Windows Analysis Report
0GuwV0t2UU.exe

AI detected suspicious sample

Source: Yara match

File source: 00000006.00000002.3534624470.0000000000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 0GuwV0t2UU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.6:49983 version: TLS 1.2

Source: 0GuwV0t2UU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 0GuwV0t2UU.exe, 00000006.00000003.3501913064.0000000037715000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000002.3561108031.00000000378C0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3499817992.000000003756B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 0GuwV0t2UU.exe, 0GuwV0t2UU.exe, 00000006.00000003.3501913064.0000000037715000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000002.3561108031.00000000378C0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3499817992.000000003756B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_004069FF FindFirstFileW,FindClose,	0_2_004069FF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405DAE

Source: Joe Sandbox View

IP Address: 193.107.36.30 193.107.36.30

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49746
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49934

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /escDKcLKdKFF2.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: alfacen.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: alfacen.com

Source: 0GuwV0t2UU.exe, 00000000.00000000.2116328758.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 0GuwV0t2UU.exe, 00000000.00000002.3135422638.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 0GuwV0t2UU.exe, 00000006.00000000.3132180633.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 0GuwV0t2UU.exe, 00000006.00000002.3541181900.0000000007813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/
Source: 0GuwV0t2UU.exe, 00000006.00000002.3541181900.0000000007813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/&K
Source: 0GuwV0t2UU.exe, 00000006.00000002.3541241912.0000000007829000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3500358754.0000000007827000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000002.3541090682.0000000007730000.00000004.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3500504716.0000000007827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/escDKcLKdKFF2.bin
Source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.6:49983 version: TLS 1.2

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_00405866 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405866

E-Banking Fraud

Source: Yara match

File source: 00000006.00000002.3534624470.0000000000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379335C0 NtCreateMutant,LdrInitializeThunk,	6_2_379335C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_37932DF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37933090 NtSetValueKey,	6_2_37933090
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37933010 NtOpenDirectoryObject,	6_2_37933010
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37933D10 NtOpenProcessToken,	6_2_37933D10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37933D70 NtOpenThread,	6_2_37933D70
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379339B0 NtGetContextThread,	6_2_379339B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37934650 NtSuspendThread,	6_2_37934650
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37934340 NtSetContextThread,	6_2_37934340
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932F90 NtProtectVirtualMemory,	6_2_37932F90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932FB0 NtResumeThread,	6_2_37932FB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932FA0 NtQuerySection,	6_2_37932FA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932FE0 NtCreateFile,	6_2_37932FE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932F30 NtCreateSection,	6_2_37932F30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932F60 NtCreateProcessEx,	6_2_37932F60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932E80 NtReadVirtualMemory,	6_2_37932E80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932EA0 NtAdjustPrivilegesToken,	6_2_37932EA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932EE0 NtQueueApcThread,	6_2_37932EE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932E30 NtWriteVirtualMemory,	6_2_37932E30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932DB0 NtEnumerateKey,	6_2_37932DB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932DD0 NtDelayExecution,	6_2_37932DD0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932D10 NtMapViewOfSection,	6_2_37932D10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932D00 NtSetInformationFile,	6_2_37932D00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932D30 NtUnmapViewOfSection,	6_2_37932D30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932CA0 NtQueryInformationToken,	6_2_37932CA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932CC0 NtQueryVirtualMemory,	6_2_37932CC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932CF0 NtOpenProcess,	6_2_37932CF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932C00 NtQueryInformationProcess,	6_2_37932C00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932C70 NtFreeVirtualMemory,	6_2_37932C70
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932C60 NtCreateKey,	6_2_37932C60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932B80 NtQueryInformationFile,	6_2_37932B80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932BA0 NtEnumerateValueKey,	6_2_37932BA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932BF0 NtAllocateVirtualMemory,	6_2_37932BF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932BE0 NtQueryValueKey,	6_2_37932BE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932B60 NtClose,	6_2_37932B60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932AB0 NtWaitForSingleObject,	6_2_37932AB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932AD0 NtReadFile,	6_2_37932AD0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37932AF0 NtWriteFile,	6_2_37932AF0

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403665

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Windows\resources\0809

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00406DC0	0_2_00406DC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_738B1BFF	0_2_738B1BFF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BF7B0	6_2_379BF7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B16CC	6_2_379B16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799D5B0	6_2_3799D5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B7571	6_2_379B7571
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BF43F	6_2_379BF43F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1460	6_2_378F1460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3794739A	6_2_3794739A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B132D	6_2_379B132D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378ED34C	6_2_378ED34C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379052A0	6_2_379052A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790B1B0	6_2_3790B1B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379CB16B	6_2_379CB16B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3793516C	6_2_3793516C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF0CC	6_2_379AF0CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B70E9	6_2_379B70E9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BF0E0	6_2_379BF0E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BFFB1	6_2_379BFFB1
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378C3FD5	6_2_378C3FD5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378C3FD2	6_2_378C3FD2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BFF09	6_2_379BFF09
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37909EB0	6_2_37909EB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791FDC0	6_2_3791FDC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B1D5A	6_2_379B1D5A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37903D40	6_2_37903D40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B7D73	6_2_379B7D73
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BFCF2	6_2_379BFCF2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37979C32	6_2_37979C32
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791FB80	6_2_3791FB80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37975BF0	6_2_37975BF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3793DBF9	6_2_3793DBF9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BFB76	6_2_379BFB76
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37945AA0	6_2_37945AA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799DAAC	6_2_3799DAAC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A1AA3	6_2_379A1AA3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379ADAC6	6_2_379ADAC6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BFA49	6_2_379BFA49
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B7A46	6_2_379B7A46
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37973A6C	6_2_37973A6C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37995910	6_2_37995910
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37909950	6_2_37909950
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B950	6_2_3791B950
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379038E0	6_2_379038E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796D800	6_2_3796D800
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FC7C0	6_2_378FC7C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37924750	6_2_37924750
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37900770	6_2_37900770
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791C6E0	6_2_3791C6E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C0591	6_2_379C0591
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37900535	6_2_37900535
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AE4F6	6_2_379AE4F6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A4420	6_2_379A4420
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B2446	6_2_379B2446
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790E3F0	6_2_3790E3F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C03E6	6_2_379C03E6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BA352	6_2_379BA352
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379802C0	6_2_379802C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A0274	6_2_379A0274
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C01AA	6_2_379C01AA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B41A2	6_2_379B41A2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B81CC	6_2_379B81CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799A118	6_2_3799A118
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F0100	6_2_378F0100
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37988158	6_2_37988158
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37992000	6_2_37992000
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797EFA0	6_2_3797EFA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F2FC8	6_2_378F2FC8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790CFE0	6_2_3790CFE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37920F30	6_2_37920F30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A2F30	6_2_379A2F30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37942F28	6_2_37942F28
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37974F40	6_2_37974F40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37912E90	6_2_37912E90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BCE93	6_2_379BCE93
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BEEDB	6_2_379BEEDB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BEE26	6_2_379BEE26
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37900E59	6_2_37900E59
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37918DBF	6_2_37918DBF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FADE0	6_2_378FADE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799CD1F	6_2_3799CD1F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790AD00	6_2_3790AD00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A0CB5	6_2_379A0CB5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F0CF2	6_2_378F0CF2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37900C00	6_2_37900C00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B6BD7	6_2_379B6BD7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BAB40	6_2_379BAB40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FEA80	6_2_378FEA80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379029A0	6_2_379029A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379CA9A6	6_2_379CA9A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37916962	6_2_37916962
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E68B8	6_2_378E68B8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792E8F0	6_2_3792E8F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790A840	6_2_3790A840
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37902840	6_2_37902840

