[00000030h]	6_2_0131C427
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]	6_2_013A6420
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]	6_2_01358402
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]	6_2_01358402
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]	6_2_01358402
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134A470 mov eax, dword ptr fs:[00000030h]	6_2_0134A470
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134A470 mov eax, dword ptr fs:[00000030h]	6_2_0134A470
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134A470 mov eax, dword ptr fs:[00000030h]	6_2_0134A470
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC460 mov ecx, dword ptr fs:[00000030h]	6_2_013AC460
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA456 mov eax, dword ptr fs:[00000030h]	6_2_013DA456
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131645D mov eax, dword ptr fs:[00000030h]	6_2_0131645D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134245A mov eax, dword ptr fs:[00000030h]	6_2_0134245A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135E443 mov eax, dword ptr fs:[00000030h]	6_2_0135E443
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013544B0 mov ecx, dword ptr fs:[00000030h]	6_2_013544B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AA4B0 mov eax, dword ptr fs:[00000030h]	6_2_013AA4B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013264AB mov eax, dword ptr fs:[00000030h]	6_2_013264AB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013DA49A mov eax, dword ptr fs:[00000030h]	6_2_013DA49A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013204E5 mov ecx, dword ptr fs:[00000030h]	6_2_013204E5
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135273C mov eax, dword ptr fs:[00000030h]	6_2_0135273C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135273C mov ecx, dword ptr fs:[00000030h]	6_2_0135273C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135273C mov eax, dword ptr fs:[00000030h]	6_2_0135273C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139C730 mov eax, dword ptr fs:[00000030h]	6_2_0139C730
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C720 mov eax, dword ptr fs:[00000030h]	6_2_0135C720
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C720 mov eax, dword ptr fs:[00000030h]	6_2_0135C720
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320710 mov eax, dword ptr fs:[00000030h]	6_2_01320710
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350710 mov eax, dword ptr fs:[00000030h]	6_2_01350710
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C700 mov eax, dword ptr fs:[00000030h]	6_2_0135C700
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328770 mov eax, dword ptr fs:[00000030h]	6_2_01328770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330770 mov eax, dword ptr fs:[00000030h]	6_2_01330770
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320750 mov eax, dword ptr fs:[00000030h]	6_2_01320750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362750 mov eax, dword ptr fs:[00000030h]	6_2_01362750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362750 mov eax, dword ptr fs:[00000030h]	6_2_01362750
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE75D mov eax, dword ptr fs:[00000030h]	6_2_013AE75D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A4755 mov eax, dword ptr fs:[00000030h]	6_2_013A4755
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135674D mov esi, dword ptr fs:[00000030h]	6_2_0135674D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135674D mov eax, dword ptr fs:[00000030h]	6_2_0135674D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135674D mov eax, dword ptr fs:[00000030h]	6_2_0135674D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013207AF mov eax, dword ptr fs:[00000030h]	6_2_013207AF
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D47A0 mov eax, dword ptr fs:[00000030h]	6_2_013D47A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C678E mov eax, dword ptr fs:[00000030h]	6_2_013C678E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013247FB mov eax, dword ptr fs:[00000030h]	6_2_013247FB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013247FB mov eax, dword ptr fs:[00000030h]	6_2_013247FB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013427ED mov eax, dword ptr fs:[00000030h]	6_2_013427ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013427ED mov eax, dword ptr fs:[00000030h]	6_2_013427ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013427ED mov eax, dword ptr fs:[00000030h]	6_2_013427ED
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE7E1 mov eax, dword ptr fs:[00000030h]	6_2_013AE7E1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0132C7C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A07C3 mov eax, dword ptr fs:[00000030h]	6_2_013A07C3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133E627 mov eax, dword ptr fs:[00000030h]	6_2_0133E627
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01356620 mov eax, dword ptr fs:[00000030h]	6_2_01356620
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358620 mov eax, dword ptr fs:[00000030h]	6_2_01358620
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132262C mov eax, dword ptr fs:[00000030h]	6_2_0132262C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01362619 mov eax, dword ptr fs:[00000030h]	6_2_01362619
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E609 mov eax, dword ptr fs:[00000030h]	6_2_0139E609
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133260B mov eax, dword ptr fs:[00000030h]	6_2_0133260B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01352674 mov eax, dword ptr fs:[00000030h]	6_2_01352674
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E866E mov eax, dword ptr fs:[00000030h]	6_2_013E866E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E866E mov eax, dword ptr fs:[00000030h]	6_2_013E866E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A660 mov eax, dword ptr fs:[00000030h]	6_2_0135A660
