Windows Analysis Report
0GuwV0t2UU.exe

AI detected suspicious sample

Source: Yara match

File source: 00000007.00000002.3145283903.0000000037460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 0GuwV0t2UU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: 0GuwV0t2UU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 0GuwV0t2UU.exe, 00000007.00000002.3145323147.000000003796E000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3145323147.00000000377D0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2779347987.000000003761C000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777362328.0000000037463000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 0GuwV0t2UU.exe, 0GuwV0t2UU.exe, 00000007.00000002.3145323147.000000003796E000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3145323147.00000000377D0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2779347987.000000003761C000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777362328.0000000037463000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_004069FF FindFirstFileW,FindClose,	0_2_004069FF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405DAE

Source: Joe Sandbox View

IP Address: 193.107.36.30 193.107.36.30

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49708

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /escDKcLKdKFF2.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: alfacen.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: alfacen.com

Source: 0GuwV0t2UU.exe, 00000000.00000002.2399942907.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 0GuwV0t2UU.exe, 00000000.00000000.1398904537.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 0GuwV0t2UU.exe, 00000007.00000002.3115603087.0000000007523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/
Source: 0GuwV0t2UU.exe, 00000007.00000002.3115603087.0000000007523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/8
Source: 0GuwV0t2UU.exe, 00000007.00000002.3143905331.0000000036BE0000.00000004.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777936328.0000000007534000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777753505.0000000007534000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3115865234.0000000007536000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3115603087.00000000074E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/escDKcLKdKFF2.bin
Source: 0GuwV0t2UU.exe, 00000007.00000002.3115603087.00000000074E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/escDKcLKdKFF2.bin$
Source: 0GuwV0t2UU.exe, 00000007.00000002.3115603087.00000000074E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/escDKcLKdKFF2.bin.
Source: 0GuwV0t2UU.exe, 00000007.00000003.2777936328.0000000007534000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777753505.0000000007534000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3115865234.0000000007536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/escDKcLKdKFF2.bin=
Source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_00405866 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405866

E-Banking Fraud

Source: Yara match

File source: 00000007.00000002.3145283903.0000000037460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378435C0 NtCreateMutant,LdrInitializeThunk,	7_2_378435C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_37842DF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37843090 NtSetValueKey,	7_2_37843090
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37843010 NtOpenDirectoryObject,	7_2_37843010
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37843D10 NtOpenProcessToken,	7_2_37843D10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37843D70 NtOpenThread,	7_2_37843D70
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378439B0 NtGetContextThread,	7_2_378439B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37844650 NtSuspendThread,	7_2_37844650
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37844340 NtSetContextThread,	7_2_37844340
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842F90 NtProtectVirtualMemory,	7_2_37842F90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842FA0 NtQuerySection,	7_2_37842FA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842FB0 NtResumeThread,	7_2_37842FB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842FE0 NtCreateFile,	7_2_37842FE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842F30 NtCreateSection,	7_2_37842F30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842F60 NtCreateProcessEx,	7_2_37842F60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842E80 NtReadVirtualMemory,	7_2_37842E80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842EA0 NtAdjustPrivilegesToken,	7_2_37842EA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842EE0 NtQueueApcThread,	7_2_37842EE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842E30 NtWriteVirtualMemory,	7_2_37842E30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842DB0 NtEnumerateKey,	7_2_37842DB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842DD0 NtDelayExecution,	7_2_37842DD0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842D00 NtSetInformationFile,	7_2_37842D00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842D10 NtMapViewOfSection,	7_2_37842D10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842D30 NtUnmapViewOfSection,	7_2_37842D30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842CA0 NtQueryInformationToken,	7_2_37842CA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842CC0 NtQueryVirtualMemory,	7_2_37842CC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842CF0 NtOpenProcess,	7_2_37842CF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842C00 NtQueryInformationProcess,	7_2_37842C00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842C60 NtCreateKey,	7_2_37842C60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842C70 NtFreeVirtualMemory,	7_2_37842C70
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842B80 NtQueryInformationFile,	7_2_37842B80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842BA0 NtEnumerateValueKey,	7_2_37842BA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842BE0 NtQueryValueKey,	7_2_37842BE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842BF0 NtAllocateVirtualMemory,	7_2_37842BF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842B60 NtClose,	7_2_37842B60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842AB0 NtWaitForSingleObject,	7_2_37842AB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842AD0 NtReadFile,	7_2_37842AD0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37842AF0 NtWriteFile,	7_2_37842AF0