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 37935130 appears 58 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 3796EA12 appears 86 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 37947E54 appears 102 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 378EB970 appears 280 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 3797F290 appears 105 times

Source: 0GuwV0t2UU.exe

Static PE information: invalid certificate

Source: 0GuwV0t2UU.exe, 00000006.00000003.3499817992.000000003768E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 0GuwV0t2UU.exe
Source: 0GuwV0t2UU.exe, 00000006.00000002.3561108031.00000000379ED000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 0GuwV0t2UU.exe
Source: 0GuwV0t2UU.exe, 00000006.00000003.3501913064.0000000037842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 0GuwV0t2UU.exe

Source: 0GuwV0t2UU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/9@1/1

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

0_2_00403665

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_00404B12 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404B12

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Users\user\fllesskabsejede

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Users\user\AppData\Local\Temp\nsxBCAD.tmp

Source: 0GuwV0t2UU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 0GuwV0t2UU.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File read: C:\Users\user\Desktop\0GuwV0t2UU.exe

Source: unknown	Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Switches to a custom stack to bypass stack traces

Source: 0GuwV0t2UU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 0GuwV0t2UU.exe, 00000006.00000003.3501913064.0000000037715000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000002.3561108031.00000000378C0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3499817992.000000003756B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 0GuwV0t2UU.exe, 0GuwV0t2UU.exe, 00000006.00000003.3501913064.0000000037715000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000002.3561108031.00000000378C0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3499817992.000000003756B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3136688190.00000000049AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_738B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_738B1BFF

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_738B30C0 push eax; ret	0_2_738B30EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378C27FA pushad ; ret	6_2_378C27F9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378C225F pushad ; ret	6_2_378C27F9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F09AD push ecx; mov dword ptr [esp], ecx	6_2_378F09B6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378C283D push eax; iretd	6_2_378C2858

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Users\user\AppData\Local\Temp\nsiBDD8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API/Special instruction interceptor: Address: 4C6D03F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API/Special instruction interceptor: Address: 2DFD03F

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	RDTSC instruction interceptor: First address: 4C2BA61 second address: 4C2BA61 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F09C4E04E97h 0x00000006 cmp bl, FFFFFF9Fh 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	RDTSC instruction interceptor: First address: 2DBBA61 second address: 2DBBA61 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F09C50BED97h 0x00000006 cmp bl, FFFFFF9Fh 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 6_2_3796D1C0 rdtsc

6_2_3796D1C0

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiBDD8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

API coverage: 0.1 %

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe TID: 2032

Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_004069FF FindFirstFileW,FindClose,	0_2_004069FF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405DAE

Source: 0GuwV0t2UU.exe, 00000006.00000002.3541241912.000000000783D000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3500358754.000000000783D000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000006.00000003.3500504716.000000000783D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API call chain: ExitProcess graph end node			graph_0-4524
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API call chain: ExitProcess graph end node			graph_0-4521

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 6_2_3796D1C0 rdtsc

6_2_3796D1C0

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 6_2_379335C0 NtCreateMutant,LdrInitializeThunk,

6_2_379335C0

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_738B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_738B1BFF