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A660 mov eax, dword ptr fs:[00000030h]	6_2_0135A660
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0133C640 mov eax, dword ptr fs:[00000030h]	6_2_0133C640
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013566B0 mov eax, dword ptr fs:[00000030h]	6_2_013566B0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0135C6A6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324690 mov eax, dword ptr fs:[00000030h]	6_2_01324690
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324690 mov eax, dword ptr fs:[00000030h]	6_2_01324690
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0139E6F2
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A06F1 mov eax, dword ptr fs:[00000030h]	6_2_013A06F1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A06F1 mov eax, dword ptr fs:[00000030h]	6_2_013A06F1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0135A6C7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0135A6C7
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A892A mov eax, dword ptr fs:[00000030h]	6_2_013A892A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B892B mov eax, dword ptr fs:[00000030h]	6_2_013B892B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC912 mov eax, dword ptr fs:[00000030h]	6_2_013AC912
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318918 mov eax, dword ptr fs:[00000030h]	6_2_01318918
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318918 mov eax, dword ptr fs:[00000030h]	6_2_01318918
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E908 mov eax, dword ptr fs:[00000030h]	6_2_0139E908
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139E908 mov eax, dword ptr fs:[00000030h]	6_2_0139E908
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4978 mov eax, dword ptr fs:[00000030h]	6_2_013C4978
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C4978 mov eax, dword ptr fs:[00000030h]	6_2_013C4978
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC97C mov eax, dword ptr fs:[00000030h]	6_2_013AC97C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962 mov eax, dword ptr fs:[00000030h]	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962 mov eax, dword ptr fs:[00000030h]	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01346962 mov eax, dword ptr fs:[00000030h]	6_2_01346962
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136096E mov eax, dword ptr fs:[00000030h]	6_2_0136096E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136096E mov edx, dword ptr fs:[00000030h]	6_2_0136096E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0136096E mov eax, dword ptr fs:[00000030h]	6_2_0136096E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A0946 mov eax, dword ptr fs:[00000030h]	6_2_013A0946
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4940 mov eax, dword ptr fs:[00000030h]	6_2_013F4940
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A89B3 mov esi, dword ptr fs:[00000030h]	6_2_013A89B3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A89B3 mov eax, dword ptr fs:[00000030h]	6_2_013A89B3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013A89B3 mov eax, dword ptr fs:[00000030h]	6_2_013A89B3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013329A0 mov eax, dword ptr fs:[00000030h]	6_2_013329A0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013209AD mov eax, dword ptr fs:[00000030h]	6_2_013209AD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013209AD mov eax, dword ptr fs:[00000030h]	6_2_013209AD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013529F9 mov eax, dword ptr fs:[00000030h]	6_2_013529F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013529F9 mov eax, dword ptr fs:[00000030h]	6_2_013529F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE9E0 mov eax, dword ptr fs:[00000030h]	6_2_013AE9E0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0132A9D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013549D0 mov eax, dword ptr fs:[00000030h]	6_2_013549D0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA9D3 mov eax, dword ptr fs:[00000030h]	6_2_013EA9D3
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B69C0 mov eax, dword ptr fs:[00000030h]	6_2_013B69C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov ecx, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01342835 mov eax, dword ptr fs:[00000030h]	6_2_01342835
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135A830 mov eax, dword ptr fs:[00000030h]	6_2_0135A830
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C483A mov eax, dword ptr fs:[00000030h]	6_2_013C483A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C483A mov eax, dword ptr fs:[00000030h]	6_2_013C483A
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC810 mov eax, dword ptr fs:[00000030h]	6_2_013AC810
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE872 mov eax, dword ptr fs:[00000030h]	6_2_013AE872
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AE872 mov eax, dword ptr fs:[00000030h]	6_2_013AE872
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6870 mov eax, dword ptr fs:[00000030h]	6_2_013B6870
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6870 mov eax, dword ptr fs:[00000030h]	6_2_013B6870
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01350854 mov eax, dword ptr fs:[00000030h]	6_2_01350854
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324859 mov eax, dword ptr fs:[00000030h]	6_2_01324859
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01324859 mov eax, dword ptr fs:[00000030h]	6_2_01324859
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01332840 mov ecx, dword ptr fs:[00000030h]	6_2_01332840
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013AC89D mov eax, dword ptr fs:[00000030h]	6_2_013AC89D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320887 mov eax, dword ptr fs:[00000030h]	6_2_01320887