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403665

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Windows\resources\0809

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00406DC0	0_2_00406DC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_6E9F1BFF	0_2_6E9F1BFF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CF7B0	7_2_378CF7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C16CC	7_2_378C16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37855630	7_2_37855630
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AD5B0	7_2_378AD5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D95C3	7_2_378D95C3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C7571	7_2_378C7571
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CF43F	7_2_378CF43F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801460	7_2_37801460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3785739A	7_2_3785739A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FD34C	7_2_377FD34C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C132D	7_2_378C132D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378152A0	7_2_378152A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781B1B0	7_2_3781B1B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378DB16B	7_2_378DB16B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3784516C	7_2_3784516C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF0CC	7_2_378BF0CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C70E9	7_2_378C70E9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CF0E0	7_2_378CF0E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CFFB1	7_2_378CFFB1
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CFF09	7_2_378CFF09
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377D3FD5	7_2_377D3FD5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377D3FD2	7_2_377D3FD2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37819EB0	7_2_37819EB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782FDC0	7_2_3782FDC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37813D40	7_2_37813D40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C1D5A	7_2_378C1D5A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C7D73	7_2_378C7D73
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CFCF2	7_2_378CFCF2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37889C32	7_2_37889C32
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782FB80	7_2_3782FB80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37885BF0	7_2_37885BF0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3784DBF9	7_2_3784DBF9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CFB76	7_2_378CFB76
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37855AA0	7_2_37855AA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ADAAC	7_2_378ADAAC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B1AA3	7_2_378B1AA3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BDAC6	7_2_378BDAC6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CFA49	7_2_378CFA49
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C7A46	7_2_378C7A46
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37883A6C	7_2_37883A6C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A5910	7_2_378A5910
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37819950	7_2_37819950
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B950	7_2_3782B950
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378138E0	7_2_378138E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787D800	7_2_3787D800
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780C7C0	7_2_3780C7C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37834750	7_2_37834750
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37810770	7_2_37810770
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782C6E0	7_2_3782C6E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D0591	7_2_378D0591
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37810535	7_2_37810535
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BE4F6	7_2_378BE4F6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B4420	7_2_378B4420
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C2446	7_2_378C2446
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D03E6	7_2_378D03E6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781E3F0	7_2_3781E3F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CA352	7_2_378CA352
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378902C0	7_2_378902C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B0274	7_2_378B0274
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D01AA	7_2_378D01AA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C41A2	7_2_378C41A2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C81CC	7_2_378C81CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37800100	7_2_37800100
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AA118	7_2_378AA118
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37898158	7_2_37898158
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A2000	7_2_378A2000
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788EFA0	7_2_3788EFA0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37802FC8	7_2_37802FC8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781CFE0	7_2_3781CFE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37852F28	7_2_37852F28
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37830F30	7_2_37830F30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B2F30	7_2_378B2F30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37884F40	7_2_37884F40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37822E90	7_2_37822E90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CCE93	7_2_378CCE93
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CEEDB	7_2_378CEEDB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CEE26	7_2_378CEE26
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37810E59	7_2_37810E59
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37828DBF	7_2_37828DBF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780ADE0	7_2_3780ADE0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781AD00	7_2_3781AD00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ACD1F	7_2_378ACD1F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B0CB5	7_2_378B0CB5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37800CF2	7_2_37800CF2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37810C00	7_2_37810C00
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C6BD7	7_2_378C6BD7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CAB40	7_2_378CAB40
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780EA80	7_2_3780EA80
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378129A0	7_2_378129A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378DA9A6	7_2_378DA9A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37826962	7_2_37826962
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783E8F0	7_2_3783E8F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781A840	7_2_3781A840
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37812840	7_2_37812840
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F68B8	7_2_377F68B8

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 377FB970 appears 280 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 37857E54 appears 111 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 3788F290 appears 103 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 37845130 appears 58 times
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: String function: 3787EA12 appears 82 times

Source: 0GuwV0t2UU.exe

Static PE information: invalid certificate

Source: 0GuwV0t2UU.exe, 00000007.00000002.3145323147.00000000378FD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 0GuwV0t2UU.exe
Source: 0GuwV0t2UU.exe, 00000007.00000003.2777362328.0000000037586000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 0GuwV0t2UU.exe

Source: 0GuwV0t2UU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/9@1/1

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

0_2_00403665

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_00404B12 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404B12

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Users\user\fllesskabsejede

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Users\user\AppData\Local\Temp\nsfC03D.tmp

Source: 0GuwV0t2UU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 0GuwV0t2UU.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File read: C:\Users\user\Desktop\0GuwV0t2UU.exe

Source: unknown	Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Switches to a custom stack to bypass stack traces

Source: 0GuwV0t2UU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 0GuwV0t2UU.exe, 00000007.00000002.3145323147.000000003796E000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3145323147.00000000377D0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2779347987.000000003761C000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777362328.0000000037463000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 0GuwV0t2UU.exe, 0GuwV0t2UU.exe, 00000007.00000002.3145323147.000000003796E000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3145323147.00000000377D0000.00000040.00001000.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2779347987.000000003761C000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777362328.0000000037463000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2401247870.00000000049AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_6E9F1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E9F1BFF

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_6E9F30C0 push eax; ret	0_2_6E9F30EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377D1337 push eax; iretd	7_2_377D1369
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377D27FA pushad ; ret	7_2_377D27F9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377D225F pushad ; ret	7_2_377D27F9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378009AD push ecx; mov dword ptr [esp], ecx	7_2_378009B6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377D283D push eax; iretd	7_2_377D2858

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

File created: C:\Users\user\AppData\Local\Temp\nsaC158.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API/Special instruction interceptor: Address: 4C6D03F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API/Special instruction interceptor: Address: 2DFD03F

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	RDTSC instruction interceptor: First address: 4C2BA61 second address: 4C2BA61 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FCFEC5181B7h 0x00000006 cmp bl, FFFFFF9Fh 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	RDTSC instruction interceptor: First address: 2DBBA61 second address: 2DBBA61 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FCFED102C77h 0x00000006 cmp bl, FFFFFF9Fh 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 7_2_378D16A6 rdtsc

7_2_378D16A6

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaC158.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

API coverage: 0.1 %

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe TID: 6844

Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_004069FF FindFirstFileW,FindClose,	0_2_004069FF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405DAE

Source: 0GuwV0t2UU.exe, 00000007.00000002.3115865234.000000000753E000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777753505.000000000753E000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3115603087.00000000074E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API call chain: ExitProcess graph end node			graph_0-4526
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	API call chain: ExitProcess graph end node			graph_0-4523

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 7_2_378D16A6 rdtsc

7_2_378D16A6

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 7_2_378435C0 NtCreateMutant,LdrInitializeThunk,

7_2_378435C0

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Code function: 0_2_6E9F1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E9F1BFF