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF78A mov eax, dword ptr fs:[00000030h]	6_2_379AF78A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791D7B0 mov eax, dword ptr fs:[00000030h]	6_2_3791D7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C37B6 mov eax, dword ptr fs:[00000030h]	6_2_379C37B6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AD7B0 mov eax, dword ptr fs:[00000030h]	6_2_379AD7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AD7B0 mov eax, dword ptr fs:[00000030h]	6_2_379AD7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF7BA mov eax, dword ptr fs:[00000030h]	6_2_378EF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797F7AF mov eax, dword ptr fs:[00000030h]	6_2_3797F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797F7AF mov eax, dword ptr fs:[00000030h]	6_2_3797F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797F7AF mov eax, dword ptr fs:[00000030h]	6_2_3797F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797F7AF mov eax, dword ptr fs:[00000030h]	6_2_3797F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797F7AF mov eax, dword ptr fs:[00000030h]	6_2_3797F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379797A9 mov eax, dword ptr fs:[00000030h]	6_2_379797A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F57C0 mov eax, dword ptr fs:[00000030h]	6_2_378F57C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F57C0 mov eax, dword ptr fs:[00000030h]	6_2_378F57C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F57C0 mov eax, dword ptr fs:[00000030h]	6_2_378F57C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD7E0 mov ecx, dword ptr fs:[00000030h]	6_2_378FD7E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F7703 mov eax, dword ptr fs:[00000030h]	6_2_378F7703
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F5702 mov eax, dword ptr fs:[00000030h]	6_2_378F5702
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F5702 mov eax, dword ptr fs:[00000030h]	6_2_378F5702
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792F71F mov eax, dword ptr fs:[00000030h]	6_2_3792F71F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792F71F mov eax, dword ptr fs:[00000030h]	6_2_3792F71F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379CB73C mov eax, dword ptr fs:[00000030h]	6_2_379CB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379CB73C mov eax, dword ptr fs:[00000030h]	6_2_379CB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379CB73C mov eax, dword ptr fs:[00000030h]	6_2_379CB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379CB73C mov eax, dword ptr fs:[00000030h]	6_2_379CB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37925734 mov eax, dword ptr fs:[00000030h]	6_2_37925734
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3720 mov eax, dword ptr fs:[00000030h]	6_2_378F3720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F720 mov eax, dword ptr fs:[00000030h]	6_2_3790F720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F720 mov eax, dword ptr fs:[00000030h]	6_2_3790F720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F720 mov eax, dword ptr fs:[00000030h]	6_2_3790F720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B972B mov eax, dword ptr fs:[00000030h]	6_2_379B972B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF72E mov eax, dword ptr fs:[00000030h]	6_2_379AF72E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F973A mov eax, dword ptr fs:[00000030h]	6_2_378F973A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F973A mov eax, dword ptr fs:[00000030h]	6_2_378F973A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9730 mov eax, dword ptr fs:[00000030h]	6_2_378E9730
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9730 mov eax, dword ptr fs:[00000030h]	6_2_378E9730
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799375F mov eax, dword ptr fs:[00000030h]	6_2_3799375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799375F mov eax, dword ptr fs:[00000030h]	6_2_3799375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799375F mov eax, dword ptr fs:[00000030h]	6_2_3799375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799375F mov eax, dword ptr fs:[00000030h]	6_2_3799375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799375F mov eax, dword ptr fs:[00000030h]	6_2_3799375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37903740 mov eax, dword ptr fs:[00000030h]	6_2_37903740
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37903740 mov eax, dword ptr fs:[00000030h]	6_2_37903740
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37903740 mov eax, dword ptr fs:[00000030h]	6_2_37903740
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C3749 mov eax, dword ptr fs:[00000030h]	6_2_379C3749
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB765 mov eax, dword ptr fs:[00000030h]	6_2_378EB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB765 mov eax, dword ptr fs:[00000030h]	6_2_378EB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB765 mov eax, dword ptr fs:[00000030h]	6_2_378EB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB765 mov eax, dword ptr fs:[00000030h]	6_2_378EB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797368C mov eax, dword ptr fs:[00000030h]	6_2_3797368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797368C mov eax, dword ptr fs:[00000030h]	6_2_3797368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797368C mov eax, dword ptr fs:[00000030h]	6_2_3797368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797368C mov eax, dword ptr fs:[00000030h]	6_2_3797368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378ED6AA mov eax, dword ptr fs:[00000030h]	6_2_378ED6AA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378ED6AA mov eax, dword ptr fs:[00000030h]	6_2_378ED6AA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E76B2 mov eax, dword ptr fs:[00000030h]	6_2_378E76B2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E76B2 mov eax, dword ptr fs:[00000030h]	6_2_378E76B2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E76B2 mov eax, dword ptr fs:[00000030h]	6_2_378E76B2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB6C0 mov eax, dword ptr fs:[00000030h]	6_2_378FB6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB6C0 mov eax, dword ptr fs:[00000030h]	6_2_378FB6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB6C0 mov eax, dword ptr fs:[00000030h]	6_2_378FB6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB6C0 mov eax, dword ptr fs:[00000030h]	6_2_378FB6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB6C0 mov eax, dword ptr fs:[00000030h]	6_2_378FB6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB6C0 mov eax, dword ptr fs:[00000030h]	6_2_378FB6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B16CC mov eax, dword ptr fs:[00000030h]	6_2_379B16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B16CC mov eax, dword ptr fs:[00000030h]	6_2_379B16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B16CC mov eax, dword ptr fs:[00000030h]	6_2_379B16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B16CC mov eax, dword ptr fs:[00000030h]	6_2_379B16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF6C7 mov eax, dword ptr fs:[00000030h]	6_2_379AF6C7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379216CF mov eax, dword ptr fs:[00000030h]	6_2_379216CF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AD6F0 mov eax, dword ptr fs:[00000030h]	6_2_379AD6F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791D6E0 mov eax, dword ptr fs:[00000030h]	6_2_3791D6E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791D6E0 mov eax, dword ptr fs:[00000030h]	6_2_3791D6E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379836EE mov eax, dword ptr fs:[00000030h]	6_2_379836EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379836EE mov eax, dword ptr fs:[00000030h]	6_2_379836EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379836EE mov eax, dword ptr fs:[00000030h]	6_2_379836EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379836EE mov eax, dword ptr fs:[00000030h]	6_2_379836EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379836EE mov eax, dword ptr fs:[00000030h]	6_2_379836EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379836EE mov eax, dword ptr fs:[00000030h]	6_2_379836EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379236EF mov eax, dword ptr fs:[00000030h]	6_2_379236EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792F603 mov eax, dword ptr fs:[00000030h]	6_2_3792F603
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37921607 mov eax, dword ptr fs:[00000030h]	6_2_37921607
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3616 mov eax, dword ptr fs:[00000030h]	6_2_378F3616
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3616 mov eax, dword ptr fs:[00000030h]	6_2_378F3616
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF626 mov eax, dword ptr fs:[00000030h]	6_2_378EF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5636 mov eax, dword ptr fs:[00000030h]	6_2_379C5636
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37929660 mov eax, dword ptr fs:[00000030h]	6_2_37929660
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37929660 mov eax, dword ptr fs:[00000030h]	6_2_37929660
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3798D660 mov eax, dword ptr fs:[00000030h]	6_2_3798D660
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E758F mov eax, dword ptr fs:[00000030h]	6_2_378E758F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E758F mov eax, dword ptr fs:[00000030h]	6_2_378E758F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E758F mov eax, dword ptr fs:[00000030h]	6_2_378E758F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797B594 mov eax, dword ptr fs:[00000030h]	6_2_3797B594
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797B594 mov eax, dword ptr fs:[00000030h]	6_2_3797B594