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0135C8F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0135C8F9
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EA8E4 mov eax, dword ptr fs:[00000030h]	6_2_013EA8E4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0134E8C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F08C0 mov eax, dword ptr fs:[00000030h]	6_2_013F08C0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EB20 mov eax, dword ptr fs:[00000030h]	6_2_0134EB20
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EB20 mov eax, dword ptr fs:[00000030h]	6_2_0134EB20
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E8B28 mov eax, dword ptr fs:[00000030h]	6_2_013E8B28
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013E8B28 mov eax, dword ptr fs:[00000030h]	6_2_013E8B28
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139EB1D mov eax, dword ptr fs:[00000030h]	6_2_0139EB1D
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F4B00 mov eax, dword ptr fs:[00000030h]	6_2_013F4B00
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0131CB7E mov eax, dword ptr fs:[00000030h]	6_2_0131CB7E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01318B50 mov eax, dword ptr fs:[00000030h]	6_2_01318B50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013F2B57 mov eax, dword ptr fs:[00000030h]	6_2_013F2B57
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CEB50 mov eax, dword ptr fs:[00000030h]	6_2_013CEB50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4B4B mov eax, dword ptr fs:[00000030h]	6_2_013D4B4B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4B4B mov eax, dword ptr fs:[00000030h]	6_2_013D4B4B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6B40 mov eax, dword ptr fs:[00000030h]	6_2_013B6B40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013B6B40 mov eax, dword ptr fs:[00000030h]	6_2_013B6B40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013EAB40 mov eax, dword ptr fs:[00000030h]	6_2_013EAB40
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013C8B42 mov eax, dword ptr fs:[00000030h]	6_2_013C8B42
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330BBE mov eax, dword ptr fs:[00000030h]	6_2_01330BBE
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330BBE mov eax, dword ptr fs:[00000030h]	6_2_01330BBE
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4BB0 mov eax, dword ptr fs:[00000030h]	6_2_013D4BB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013D4BB0 mov eax, dword ptr fs:[00000030h]	6_2_013D4BB0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328BF0 mov eax, dword ptr fs:[00000030h]	6_2_01328BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328BF0 mov eax, dword ptr fs:[00000030h]	6_2_01328BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328BF0 mov eax, dword ptr fs:[00000030h]	6_2_01328BF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EBFC mov eax, dword ptr fs:[00000030h]	6_2_0134EBFC
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013ACBF0 mov eax, dword ptr fs:[00000030h]	6_2_013ACBF0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CEBD0 mov eax, dword ptr fs:[00000030h]	6_2_013CEBD0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340BCB mov eax, dword ptr fs:[00000030h]	6_2_01340BCB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340BCB mov eax, dword ptr fs:[00000030h]	6_2_01340BCB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01340BCB mov eax, dword ptr fs:[00000030h]	6_2_01340BCB
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320BCD mov eax, dword ptr fs:[00000030h]	6_2_01320BCD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320BCD mov eax, dword ptr fs:[00000030h]	6_2_01320BCD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01320BCD mov eax, dword ptr fs:[00000030h]	6_2_01320BCD
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01344A35 mov eax, dword ptr fs:[00000030h]	6_2_01344A35
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01344A35 mov eax, dword ptr fs:[00000030h]	6_2_01344A35
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA24 mov eax, dword ptr fs:[00000030h]	6_2_0135CA24
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0134EA2E mov eax, dword ptr fs:[00000030h]	6_2_0134EA2E
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013ACA11 mov eax, dword ptr fs:[00000030h]	6_2_013ACA11
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139CA72 mov eax, dword ptr fs:[00000030h]	6_2_0139CA72
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0139CA72 mov eax, dword ptr fs:[00000030h]	6_2_0139CA72
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA6F mov eax, dword ptr fs:[00000030h]	6_2_0135CA6F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA6F mov eax, dword ptr fs:[00000030h]	6_2_0135CA6F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0135CA6F mov eax, dword ptr fs:[00000030h]	6_2_0135CA6F
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_013CEA60 mov eax, dword ptr fs:[00000030h]	6_2_013CEA60
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01326A50 mov eax, dword ptr fs:[00000030h]	6_2_01326A50
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330A5B mov eax, dword ptr fs:[00000030h]	6_2_01330A5B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01330A5B mov eax, dword ptr fs:[00000030h]	6_2_01330A5B
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328AA0 mov eax, dword ptr fs:[00000030h]	6_2_01328AA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01328AA0 mov eax, dword ptr fs:[00000030h]	6_2_01328AA0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01376AA4 mov eax, dword ptr fs:[00000030h]	6_2_01376AA4
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_01358A90 mov edx, dword ptr fs:[00000030h]	6_2_01358A90
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Code function: 6_2_0132EA80 mov eax, dword ptr fs:[00000030h]	6_2_0132EA80