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF78A mov eax, dword ptr fs:[00000030h]	7_2_378BF78A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB765 mov eax, dword ptr fs:[00000030h]	7_2_377FB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB765 mov eax, dword ptr fs:[00000030h]	7_2_377FB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB765 mov eax, dword ptr fs:[00000030h]	7_2_377FB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB765 mov eax, dword ptr fs:[00000030h]	7_2_377FB765
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378897A9 mov eax, dword ptr fs:[00000030h]	7_2_378897A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788F7AF mov eax, dword ptr fs:[00000030h]	7_2_3788F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788F7AF mov eax, dword ptr fs:[00000030h]	7_2_3788F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788F7AF mov eax, dword ptr fs:[00000030h]	7_2_3788F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788F7AF mov eax, dword ptr fs:[00000030h]	7_2_3788F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788F7AF mov eax, dword ptr fs:[00000030h]	7_2_3788F7AF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782D7B0 mov eax, dword ptr fs:[00000030h]	7_2_3782D7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D37B6 mov eax, dword ptr fs:[00000030h]	7_2_378D37B6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BD7B0 mov eax, dword ptr fs:[00000030h]	7_2_378BD7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BD7B0 mov eax, dword ptr fs:[00000030h]	7_2_378BD7B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378057C0 mov eax, dword ptr fs:[00000030h]	7_2_378057C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378057C0 mov eax, dword ptr fs:[00000030h]	7_2_378057C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378057C0 mov eax, dword ptr fs:[00000030h]	7_2_378057C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9730 mov eax, dword ptr fs:[00000030h]	7_2_377F9730
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9730 mov eax, dword ptr fs:[00000030h]	7_2_377F9730
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D7E0 mov ecx, dword ptr fs:[00000030h]	7_2_3780D7E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37805702 mov eax, dword ptr fs:[00000030h]	7_2_37805702
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37805702 mov eax, dword ptr fs:[00000030h]	7_2_37805702
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37807703 mov eax, dword ptr fs:[00000030h]	7_2_37807703
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783F71F mov eax, dword ptr fs:[00000030h]	7_2_3783F71F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783F71F mov eax, dword ptr fs:[00000030h]	7_2_3783F71F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803720 mov eax, dword ptr fs:[00000030h]	7_2_37803720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F720 mov eax, dword ptr fs:[00000030h]	7_2_3781F720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F720 mov eax, dword ptr fs:[00000030h]	7_2_3781F720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F720 mov eax, dword ptr fs:[00000030h]	7_2_3781F720
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF72E mov eax, dword ptr fs:[00000030h]	7_2_378BF72E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C972B mov eax, dword ptr fs:[00000030h]	7_2_378C972B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378DB73C mov eax, dword ptr fs:[00000030h]	7_2_378DB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378DB73C mov eax, dword ptr fs:[00000030h]	7_2_378DB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378DB73C mov eax, dword ptr fs:[00000030h]	7_2_378DB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378DB73C mov eax, dword ptr fs:[00000030h]	7_2_378DB73C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37835734 mov eax, dword ptr fs:[00000030h]	7_2_37835734
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780973A mov eax, dword ptr fs:[00000030h]	7_2_3780973A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780973A mov eax, dword ptr fs:[00000030h]	7_2_3780973A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37813740 mov eax, dword ptr fs:[00000030h]	7_2_37813740
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37813740 mov eax, dword ptr fs:[00000030h]	7_2_37813740
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37813740 mov eax, dword ptr fs:[00000030h]	7_2_37813740
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D3749 mov eax, dword ptr fs:[00000030h]	7_2_378D3749
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF7BA mov eax, dword ptr fs:[00000030h]	7_2_377FF7BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A375F mov eax, dword ptr fs:[00000030h]	7_2_378A375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A375F mov eax, dword ptr fs:[00000030h]	7_2_378A375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A375F mov eax, dword ptr fs:[00000030h]	7_2_378A375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A375F mov eax, dword ptr fs:[00000030h]	7_2_378A375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A375F mov eax, dword ptr fs:[00000030h]	7_2_378A375F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788368C mov eax, dword ptr fs:[00000030h]	7_2_3788368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788368C mov eax, dword ptr fs:[00000030h]	7_2_3788368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788368C mov eax, dword ptr fs:[00000030h]	7_2_3788368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788368C mov eax, dword ptr fs:[00000030h]	7_2_3788368C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B6C0 mov eax, dword ptr fs:[00000030h]	7_2_3780B6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B6C0 mov eax, dword ptr fs:[00000030h]	7_2_3780B6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B6C0 mov eax, dword ptr fs:[00000030h]	7_2_3780B6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B6C0 mov eax, dword ptr fs:[00000030h]	7_2_3780B6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B6C0 mov eax, dword ptr fs:[00000030h]	7_2_3780B6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B6C0 mov eax, dword ptr fs:[00000030h]	7_2_3780B6C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C16CC mov eax, dword ptr fs:[00000030h]	7_2_378C16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C16CC mov eax, dword ptr fs:[00000030h]	7_2_378C16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C16CC mov eax, dword ptr fs:[00000030h]	7_2_378C16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C16CC mov eax, dword ptr fs:[00000030h]	7_2_378C16CC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF6C7 mov eax, dword ptr fs:[00000030h]	7_2_378BF6C7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378316CF mov eax, dword ptr fs:[00000030h]	7_2_378316CF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF626 mov eax, dword ptr fs:[00000030h]	7_2_377FF626
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782D6E0 mov eax, dword ptr fs:[00000030h]	7_2_3782D6E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782D6E0 mov eax, dword ptr fs:[00000030h]	7_2_3782D6E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378936EE mov eax, dword ptr fs:[00000030h]	7_2_378936EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378936EE mov eax, dword ptr fs:[00000030h]	7_2_378936EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378936EE mov eax, dword ptr fs:[00000030h]	7_2_378936EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378936EE mov eax, dword ptr fs:[00000030h]	7_2_378936EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378936EE mov eax, dword ptr fs:[00000030h]	7_2_378936EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378936EE mov eax, dword ptr fs:[00000030h]	7_2_378936EE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378336EF mov eax, dword ptr fs:[00000030h]	7_2_378336EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BD6F0 mov eax, dword ptr fs:[00000030h]	7_2_378BD6F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783F603 mov eax, dword ptr fs:[00000030h]	7_2_3783F603