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3791F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379835BA mov eax, dword ptr fs:[00000030h]	6_2_379835BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379835BA mov eax, dword ptr fs:[00000030h]	6_2_379835BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379835BA mov eax, dword ptr fs:[00000030h]	6_2_379835BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379835BA mov eax, dword ptr fs:[00000030h]	6_2_379835BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF5BE mov eax, dword ptr fs:[00000030h]	6_2_379AF5BE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3798D5B0 mov eax, dword ptr fs:[00000030h]	6_2_3798D5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3798D5B0 mov eax, dword ptr fs:[00000030h]	6_2_3798D5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115A9 mov eax, dword ptr fs:[00000030h]	6_2_379115A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115A9 mov eax, dword ptr fs:[00000030h]	6_2_379115A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115A9 mov eax, dword ptr fs:[00000030h]	6_2_379115A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115A9 mov eax, dword ptr fs:[00000030h]	6_2_379115A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115A9 mov eax, dword ptr fs:[00000030h]	6_2_379115A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796D5D0 mov eax, dword ptr fs:[00000030h]	6_2_3796D5D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796D5D0 mov ecx, dword ptr fs:[00000030h]	6_2_3796D5D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C35D7 mov eax, dword ptr fs:[00000030h]	6_2_379C35D7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C35D7 mov eax, dword ptr fs:[00000030h]	6_2_379C35D7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C35D7 mov eax, dword ptr fs:[00000030h]	6_2_379C35D7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379195DA mov eax, dword ptr fs:[00000030h]	6_2_379195DA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379255C0 mov eax, dword ptr fs:[00000030h]	6_2_379255C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C55C9 mov eax, dword ptr fs:[00000030h]	6_2_379C55C9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115F4 mov eax, dword ptr fs:[00000030h]	6_2_379115F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115F4 mov eax, dword ptr fs:[00000030h]	6_2_379115F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115F4 mov eax, dword ptr fs:[00000030h]	6_2_379115F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115F4 mov eax, dword ptr fs:[00000030h]	6_2_379115F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115F4 mov eax, dword ptr fs:[00000030h]	6_2_379115F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379115F4 mov eax, dword ptr fs:[00000030h]	6_2_379115F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37927505 mov eax, dword ptr fs:[00000030h]	6_2_37927505
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37927505 mov ecx, dword ptr fs:[00000030h]	6_2_37927505
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792D530 mov eax, dword ptr fs:[00000030h]	6_2_3792D530
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792D530 mov eax, dword ptr fs:[00000030h]	6_2_3792D530
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5537 mov eax, dword ptr fs:[00000030h]	6_2_379C5537
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AB52F mov eax, dword ptr fs:[00000030h]	6_2_379AB52F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD534 mov eax, dword ptr fs:[00000030h]	6_2_378FD534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD534 mov eax, dword ptr fs:[00000030h]	6_2_378FD534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD534 mov eax, dword ptr fs:[00000030h]	6_2_378FD534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD534 mov eax, dword ptr fs:[00000030h]	6_2_378FD534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD534 mov eax, dword ptr fs:[00000030h]	6_2_378FD534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FD534 mov eax, dword ptr fs:[00000030h]	6_2_378FD534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799F525 mov eax, dword ptr fs:[00000030h]	6_2_3799F525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B550 mov eax, dword ptr fs:[00000030h]	6_2_3799B550
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B550 mov eax, dword ptr fs:[00000030h]	6_2_3799B550
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B550 mov eax, dword ptr fs:[00000030h]	6_2_3799B550
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792B570 mov eax, dword ptr fs:[00000030h]	6_2_3792B570
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792B570 mov eax, dword ptr fs:[00000030h]	6_2_3792B570
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB562 mov eax, dword ptr fs:[00000030h]	6_2_378EB562
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F9486 mov eax, dword ptr fs:[00000030h]	6_2_378F9486
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F9486 mov eax, dword ptr fs:[00000030h]	6_2_378F9486
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB480 mov eax, dword ptr fs:[00000030h]	6_2_378EB480
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379234B0 mov eax, dword ptr fs:[00000030h]	6_2_379234B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E74B0 mov eax, dword ptr fs:[00000030h]	6_2_378E74B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E74B0 mov eax, dword ptr fs:[00000030h]	6_2_378E74B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C54DB mov eax, dword ptr fs:[00000030h]	6_2_379C54DB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379994E0 mov eax, dword ptr fs:[00000030h]	6_2_379994E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37977410 mov eax, dword ptr fs:[00000030h]	6_2_37977410
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791340D mov eax, dword ptr fs:[00000030h]	6_2_3791340D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF453 mov eax, dword ptr fs:[00000030h]	6_2_379AF453
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B450 mov eax, dword ptr fs:[00000030h]	6_2_3799B450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B450 mov eax, dword ptr fs:[00000030h]	6_2_3799B450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B450 mov eax, dword ptr fs:[00000030h]	6_2_3799B450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B450 mov eax, dword ptr fs:[00000030h]	6_2_3799B450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB440 mov eax, dword ptr fs:[00000030h]	6_2_378FB440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB440 mov eax, dword ptr fs:[00000030h]	6_2_378FB440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB440 mov eax, dword ptr fs:[00000030h]	6_2_378FB440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB440 mov eax, dword ptr fs:[00000030h]	6_2_378FB440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB440 mov eax, dword ptr fs:[00000030h]	6_2_378FB440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FB440 mov eax, dword ptr fs:[00000030h]	6_2_378FB440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C547F mov eax, dword ptr fs:[00000030h]	6_2_379C547F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1460 mov eax, dword ptr fs:[00000030h]	6_2_378F1460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1460 mov eax, dword ptr fs:[00000030h]	6_2_378F1460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1460 mov eax, dword ptr fs:[00000030h]	6_2_378F1460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1460 mov eax, dword ptr fs:[00000030h]	6_2_378F1460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1460 mov eax, dword ptr fs:[00000030h]	6_2_378F1460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F460 mov eax, dword ptr fs:[00000030h]	6_2_3790F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F460 mov eax, dword ptr fs:[00000030h]	6_2_3790F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F460 mov eax, dword ptr fs:[00000030h]	6_2_3790F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F460 mov eax, dword ptr fs:[00000030h]	6_2_3790F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F460 mov eax, dword ptr fs:[00000030h]	6_2_3790F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790F460 mov eax, dword ptr fs:[00000030h]	6_2_3790F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C539D mov eax, dword ptr fs:[00000030h]	6_2_379C539D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3794739A mov eax, dword ptr fs:[00000030h]	6_2_3794739A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3794739A mov eax, dword ptr fs:[00000030h]	6_2_3794739A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379913B9 mov eax, dword ptr fs:[00000030h]	6_2_379913B9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379913B9 mov eax, dword ptr fs:[00000030h]	6_2_379913B9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379913B9 mov eax, dword ptr fs:[00000030h]	6_2_379913B9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379233A0 mov eax, dword ptr fs:[00000030h]	6_2_379233A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379233A0 mov eax, dword ptr fs:[00000030h]	6_2_379233A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379133A5 mov eax, dword ptr fs:[00000030h]	6_2_379133A5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AB3D0 mov ecx, dword ptr fs:[00000030h]	6_2_379AB3D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C53FC mov eax, dword ptr fs:[00000030h]	6_2_379C53FC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF3E6 mov eax, dword ptr fs:[00000030h]	6_2_379AF3E6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797930B mov eax, dword ptr fs:[00000030h]	6_2_3797930B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797930B mov eax, dword ptr fs:[00000030h]	6_2_3797930B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797930B mov eax, dword ptr fs:[00000030h]	6_2_3797930B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B132D mov eax, dword ptr fs:[00000030h]	6_2_379B132D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B132D mov eax, dword ptr fs:[00000030h]	6_2_379B132D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F32A mov eax, dword ptr fs:[00000030h]	6_2_3791F32A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E7330 mov eax, dword ptr fs:[00000030h]	6_2_378E7330