Enables debug privileges

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	NtClose: Indirect: 0x12CA56C
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	NtQueueApcThread: Indirect: 0x12CA4F2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	NtClose: Indirect: 0xD9A56C
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	NtQueueApcThread: Indirect: 0xD9A4F2

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Memory written: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Memory written: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 2580
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Thread register set: target process: 2580

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: B10000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: B30000

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"

Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 00000007.00000002.4140317801.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Windows Analysis Report
z8eokahasflcrscooplasb.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

ID:	1544269
Product:	CloudBasic
Start time:	07:31:04
Start date:	29.10.2024
Sample:	z8eokahasflcrscooplasb.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1660c33123052f15e4e63891f23ddd1e
SHA1:	3b93eb0499260f494066d6a28f1238c1c440b04f
SHA256:	44ab353624b9e867ae31a0523437ed8e321f361d248b471c15bd2902255280f3
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hmlPTospxjGJ.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z8eokahasflcrscooplasb.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	9FD1653F89C63CD3E067EF7508AA964D	CB3FFD37D9680F8610EFC94979E359651C2EE2EB	8F7DFF97B9E70918B70474AF53FC5B61DB6A5C06D708A6F0CB5533365F5E4228
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0y5qpgge.cea.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2elehaun.fi1.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sdrgnhs.a3v.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ek0isiyk.gxo.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp8D16.tmp	XML 1.0 document, ASCII text	157BFC3A891BD3FB7906AEF57C7F2B03	02B9688B66A02BDCEF32258D5DF9B75FB2E6471B	E6EE6580D9AFDE278A39E32F2B062083C486185466A6A638F9F531A433EE6890
C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp	XML 1.0 document, ASCII text	157BFC3A891BD3FB7906AEF57C7F2B03	02B9688B66A02BDCEF32258D5DF9B75FB2E6471B	E6EE6580D9AFDE278A39E32F2B062083C486185466A6A638F9F531A433EE6890
C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	1660C33123052F15E4E63891F23DDD1E	3B93EB0499260F494066D6A28F1238C1C440B04F	44AB353624B9E867AE31A0523437ED8E321F361D248B471C15BD2902255280F3
C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report z8eokahasflcrscooplasb.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report
z8eokahasflcrscooplasb.exe

Malware Threat Intel
Provided by