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37831607 mov eax, dword ptr fs:[00000030h]	7_2_37831607
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803616 mov eax, dword ptr fs:[00000030h]	7_2_37803616
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803616 mov eax, dword ptr fs:[00000030h]	7_2_37803616
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5636 mov eax, dword ptr fs:[00000030h]	7_2_378D5636
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F76B2 mov eax, dword ptr fs:[00000030h]	7_2_377F76B2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F76B2 mov eax, dword ptr fs:[00000030h]	7_2_377F76B2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F76B2 mov eax, dword ptr fs:[00000030h]	7_2_377F76B2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FD6AA mov eax, dword ptr fs:[00000030h]	7_2_377FD6AA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FD6AA mov eax, dword ptr fs:[00000030h]	7_2_377FD6AA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37839660 mov eax, dword ptr fs:[00000030h]	7_2_37839660
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37839660 mov eax, dword ptr fs:[00000030h]	7_2_37839660
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3789D660 mov eax, dword ptr fs:[00000030h]	7_2_3789D660
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788B594 mov eax, dword ptr fs:[00000030h]	7_2_3788B594
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788B594 mov eax, dword ptr fs:[00000030h]	7_2_3788B594
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB562 mov eax, dword ptr fs:[00000030h]	7_2_377FB562
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215A9 mov eax, dword ptr fs:[00000030h]	7_2_378215A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215A9 mov eax, dword ptr fs:[00000030h]	7_2_378215A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215A9 mov eax, dword ptr fs:[00000030h]	7_2_378215A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215A9 mov eax, dword ptr fs:[00000030h]	7_2_378215A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215A9 mov eax, dword ptr fs:[00000030h]	7_2_378215A9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F5B0 mov eax, dword ptr fs:[00000030h]	7_2_3782F5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378935BA mov eax, dword ptr fs:[00000030h]	7_2_378935BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378935BA mov eax, dword ptr fs:[00000030h]	7_2_378935BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378935BA mov eax, dword ptr fs:[00000030h]	7_2_378935BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378935BA mov eax, dword ptr fs:[00000030h]	7_2_378935BA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF5BE mov eax, dword ptr fs:[00000030h]	7_2_378BF5BE
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3789D5B0 mov eax, dword ptr fs:[00000030h]	7_2_3789D5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3789D5B0 mov eax, dword ptr fs:[00000030h]	7_2_3789D5B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D35B6 mov eax, dword ptr fs:[00000030h]	7_2_378D35B6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378355C0 mov eax, dword ptr fs:[00000030h]	7_2_378355C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D55C9 mov eax, dword ptr fs:[00000030h]	7_2_378D55C9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787D5D0 mov eax, dword ptr fs:[00000030h]	7_2_3787D5D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787D5D0 mov ecx, dword ptr fs:[00000030h]	7_2_3787D5D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378295DA mov eax, dword ptr fs:[00000030h]	7_2_378295DA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D35D7 mov eax, dword ptr fs:[00000030h]	7_2_378D35D7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D35D7 mov eax, dword ptr fs:[00000030h]	7_2_378D35D7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D35D7 mov eax, dword ptr fs:[00000030h]	7_2_378D35D7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215F4 mov eax, dword ptr fs:[00000030h]	7_2_378215F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215F4 mov eax, dword ptr fs:[00000030h]	7_2_378215F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215F4 mov eax, dword ptr fs:[00000030h]	7_2_378215F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215F4 mov eax, dword ptr fs:[00000030h]	7_2_378215F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215F4 mov eax, dword ptr fs:[00000030h]	7_2_378215F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378215F4 mov eax, dword ptr fs:[00000030h]	7_2_378215F4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37837505 mov eax, dword ptr fs:[00000030h]	7_2_37837505
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37837505 mov ecx, dword ptr fs:[00000030h]	7_2_37837505
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BB52F mov eax, dword ptr fs:[00000030h]	7_2_378BB52F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AF525 mov eax, dword ptr fs:[00000030h]	7_2_378AF525
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783D530 mov eax, dword ptr fs:[00000030h]	7_2_3783D530
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783D530 mov eax, dword ptr fs:[00000030h]	7_2_3783D530
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D534 mov eax, dword ptr fs:[00000030h]	7_2_3780D534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D534 mov eax, dword ptr fs:[00000030h]	7_2_3780D534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D534 mov eax, dword ptr fs:[00000030h]	7_2_3780D534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D534 mov eax, dword ptr fs:[00000030h]	7_2_3780D534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D534 mov eax, dword ptr fs:[00000030h]	7_2_3780D534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780D534 mov eax, dword ptr fs:[00000030h]	7_2_3780D534
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5537 mov eax, dword ptr fs:[00000030h]	7_2_378D5537
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB550 mov eax, dword ptr fs:[00000030h]	7_2_378AB550
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB550 mov eax, dword ptr fs:[00000030h]	7_2_378AB550
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB550 mov eax, dword ptr fs:[00000030h]	7_2_378AB550
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F758F mov eax, dword ptr fs:[00000030h]	7_2_377F758F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F758F mov eax, dword ptr fs:[00000030h]	7_2_377F758F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F758F mov eax, dword ptr fs:[00000030h]	7_2_377F758F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783B570 mov eax, dword ptr fs:[00000030h]	7_2_3783B570
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783B570 mov eax, dword ptr fs:[00000030h]	7_2_3783B570
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37809486 mov eax, dword ptr fs:[00000030h]	7_2_37809486
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37809486 mov eax, dword ptr fs:[00000030h]	7_2_37809486
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378334B0 mov eax, dword ptr fs:[00000030h]	7_2_378334B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A74B0 mov eax, dword ptr fs:[00000030h]	7_2_378A74B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D54DB mov eax, dword ptr fs:[00000030h]	7_2_378D54DB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A94E0 mov eax, dword ptr fs:[00000030h]	7_2_378A94E0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D14F6 mov eax, dword ptr fs:[00000030h]	7_2_378D14F6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D14F6 mov eax, dword ptr fs:[00000030h]	7_2_378D14F6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782340D mov eax, dword ptr fs:[00000030h]	7_2_3782340D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37887410 mov eax, dword ptr fs:[00000030h]	7_2_37887410