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378ED34C mov eax, dword ptr fs:[00000030h]	6_2_378ED34C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378ED34C mov eax, dword ptr fs:[00000030h]	6_2_378ED34C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5341 mov eax, dword ptr fs:[00000030h]	6_2_379C5341
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9353 mov eax, dword ptr fs:[00000030h]	6_2_378E9353
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9353 mov eax, dword ptr fs:[00000030h]	6_2_378E9353
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37993370 mov eax, dword ptr fs:[00000030h]	6_2_37993370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF367 mov eax, dword ptr fs:[00000030h]	6_2_379AF367
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F7370 mov eax, dword ptr fs:[00000030h]	6_2_378F7370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F7370 mov eax, dword ptr fs:[00000030h]	6_2_378F7370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F7370 mov eax, dword ptr fs:[00000030h]	6_2_378F7370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792329E mov eax, dword ptr fs:[00000030h]	6_2_3792329E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792329E mov eax, dword ptr fs:[00000030h]	6_2_3792329E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5283 mov eax, dword ptr fs:[00000030h]	6_2_379C5283
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379792BC mov eax, dword ptr fs:[00000030h]	6_2_379792BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379792BC mov eax, dword ptr fs:[00000030h]	6_2_379792BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379792BC mov ecx, dword ptr fs:[00000030h]	6_2_379792BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379792BC mov ecx, dword ptr fs:[00000030h]	6_2_379792BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379052A0 mov eax, dword ptr fs:[00000030h]	6_2_379052A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379052A0 mov eax, dword ptr fs:[00000030h]	6_2_379052A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379052A0 mov eax, dword ptr fs:[00000030h]	6_2_379052A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379052A0 mov eax, dword ptr fs:[00000030h]	6_2_379052A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379872A0 mov eax, dword ptr fs:[00000030h]	6_2_379872A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379872A0 mov eax, dword ptr fs:[00000030h]	6_2_379872A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B92A6 mov eax, dword ptr fs:[00000030h]	6_2_379B92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B92A6 mov eax, dword ptr fs:[00000030h]	6_2_379B92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B92A6 mov eax, dword ptr fs:[00000030h]	6_2_379B92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B92A6 mov eax, dword ptr fs:[00000030h]	6_2_379B92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F2D0 mov eax, dword ptr fs:[00000030h]	6_2_3791F2D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791F2D0 mov eax, dword ptr fs:[00000030h]	6_2_3791F2D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F92C5 mov eax, dword ptr fs:[00000030h]	6_2_378F92C5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F92C5 mov eax, dword ptr fs:[00000030h]	6_2_378F92C5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B2C0 mov eax, dword ptr fs:[00000030h]	6_2_3791B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB2D3 mov eax, dword ptr fs:[00000030h]	6_2_378EB2D3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB2D3 mov eax, dword ptr fs:[00000030h]	6_2_378EB2D3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB2D3 mov eax, dword ptr fs:[00000030h]	6_2_378EB2D3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AF2F8 mov eax, dword ptr fs:[00000030h]	6_2_379AF2F8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B2F0 mov eax, dword ptr fs:[00000030h]	6_2_3799B2F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799B2F0 mov eax, dword ptr fs:[00000030h]	6_2_3799B2F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E92FF mov eax, dword ptr fs:[00000030h]	6_2_378E92FF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A12ED mov eax, dword ptr fs:[00000030h]	6_2_379A12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C52E2 mov eax, dword ptr fs:[00000030h]	6_2_379C52E2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37927208 mov eax, dword ptr fs:[00000030h]	6_2_37927208
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37927208 mov eax, dword ptr fs:[00000030h]	6_2_37927208
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5227 mov eax, dword ptr fs:[00000030h]	6_2_379C5227
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797D250 mov ecx, dword ptr fs:[00000030h]	6_2_3797D250
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AB256 mov eax, dword ptr fs:[00000030h]	6_2_379AB256
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379AB256 mov eax, dword ptr fs:[00000030h]	6_2_379AB256
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9240 mov eax, dword ptr fs:[00000030h]	6_2_378E9240
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9240 mov eax, dword ptr fs:[00000030h]	6_2_378E9240
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792724D mov eax, dword ptr fs:[00000030h]	6_2_3792724D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37931270 mov eax, dword ptr fs:[00000030h]	6_2_37931270
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37931270 mov eax, dword ptr fs:[00000030h]	6_2_37931270
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37919274 mov eax, dword ptr fs:[00000030h]	6_2_37919274
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BD26B mov eax, dword ptr fs:[00000030h]	6_2_379BD26B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BD26B mov eax, dword ptr fs:[00000030h]	6_2_379BD26B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37947190 mov eax, dword ptr fs:[00000030h]	6_2_37947190
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A5180 mov eax, dword ptr fs:[00000030h]	6_2_379A5180
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A5180 mov eax, dword ptr fs:[00000030h]	6_2_379A5180
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790B1B0 mov eax, dword ptr fs:[00000030h]	6_2_3790B1B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A11A4 mov eax, dword ptr fs:[00000030h]	6_2_379A11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A11A4 mov eax, dword ptr fs:[00000030h]	6_2_379A11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A11A4 mov eax, dword ptr fs:[00000030h]	6_2_379A11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A11A4 mov eax, dword ptr fs:[00000030h]	6_2_379A11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792D1D0 mov eax, dword ptr fs:[00000030h]	6_2_3792D1D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_3792D1D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C51CB mov eax, dword ptr fs:[00000030h]	6_2_379C51CB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379971F9 mov esi, dword ptr fs:[00000030h]	6_2_379971F9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F51ED mov eax, dword ptr fs:[00000030h]	6_2_378F51ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379151EF mov eax, dword ptr fs:[00000030h]	6_2_379151EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB136 mov eax, dword ptr fs:[00000030h]	6_2_378EB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB136 mov eax, dword ptr fs:[00000030h]	6_2_378EB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB136 mov eax, dword ptr fs:[00000030h]	6_2_378EB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EB136 mov eax, dword ptr fs:[00000030h]	6_2_378EB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1131 mov eax, dword ptr fs:[00000030h]	6_2_378F1131
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1131 mov eax, dword ptr fs:[00000030h]	6_2_378F1131
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9148 mov eax, dword ptr fs:[00000030h]	6_2_378E9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9148 mov eax, dword ptr fs:[00000030h]	6_2_378E9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9148 mov eax, dword ptr fs:[00000030h]	6_2_378E9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378E9148 mov eax, dword ptr fs:[00000030h]	6_2_378E9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5152 mov eax, dword ptr fs:[00000030h]	6_2_379C5152
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37983140 mov eax, dword ptr fs:[00000030h]	6_2_37983140
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37983140 mov eax, dword ptr fs:[00000030h]	6_2_37983140
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37983140 mov eax, dword ptr fs:[00000030h]	6_2_37983140
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F7152 mov eax, dword ptr fs:[00000030h]	6_2_378F7152
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37989179 mov eax, dword ptr fs:[00000030h]	6_2_37989179
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EF172 mov eax, dword ptr fs:[00000030h]	6_2_378EF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791D090 mov eax, dword ptr fs:[00000030h]	6_2_3791D090
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791D090 mov eax, dword ptr fs:[00000030h]	6_2_3791D090
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378ED08D mov eax, dword ptr fs:[00000030h]	6_2_378ED08D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792909C mov eax, dword ptr fs:[00000030h]	6_2_3792909C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797D080 mov eax, dword ptr fs:[00000030h]	6_2_3797D080
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797D080 mov eax, dword ptr fs:[00000030h]	6_2_3797D080
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F5096 mov eax, dword ptr fs:[00000030h]	6_2_378F5096
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C50D9 mov eax, dword ptr fs:[00000030h]	6_2_379C50D9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379190DB mov eax, dword ptr fs:[00000030h]	6_2_379190DB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov ecx, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov ecx, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov ecx, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov ecx, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379070C0 mov eax, dword ptr fs:[00000030h]	6_2_379070C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796D0C0 mov eax, dword ptr fs:[00000030h]	6_2_3796D0C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796D0C0 mov eax, dword ptr fs:[00000030h]	6_2_3796D0C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379150E4 mov eax, dword ptr fs:[00000030h]	6_2_379150E4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379150E4 mov ecx, dword ptr fs:[00000030h]	6_2_379150E4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B903E mov eax, dword ptr fs:[00000030h]	6_2_379B903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B903E mov eax, dword ptr fs:[00000030h]	6_2_379B903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B903E mov eax, dword ptr fs:[00000030h]	6_2_379B903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379B903E mov eax, dword ptr fs:[00000030h]	6_2_379B903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791B052 mov eax, dword ptr fs:[00000030h]	6_2_3791B052
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799705E mov ebx, dword ptr fs:[00000030h]	6_2_3799705E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799705E mov eax, dword ptr fs:[00000030h]	6_2_3799705E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov ecx, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901070 mov eax, dword ptr fs:[00000030h]	6_2_37901070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796D070 mov ecx, dword ptr fs:[00000030h]	6_2_3796D070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797106E mov eax, dword ptr fs:[00000030h]	6_2_3797106E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379C5060 mov eax, dword ptr fs:[00000030h]	6_2_379C5060
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov eax, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov eax, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov eax, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov ecx, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37901F92 mov eax, dword ptr fs:[00000030h]	6_2_37901F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37993F90 mov eax, dword ptr fs:[00000030h]	6_2_37993F90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37993F90 mov eax, dword ptr fs:[00000030h]	6_2_37993F90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EFF90 mov edi, dword ptr fs:[00000030h]	6_2_378EFF90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BFB0 mov eax, dword ptr fs:[00000030h]	6_2_3792BFB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37931FB8 mov eax, dword ptr fs:[00000030h]	6_2_37931FB8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37973FD7 mov eax, dword ptr fs:[00000030h]	6_2_37973FD7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3FC2 mov eax, dword ptr fs:[00000030h]	6_2_378F3FC2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379ABFC0 mov ecx, dword ptr fs:[00000030h]	6_2_379ABFC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379ABFC0 mov eax, dword ptr fs:[00000030h]	6_2_379ABFC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EBFD0 mov eax, dword ptr fs:[00000030h]	6_2_378EBFD0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37921FCD mov eax, dword ptr fs:[00000030h]	6_2_37921FCD
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37921FCD mov eax, dword ptr fs:[00000030h]	6_2_37921FCD
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37921FCD mov eax, dword ptr fs:[00000030h]	6_2_37921FCD
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BFEC mov eax, dword ptr fs:[00000030h]	6_2_3792BFEC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BFEC mov eax, dword ptr fs:[00000030h]	6_2_3792BFEC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BFEC mov eax, dword ptr fs:[00000030h]	6_2_3792BFEC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37971F13 mov eax, dword ptr fs:[00000030h]	6_2_37971F13
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797DF10 mov eax, dword ptr fs:[00000030h]	6_2_3797DF10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37997F3E mov eax, dword ptr fs:[00000030h]	6_2_37997F3E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379ADF2F mov eax, dword ptr fs:[00000030h]	6_2_379ADF2F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37927F51 mov eax, dword ptr fs:[00000030h]	6_2_37927F51
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3796FF42 mov eax, dword ptr fs:[00000030h]	6_2_3796FF42
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1F50 mov eax, dword ptr fs:[00000030h]	6_2_378F1F50
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791BF60 mov eax, dword ptr fs:[00000030h]	6_2_3791BF60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797DE9B mov eax, dword ptr fs:[00000030h]	6_2_3797DE9B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F7E96 mov eax, dword ptr fs:[00000030h]	6_2_378F7E96
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37923E8F mov eax, dword ptr fs:[00000030h]	6_2_37923E8F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799DEB0 mov eax, dword ptr fs:[00000030h]	6_2_3799DEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799DEB0 mov ecx, dword ptr fs:[00000030h]	6_2_3799DEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799DEB0 mov eax, dword ptr fs:[00000030h]	6_2_3799DEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799DEB0 mov eax, dword ptr fs:[00000030h]	6_2_3799DEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3799DEB0 mov eax, dword ptr fs:[00000030h]	6_2_3799DEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379ADEB0 mov eax, dword ptr fs:[00000030h]	6_2_379ADEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EDEA5 mov eax, dword ptr fs:[00000030h]	6_2_378EDEA5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EDEA5 mov ecx, dword ptr fs:[00000030h]	6_2_378EDEA5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EFEA0 mov eax, dword ptr fs:[00000030h]	6_2_378EFEA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797DEAA mov eax, dword ptr fs:[00000030h]	6_2_3797DEAA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A9EDF mov eax, dword ptr fs:[00000030h]	6_2_379A9EDF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379A9EDF mov eax, dword ptr fs:[00000030h]	6_2_379A9EDF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378EBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378EBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378FBEC0 mov eax, dword ptr fs:[00000030h]	6_2_378FBEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3791FEC0 mov eax, dword ptr fs:[00000030h]	6_2_3791FEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3797FEC5 mov eax, dword ptr fs:[00000030h]	6_2_3797FEC5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3EE1 mov eax, dword ptr fs:[00000030h]	6_2_378F3EE1
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37923EEB mov ecx, dword ptr fs:[00000030h]	6_2_37923EEB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37923EEB mov eax, dword ptr fs:[00000030h]	6_2_37923EEB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37923EEB mov eax, dword ptr fs:[00000030h]	6_2_37923EEB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3EF4 mov eax, dword ptr fs:[00000030h]	6_2_378F3EF4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3EF4 mov eax, dword ptr fs:[00000030h]	6_2_378F3EF4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F3EF4 mov eax, dword ptr fs:[00000030h]	6_2_378F3EF4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BBEE6 mov eax, dword ptr fs:[00000030h]	6_2_379BBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BBEE6 mov eax, dword ptr fs:[00000030h]	6_2_379BBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BBEE6 mov eax, dword ptr fs:[00000030h]	6_2_379BBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379BBEE6 mov eax, dword ptr fs:[00000030h]	6_2_379BBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BE17 mov eax, dword ptr fs:[00000030h]	6_2_3792BE17
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EDE10 mov eax, dword ptr fs:[00000030h]	6_2_378EDE10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790DE2D mov eax, dword ptr fs:[00000030h]	6_2_3790DE2D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790DE2D mov eax, dword ptr fs:[00000030h]	6_2_3790DE2D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3790DE2D mov eax, dword ptr fs:[00000030h]	6_2_3790DE2D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1E30 mov eax, dword ptr fs:[00000030h]	6_2_378F1E30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378F1E30 mov eax, dword ptr fs:[00000030h]	6_2_378F1E30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BE51 mov eax, dword ptr fs:[00000030h]	6_2_3792BE51
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_3792BE51 mov eax, dword ptr fs:[00000030h]	6_2_3792BE51
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37999E56 mov ecx, dword ptr fs:[00000030h]	6_2_37999E56
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_37905E40 mov eax, dword ptr fs:[00000030h]	6_2_37905E40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_379ADE46 mov eax, dword ptr fs:[00000030h]	6_2_379ADE46
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 6_2_378EBE78 mov ecx, dword ptr fs:[00000030h]	6_2_378EBE78