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B440 mov eax, dword ptr fs:[00000030h]	7_2_3780B440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B440 mov eax, dword ptr fs:[00000030h]	7_2_3780B440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B440 mov eax, dword ptr fs:[00000030h]	7_2_3780B440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B440 mov eax, dword ptr fs:[00000030h]	7_2_3780B440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B440 mov eax, dword ptr fs:[00000030h]	7_2_3780B440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780B440 mov eax, dword ptr fs:[00000030h]	7_2_3780B440
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F74B0 mov eax, dword ptr fs:[00000030h]	7_2_377F74B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F74B0 mov eax, dword ptr fs:[00000030h]	7_2_377F74B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF453 mov eax, dword ptr fs:[00000030h]	7_2_378BF453
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB450 mov eax, dword ptr fs:[00000030h]	7_2_378AB450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB450 mov eax, dword ptr fs:[00000030h]	7_2_378AB450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB450 mov eax, dword ptr fs:[00000030h]	7_2_378AB450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB450 mov eax, dword ptr fs:[00000030h]	7_2_378AB450
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801460 mov eax, dword ptr fs:[00000030h]	7_2_37801460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801460 mov eax, dword ptr fs:[00000030h]	7_2_37801460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801460 mov eax, dword ptr fs:[00000030h]	7_2_37801460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801460 mov eax, dword ptr fs:[00000030h]	7_2_37801460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801460 mov eax, dword ptr fs:[00000030h]	7_2_37801460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F460 mov eax, dword ptr fs:[00000030h]	7_2_3781F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F460 mov eax, dword ptr fs:[00000030h]	7_2_3781F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F460 mov eax, dword ptr fs:[00000030h]	7_2_3781F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F460 mov eax, dword ptr fs:[00000030h]	7_2_3781F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F460 mov eax, dword ptr fs:[00000030h]	7_2_3781F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781F460 mov eax, dword ptr fs:[00000030h]	7_2_3781F460
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D547F mov eax, dword ptr fs:[00000030h]	7_2_378D547F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB480 mov eax, dword ptr fs:[00000030h]	7_2_377FB480
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D539D mov eax, dword ptr fs:[00000030h]	7_2_378D539D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3785739A mov eax, dword ptr fs:[00000030h]	7_2_3785739A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3785739A mov eax, dword ptr fs:[00000030h]	7_2_3785739A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378333A0 mov eax, dword ptr fs:[00000030h]	7_2_378333A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378333A0 mov eax, dword ptr fs:[00000030h]	7_2_378333A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378233A5 mov eax, dword ptr fs:[00000030h]	7_2_378233A5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9353 mov eax, dword ptr fs:[00000030h]	7_2_377F9353
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9353 mov eax, dword ptr fs:[00000030h]	7_2_377F9353
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FD34C mov eax, dword ptr fs:[00000030h]	7_2_377FD34C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FD34C mov eax, dword ptr fs:[00000030h]	7_2_377FD34C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A13B9 mov eax, dword ptr fs:[00000030h]	7_2_378A13B9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A13B9 mov eax, dword ptr fs:[00000030h]	7_2_378A13B9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A13B9 mov eax, dword ptr fs:[00000030h]	7_2_378A13B9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F7330 mov eax, dword ptr fs:[00000030h]	7_2_377F7330
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BB3D0 mov ecx, dword ptr fs:[00000030h]	7_2_378BB3D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF3E6 mov eax, dword ptr fs:[00000030h]	7_2_378BF3E6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D53FC mov eax, dword ptr fs:[00000030h]	7_2_378D53FC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788930B mov eax, dword ptr fs:[00000030h]	7_2_3788930B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788930B mov eax, dword ptr fs:[00000030h]	7_2_3788930B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788930B mov eax, dword ptr fs:[00000030h]	7_2_3788930B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C132D mov eax, dword ptr fs:[00000030h]	7_2_378C132D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C132D mov eax, dword ptr fs:[00000030h]	7_2_378C132D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F32A mov eax, dword ptr fs:[00000030h]	7_2_3782F32A
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5341 mov eax, dword ptr fs:[00000030h]	7_2_378D5341
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF367 mov eax, dword ptr fs:[00000030h]	7_2_378BF367
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37807370 mov eax, dword ptr fs:[00000030h]	7_2_37807370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37807370 mov eax, dword ptr fs:[00000030h]	7_2_37807370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37807370 mov eax, dword ptr fs:[00000030h]	7_2_37807370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A3370 mov eax, dword ptr fs:[00000030h]	7_2_378A3370
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5283 mov eax, dword ptr fs:[00000030h]	7_2_378D5283
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783329E mov eax, dword ptr fs:[00000030h]	7_2_3783329E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783329E mov eax, dword ptr fs:[00000030h]	7_2_3783329E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378152A0 mov eax, dword ptr fs:[00000030h]	7_2_378152A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378152A0 mov eax, dword ptr fs:[00000030h]	7_2_378152A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378152A0 mov eax, dword ptr fs:[00000030h]	7_2_378152A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378152A0 mov eax, dword ptr fs:[00000030h]	7_2_378152A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378972A0 mov eax, dword ptr fs:[00000030h]	7_2_378972A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378972A0 mov eax, dword ptr fs:[00000030h]	7_2_378972A0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C92A6 mov eax, dword ptr fs:[00000030h]	7_2_378C92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C92A6 mov eax, dword ptr fs:[00000030h]	7_2_378C92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C92A6 mov eax, dword ptr fs:[00000030h]	7_2_378C92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C92A6 mov eax, dword ptr fs:[00000030h]	7_2_378C92A6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378892BC mov eax, dword ptr fs:[00000030h]	7_2_378892BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378892BC mov eax, dword ptr fs:[00000030h]	7_2_378892BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378892BC mov ecx, dword ptr fs:[00000030h]	7_2_378892BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378892BC mov ecx, dword ptr fs:[00000030h]	7_2_378892BC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9240 mov eax, dword ptr fs:[00000030h]	7_2_377F9240
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9240 mov eax, dword ptr fs:[00000030h]	7_2_377F9240
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B2C0 mov eax, dword ptr fs:[00000030h]	7_2_3782B2C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378092C5 mov eax, dword ptr fs:[00000030h]	7_2_378092C5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378092C5 mov eax, dword ptr fs:[00000030h]	7_2_378092C5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F2D0 mov eax, dword ptr fs:[00000030h]	7_2_3782F2D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782F2D0 mov eax, dword ptr fs:[00000030h]	7_2_3782F2D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B12ED mov eax, dword ptr fs:[00000030h]	7_2_378B12ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D52E2 mov eax, dword ptr fs:[00000030h]	7_2_378D52E2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BF2F8 mov eax, dword ptr fs:[00000030h]	7_2_378BF2F8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB2F0 mov eax, dword ptr fs:[00000030h]	7_2_378AB2F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378AB2F0 mov eax, dword ptr fs:[00000030h]	7_2_378AB2F0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F92FF mov eax, dword ptr fs:[00000030h]	7_2_377F92FF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37837208 mov eax, dword ptr fs:[00000030h]	7_2_37837208
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37837208 mov eax, dword ptr fs:[00000030h]	7_2_37837208
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5227 mov eax, dword ptr fs:[00000030h]	7_2_378D5227
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB2D3 mov eax, dword ptr fs:[00000030h]	7_2_377FB2D3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB2D3 mov eax, dword ptr fs:[00000030h]	7_2_377FB2D3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB2D3 mov eax, dword ptr fs:[00000030h]	7_2_377FB2D3
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783724D mov eax, dword ptr fs:[00000030h]	7_2_3783724D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788D250 mov ecx, dword ptr fs:[00000030h]	7_2_3788D250
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BB256 mov eax, dword ptr fs:[00000030h]	7_2_378BB256
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BB256 mov eax, dword ptr fs:[00000030h]	7_2_378BB256
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CD26B mov eax, dword ptr fs:[00000030h]	7_2_378CD26B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CD26B mov eax, dword ptr fs:[00000030h]	7_2_378CD26B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37841270 mov eax, dword ptr fs:[00000030h]	7_2_37841270
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37841270 mov eax, dword ptr fs:[00000030h]	7_2_37841270
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37829274 mov eax, dword ptr fs:[00000030h]	7_2_37829274
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B5180 mov eax, dword ptr fs:[00000030h]	7_2_378B5180
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B5180 mov eax, dword ptr fs:[00000030h]	7_2_378B5180
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FF172 mov eax, dword ptr fs:[00000030h]	7_2_377FF172
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37857190 mov eax, dword ptr fs:[00000030h]	7_2_37857190
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B11A4 mov eax, dword ptr fs:[00000030h]	7_2_378B11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B11A4 mov eax, dword ptr fs:[00000030h]	7_2_378B11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B11A4 mov eax, dword ptr fs:[00000030h]	7_2_378B11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B11A4 mov eax, dword ptr fs:[00000030h]	7_2_378B11A4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781B1B0 mov eax, dword ptr fs:[00000030h]	7_2_3781B1B0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9148 mov eax, dword ptr fs:[00000030h]	7_2_377F9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9148 mov eax, dword ptr fs:[00000030h]	7_2_377F9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9148 mov eax, dword ptr fs:[00000030h]	7_2_377F9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377F9148 mov eax, dword ptr fs:[00000030h]	7_2_377F9148
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D51CB mov eax, dword ptr fs:[00000030h]	7_2_378D51CB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB136 mov eax, dword ptr fs:[00000030h]	7_2_377FB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB136 mov eax, dword ptr fs:[00000030h]	7_2_377FB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB136 mov eax, dword ptr fs:[00000030h]	7_2_377FB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FB136 mov eax, dword ptr fs:[00000030h]	7_2_377FB136
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783D1D0 mov eax, dword ptr fs:[00000030h]	7_2_3783D1D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783D1D0 mov ecx, dword ptr fs:[00000030h]	7_2_3783D1D0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D31E1 mov eax, dword ptr fs:[00000030h]	7_2_378D31E1
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378251EF mov eax, dword ptr fs:[00000030h]	7_2_378251EF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378051ED mov eax, dword ptr fs:[00000030h]	7_2_378051ED
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A71F9 mov esi, dword ptr fs:[00000030h]	7_2_378A71F9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D7120 mov eax, dword ptr fs:[00000030h]	7_2_378D7120
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801131 mov eax, dword ptr fs:[00000030h]	7_2_37801131
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801131 mov eax, dword ptr fs:[00000030h]	7_2_37801131
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37893140 mov eax, dword ptr fs:[00000030h]	7_2_37893140
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37893140 mov eax, dword ptr fs:[00000030h]	7_2_37893140
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37893140 mov eax, dword ptr fs:[00000030h]	7_2_37893140
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37807152 mov eax, dword ptr fs:[00000030h]	7_2_37807152
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5152 mov eax, dword ptr fs:[00000030h]	7_2_378D5152
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37899179 mov eax, dword ptr fs:[00000030h]	7_2_37899179
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788D080 mov eax, dword ptr fs:[00000030h]	7_2_3788D080
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788D080 mov eax, dword ptr fs:[00000030h]	7_2_3788D080
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782D090 mov eax, dword ptr fs:[00000030h]	7_2_3782D090
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782D090 mov eax, dword ptr fs:[00000030h]	7_2_3782D090
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37805096 mov eax, dword ptr fs:[00000030h]	7_2_37805096
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783909C mov eax, dword ptr fs:[00000030h]	7_2_3783909C
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov ecx, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov ecx, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov ecx, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov ecx, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378170C0 mov eax, dword ptr fs:[00000030h]	7_2_378170C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787D0C0 mov eax, dword ptr fs:[00000030h]	7_2_3787D0C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787D0C0 mov eax, dword ptr fs:[00000030h]	7_2_3787D0C0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D50D9 mov eax, dword ptr fs:[00000030h]	7_2_378D50D9
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378290DB mov eax, dword ptr fs:[00000030h]	7_2_378290DB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378250E4 mov eax, dword ptr fs:[00000030h]	7_2_378250E4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378250E4 mov ecx, dword ptr fs:[00000030h]	7_2_378250E4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C903E mov eax, dword ptr fs:[00000030h]	7_2_378C903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C903E mov eax, dword ptr fs:[00000030h]	7_2_378C903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C903E mov eax, dword ptr fs:[00000030h]	7_2_378C903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378C903E mov eax, dword ptr fs:[00000030h]	7_2_378C903E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782B052 mov eax, dword ptr fs:[00000030h]	7_2_3782B052