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

0_2_00403665

Stealing of Sensitive Information

Source: Yara match

File source: 00000006.00000002.3534624470.0000000000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match

File source: 00000006.00000002.3534624470.0000000000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0GuwV0t2UU.exe	58%	ReversingLabs	Win32.Trojan.Guloader
0GuwV0t2UU.exe	100%	Avira	HEUR/AGEN.1336713

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsiBDD8.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://alfacen.com/escDKcLKdKFF2.bin	0%	Avira URL Cloud	safe
https://alfacen.com/	0%	Avira URL Cloud	safe
https://alfacen.com/&K	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
alfacen.com	193.107.36.30	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://alfacen.com/escDKcLKdKFF2.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0GuwV0t2UU.exe, 00000006.00000001.3135162309.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0GuwV0t2UU.exe, 00000006.00000001.3135162309.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	0GuwV0t2UU.exe, 00000000.00000000.2116328758.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 0GuwV0t2UU.exe, 00000000.00000002.3135422638.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 0GuwV0t2UU.exe, 00000006.00000000.3132180633.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
https://alfacen.com/	0GuwV0t2UU.exe, 00000006.00000002.3541181900.0000000007813000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://alfacen.com/&K	0GuwV0t2UU.exe, 00000006.00000002.3541181900.0000000007813000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0GuwV0t2UU.exe, 00000006.00000001.3135162309.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.107.36.30	alfacen.com	Bulgaria		201200	SUPERHOSTING_ASBG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549467
Start date and time:	2024-11-05 16:57:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0GuwV0t2UU.exe renamed because original name is a hash value
Original Sample Name:	d29146778b6cd9ce8c5d12a8f3fc16a9d25bdc27d2588bb0e70d57728deb0fff.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/9@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 56 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 0GuwV0t2UU.exe

Simulations

Behavior and APIs

Time	Type	Description
11:00:31	API Interceptor	3x Sleep call for process: 0GuwV0t2UU.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.107.36.30	450707124374000811.exe	Get hash	malicious	GuLoader	Browse
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse
	SKM_C25024100408500.vbs	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
alfacen.com	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C25024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SUPERHOSTING_ASBG	Rob.Kuster@stonhard.com.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.45.66.155
	zip file.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.45.66.155
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C25024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	lN65vHBnAu.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.107.36.30
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	374UU58JVt.exe	Get hash	malicious	FormBook, GuLoader	Browse	193.107.36.30
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	193.107.36.30
	kzTEwlPWa0.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	193.107.36.30
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	193.107.36.30
	LqtjSIsoCg.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	EQ_AW24 New Order Request.xlx.exe	Get hash	malicious	GuLoader, StormKitty, XWorm	Browse	193.107.36.30

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsiBDD8.tmp\System.dll	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse
	NacahSetup.exe	Get hash	malicious	Unknown	Browse
	NacahSetup.exe	Get hash	malicious	Unknown	Browse
	PO-33463334788.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Bestellung.vbs	Get hash	malicious	GuLoader	Browse
	Bestellung_101624.vbs	Get hash	malicious	GuLoader	Browse
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsiBDD8.tmp\System.dll

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: eXaiza8cQ5.exe, Detection: malicious, Browse Filename: eXaiza8cQ5.exe, Detection: malicious, Browse Filename: NacahSetup.exe, Detection: malicious, Browse Filename: NacahSetup.exe, Detection: malicious, Browse Filename: PO-33463334788.exe, Detection: malicious, Browse Filename: Brneforsorgspdagogers.exe, Detection: malicious, Browse Filename: Brneforsorgspdagogers.exe, Detection: malicious, Browse Filename: Bestellung.vbs, Detection: malicious, Browse Filename: Bestellung_101624.vbs, Detection: malicious, Browse Filename: SKM_C16024100408500.vbs, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsxBCAE.tmp

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	1946975
Entropy (8bit):	2.806117804909863
Encrypted:	false
SSDEEP:	12288:rR9mfmPGpuRRZ8fzb4ylVIXRmOE6gKEiW/aSz:F8cSuxqb4SVmRrg7/aSz
MD5:	5B3BB2247C7ECBB474B9D2DAD6B48F7F
SHA1:	4796B4FB3B381194AD4402FD32B6EA0DBCB90C56
SHA-256:	8AF0A5CC73F2E6AF20549B6B19A0E36BB8237D4F55F21AC9A0BA96DD1B188EFF
SHA-512:	933549DD6B71638B9775C9F536C56BE5F5BEF0E65D94A580DB9D64CF68BC870F51110153445F300E9D3C9B5E34E35BAF35158EEC7A685FB6D3C6262F5A8706F2
Malicious:	false
Reputation:	low
Preview:	vJ......,.......,.......\.......`-......DI......FJ...........................................................v..............................................................................................................................................................................G...Z...............h...............................................................g...............................................................j.............................................................................................................................../.......................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\fllesskabsejede\Modfaldent\Postnota.Ser

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	303518
Entropy (8bit):	7.693063601326674
Encrypted:	false
SSDEEP:	6144:ymfmP8hrVppgNRAGvMptu8fZZ7zbm3IkyZXV1ytd8fkW9ZoE6z:ymfmPGpuRRZ8fzb4ylVIXRmOE6z
MD5:	51581B43F9E295BE259A5A956CF2DA8F
SHA1:	2223CD8EB3D3F4588EBAA556C334B7B31931E5F6
SHA-256:	B5B3ACFB1E514A8EEFDBF28AFB9672B9DBB205A429A215CC70C9762D61DE0A40
SHA-512:	07CCA659E1C9E7A144710FF35388668DA21C0EAE6D876EF3062BF4482D3DD62F710DA6085666B80C3717BAA6FEBA71244D055B17549BB527FF21CCB704B4B779
Malicious:	false
Reputation:	low
Preview:	....................,...A... ........Y.. ................j............CCC.P.........~.........==.....k...........8888...........0....wwww.....&............nn.....HHH.{{........~.fff.....p...&...-...jj....................................00.vvv..................v......2......]]].....k..&.....mm.................J.X.........g..o...............i....!....bbb.............................B................G...............V..qq...................;;;.....nnn........../.'..............................................1..Q.=.3............0...........%%%%%.I.....2.111111. .).............................=......k.:...........kk.kk.....C..h......'..............K...................\\\......f........www.c....................................................QQ...z...:............l..............$$$$............5.......aaa.J..\\..SS...FFF..............4444...........@@..NNNN.......:.^..++......................~......>.N...................q.........II........8.............).........................>.......

C:\Users\user\fllesskabsejede\Modfaldent\Upstander.Rum

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	69084
Entropy (8bit):	4.603760453423635
Encrypted:	false
SSDEEP:	1536:7z9lFzNYTn70XJGL4lb6Wl5ExQHzQmlhrBl48V:FDBI70XcGbn5EeHznxoq
MD5:	ACB2833B890437599A3E6A332916AC8D
SHA1:	4D80FEDC90EFDF3F68AD05F71E4DA687084EF8C4
SHA-256:	1F7C38980704550B4E915F4137F30004BBF3EC81BCC61ADB7E88C6D9DE343E45
SHA-512:	6B4BEE3FACED797A01920BE6230244E901E35706FE4274FF1625AEAB1C5DD9D61CDDE173596B2311DCA9344DF0E6B41585E5788CAADDA62E8FB8B1C312F433CF
Malicious:	false
Reputation:	low
Preview:	...Z...U...{{....................]...b....................................O.[[.mm..............Q......................N.........[[...........(.WW....;.UU.jj............J....................................ttt."......................\..`..........w.........`............P.@....%%...{....ooo.................................................}}}}}}}}.....??...ww...VVVV...........JJ.....................******........1...............iiiii...........TTT.......7..............___.`.......0................{.......hh...~~............................iii......................d.kk.}.OO...............?...j.........qq..CCC..'.......f.ggg...............!!......TTT..7...w........OO.........''.....TT..............cc.}}}.......%..((.....o.............**..b...............tttt........................^.................XXX....................Y...........t.llll.....LL..P........R.FF.=.....$.R.....++.}..............h......}}}}}.....T.::::..v.FF.U.....ss................x.......ggg.................. ........

C:\Users\user\fllesskabsejede\Modfaldent\brevformularens.ste

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	449187
Entropy (8bit):	1.237422861698846
Encrypted:	false
SSDEEP:	1536:eC1rHCXyOIiJOV+okMSfFtaFhH6FSr75qYdB04whG:eC1r5OIiJz/iXH6FSr7IIrwhG
MD5:	CA16C710B6F58865710B74F64D516AC5
SHA1:	E67537C4BC3C64F4085305F81C5595732E36E9CD
SHA-256:	251E742EEC6E46D3FA512EB3CE25A2DDEF371CFF7E5F3596D98F1BBCD028ED6F
SHA-512:	9ED1024823C038B7CF951ECD73779EB492B0D858994848A752F36A7480BB573AA032E3C5684697A0AD89F8DE189460D236A3015805F450D0F5703B84E873AF3A
Malicious:	false
Reputation:	low
Preview:	...................................................."........../.......................T.....................v........j.......................(...........................................................Q......................................................................................................................................................................Z........................D................................^..........................................................T......................................................}.....m...+.......................................$.............G............b......................@...................................................................y............................B.........................6....................*................!......6.....................................{...................<../..........C.....................................................;......................................................8........

C:\Users\user\fllesskabsejede\Modfaldent\irritabel.lic

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	465587
Entropy (8bit):	1.258057339820465
Encrypted:	false
SSDEEP:	768:5ey7/lr4xtCx8bJJGSu+O+sKqBXJwdTd7QJTB4+3GIc+u0ehBDl2jkv7qfadwjus:zOrUXKKtq6s5Jj3X1ir
MD5:	F7A3A6A56220B4F010490D77066CC809
SHA1:	658A58A63948A2E3D2DAA133F1A962090C6F56B5
SHA-256:	78052B085ECF2B27FA90AD47EA7DA69AF0FE075FD81FA4F62DEE0324912062FD
SHA-512:	B7AAA9767FB1FDE4948678AF664567126926311ECDA34C3D6C0F01C36DD126FC9233CEFDE6A0CDFC200B716143F4FA333B7F3039BDC145376B1AA67C820DC3BD
Malicious:	false
Preview:	....................".................................A........v.........................................................................G.......................T.......................................................................................................N...........................J..................s......`.................>.......>..........._._.i.....................................................................................................................................4...........................m....................<...............ry....s.........Z...................B.................................^..............$...........................a...........................................q...........................B........................................................5...............................................l.........................@........p.........................................................................................7.......i.........E....

C:\Users\user\fllesskabsejede\Modfaldent\osteodentinal.txt

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	464
Entropy (8bit):	4.2785660816531506
Encrypted:	false
SSDEEP:	6:eAbLsAJn+tmAXRbALVWHy5qLCA0Ybl/3WYJUXq19F0zXZ6Zy65YMEAHbzMa3GeQk:UAmCvOD0YdeX8ioZ/THZ2evzBb1
MD5:	0B2D2CB964A22694778B3639FB67E1D0
SHA1:	75EC16F528D750772DA87CF82B89AEAE9651CD2C
SHA-256:	604E104ADEDA28672779957466B71CF51B610BDEA5A1C3D54084CBA0C239ED1C
SHA-512:	1357F9129AA23F546CE5F4F9821C209928D39109E67F273A83914E25F7BA9D10A7A2D0ACD44AE507FCAC9B88780CFAD371508403E95FD56520CBC31AB3793F4E
Malicious:	false
Preview:	unrepentant underdrive unnovel megalopore learchus samletank overbait fluevgteren studio sportsfly..appellabelt centro ttninger forhaabnings nrarucu uddataskemaernes,tyvekronesedlens reproduktioner gevirer mikrofonens anbefalelsesvrdigstes podargidae knapstvlers..arculite riningerne autoriserings pyrotechnician chatelaines percolating.pluripartite biavl physiopathologic recoloration sapful creedalist,windermost fibrocytic vandpest oakenshaw genopfrtes caitiff.

C:\Users\user\fllesskabsejede\Modfaldent\subsidieringens.lan

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	355322
Entropy (8bit):	1.248668847963627
Encrypted:	false
SSDEEP:	768:aMrIrJVUmy9wRXGk+LZS+DgA/uaOPNAaT2jd9JE66AUw0oGjg3cSnZSSM/iu8MRt:7wcjuacoqXjg3hgNltIS1vB/E8g
MD5:	F7F3749CDD0D5BADCBB47E3D35654BF1
SHA1:	889CA65BD3EDAFCCDB90C2CA5C72185A6FEC3436
SHA-256:	8CD826E589CDBAB5B02AE83033424D4CC0B0E3DCACAEB207F7D20CA917022564
SHA-512:	5BDA06183A804C9E4172293F48F74745A02533FACF8604542EA39E4C38DBD1A7ACACB1DD1AB158A635C1CD1E0B19698127CA97CCD6AA16D0EEEAEAF22555B1B0
Malicious:	false
Preview:	.................................................................\|........................................................A....X.o.......................U...........q......................................(.......................................................\|......................................................................._...}.......................................g.................................&..............................................................................7.t....F.........................$...T.............7.............w.........................................................d............................................................................................................}..........N....................!.#.....*.............b............................b..M.....M........S................P...............G................&....h......H..........................}..........i....f.................................e.'..<k...../.s........................

C:\Users\user\fllesskabsejede\Modfaldent\undiscoursed.can