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A705E mov ebx, dword ptr fs:[00000030h]	7_2_378A705E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A705E mov eax, dword ptr fs:[00000030h]	7_2_378A705E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788106E mov eax, dword ptr fs:[00000030h]	7_2_3788106E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5060 mov eax, dword ptr fs:[00000030h]	7_2_378D5060
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov ecx, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811070 mov eax, dword ptr fs:[00000030h]	7_2_37811070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FD08D mov eax, dword ptr fs:[00000030h]	7_2_377FD08D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787D070 mov ecx, dword ptr fs:[00000030h]	7_2_3787D070
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov eax, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov eax, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov eax, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov ecx, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37811F92 mov eax, dword ptr fs:[00000030h]	7_2_37811F92
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A3F90 mov eax, dword ptr fs:[00000030h]	7_2_378A3F90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A3F90 mov eax, dword ptr fs:[00000030h]	7_2_378A3F90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783BFB0 mov eax, dword ptr fs:[00000030h]	7_2_3783BFB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37841FB8 mov eax, dword ptr fs:[00000030h]	7_2_37841FB8
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803FC2 mov eax, dword ptr fs:[00000030h]	7_2_37803FC2
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BBFC0 mov ecx, dword ptr fs:[00000030h]	7_2_378BBFC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BBFC0 mov eax, dword ptr fs:[00000030h]	7_2_378BBFC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D3FC0 mov eax, dword ptr fs:[00000030h]	7_2_378D3FC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37831FCD mov eax, dword ptr fs:[00000030h]	7_2_37831FCD
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37831FCD mov eax, dword ptr fs:[00000030h]	7_2_37831FCD
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37831FCD mov eax, dword ptr fs:[00000030h]	7_2_37831FCD
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37883FD7 mov eax, dword ptr fs:[00000030h]	7_2_37883FD7
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783BFEC mov eax, dword ptr fs:[00000030h]	7_2_3783BFEC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783BFEC mov eax, dword ptr fs:[00000030h]	7_2_3783BFEC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783BFEC mov eax, dword ptr fs:[00000030h]	7_2_3783BFEC
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788DF10 mov eax, dword ptr fs:[00000030h]	7_2_3788DF10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37881F13 mov eax, dword ptr fs:[00000030h]	7_2_37881F13
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BDF2F mov eax, dword ptr fs:[00000030h]	7_2_378BDF2F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FBFD0 mov eax, dword ptr fs:[00000030h]	7_2_377FBFD0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378A7F3E mov eax, dword ptr fs:[00000030h]	7_2_378A7F3E
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3787FF42 mov eax, dword ptr fs:[00000030h]	7_2_3787FF42
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801F50 mov eax, dword ptr fs:[00000030h]	7_2_37801F50
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37837F51 mov eax, dword ptr fs:[00000030h]	7_2_37837F51
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782BF60 mov eax, dword ptr fs:[00000030h]	7_2_3782BF60
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FFF90 mov edi, dword ptr fs:[00000030h]	7_2_377FFF90
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FBE78 mov ecx, dword ptr fs:[00000030h]	7_2_377FBE78
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37833E8F mov eax, dword ptr fs:[00000030h]	7_2_37833E8F
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788DE9B mov eax, dword ptr fs:[00000030h]	7_2_3788DE9B
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37807E96 mov eax, dword ptr fs:[00000030h]	7_2_37807E96
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788DEAA mov eax, dword ptr fs:[00000030h]	7_2_3788DEAA
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ADEB0 mov eax, dword ptr fs:[00000030h]	7_2_378ADEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ADEB0 mov ecx, dword ptr fs:[00000030h]	7_2_378ADEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ADEB0 mov eax, dword ptr fs:[00000030h]	7_2_378ADEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ADEB0 mov eax, dword ptr fs:[00000030h]	7_2_378ADEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378ADEB0 mov eax, dword ptr fs:[00000030h]	7_2_378ADEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378BDEB0 mov eax, dword ptr fs:[00000030h]	7_2_378BDEB0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3780BEC0 mov eax, dword ptr fs:[00000030h]	7_2_3780BEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3782FEC0 mov eax, dword ptr fs:[00000030h]	7_2_3782FEC0
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3788FEC5 mov eax, dword ptr fs:[00000030h]	7_2_3788FEC5
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B9EDF mov eax, dword ptr fs:[00000030h]	7_2_378B9EDF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378B9EDF mov eax, dword ptr fs:[00000030h]	7_2_378B9EDF
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803EE1 mov eax, dword ptr fs:[00000030h]	7_2_37803EE1
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37833EEB mov ecx, dword ptr fs:[00000030h]	7_2_37833EEB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37833EEB mov eax, dword ptr fs:[00000030h]	7_2_37833EEB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37833EEB mov eax, dword ptr fs:[00000030h]	7_2_37833EEB
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CBEE6 mov eax, dword ptr fs:[00000030h]	7_2_378CBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CBEE6 mov eax, dword ptr fs:[00000030h]	7_2_378CBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CBEE6 mov eax, dword ptr fs:[00000030h]	7_2_378CBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378CBEE6 mov eax, dword ptr fs:[00000030h]	7_2_378CBEE6
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_377FDE10 mov eax, dword ptr fs:[00000030h]	7_2_377FDE10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803EF4 mov eax, dword ptr fs:[00000030h]	7_2_37803EF4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803EF4 mov eax, dword ptr fs:[00000030h]	7_2_37803EF4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37803EF4 mov eax, dword ptr fs:[00000030h]	7_2_37803EF4
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3783BE17 mov eax, dword ptr fs:[00000030h]	7_2_3783BE17
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D3E10 mov eax, dword ptr fs:[00000030h]	7_2_378D3E10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D3E10 mov eax, dword ptr fs:[00000030h]	7_2_378D3E10
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781DE2D mov eax, dword ptr fs:[00000030h]	7_2_3781DE2D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781DE2D mov eax, dword ptr fs:[00000030h]	7_2_3781DE2D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_3781DE2D mov eax, dword ptr fs:[00000030h]	7_2_3781DE2D
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801E30 mov eax, dword ptr fs:[00000030h]	7_2_37801E30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_37801E30 mov eax, dword ptr fs:[00000030h]	7_2_37801E30
Source: C:\Users\user\Desktop\0GuwV0t2UU.exe	Code function: 7_2_378D5E37 mov eax, dword ptr fs:[00000030h]	7_2_378D5E37

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

Process created: C:\Users\user\Desktop\0GuwV0t2UU.exe "C:\Users\user\Desktop\0GuwV0t2UU.exe"

Source: C:\Users\user\Desktop\0GuwV0t2UU.exe

0_2_00403665

Stealing of Sensitive Information

Source: Yara match

File source: 00000007.00000002.3145283903.0000000037460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match

File source: 00000007.00000002.3145283903.0000000037460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0GuwV0t2UU.exe	58%	ReversingLabs	Win32.Trojan.Guloader
0GuwV0t2UU.exe	100%	Avira	HEUR/AGEN.1336713

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsaC158.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://alfacen.com/escDKcLKdKFF2.bin	0%	Avira URL Cloud	safe
https://alfacen.com/escDKcLKdKFF2.bin=	0%	Avira URL Cloud	safe
https://alfacen.com/8	0%	Avira URL Cloud	safe
https://alfacen.com/escDKcLKdKFF2.bin$	0%	Avira URL Cloud	safe
https://alfacen.com/escDKcLKdKFF2.bin.	0%	Avira URL Cloud	safe
https://alfacen.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
alfacen.com	193.107.36.30	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://alfacen.com/escDKcLKdKFF2.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0GuwV0t2UU.exe, 00000007.00000001.2399745830.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false		high
https://alfacen.com/escDKcLKdKFF2.bin$	0GuwV0t2UU.exe, 00000007.00000002.3115603087.00000000074E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0GuwV0t2UU.exe, 00000007.00000001.2399745830.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false		high
https://alfacen.com/8	0GuwV0t2UU.exe, 00000007.00000002.3115603087.0000000007523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	0GuwV0t2UU.exe, 00000000.00000002.2399942907.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 0GuwV0t2UU.exe, 00000000.00000000.1398904537.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
https://alfacen.com/	0GuwV0t2UU.exe, 00000007.00000002.3115603087.0000000007523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://alfacen.com/escDKcLKdKFF2.bin.	0GuwV0t2UU.exe, 00000007.00000002.3115603087.00000000074E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://alfacen.com/escDKcLKdKFF2.bin=	0GuwV0t2UU.exe, 00000007.00000003.2777936328.0000000007534000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000003.2777753505.0000000007534000.00000004.00000020.00020000.00000000.sdmp, 0GuwV0t2UU.exe, 00000007.00000002.3115865234.0000000007536000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0GuwV0t2UU.exe, 00000007.00000001.2399745830.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.107.36.30	alfacen.com	Bulgaria		201200	SUPERHOSTING_ASBG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549467
Start date and time:	2024-11-05 17:07:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0GuwV0t2UU.exe renamed because original name is a hash value
Original Sample Name:	d29146778b6cd9ce8c5d12a8f3fc16a9d25bdc27d2588bb0e70d57728deb0fff.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/9@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 56 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 0GuwV0t2UU.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.107.36.30	450707124374000811.exe	Get hash	malicious	GuLoader	Browse
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse
	SKM_C25024100408500.vbs	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
alfacen.com	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C25024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SUPERHOSTING_ASBG	Rob.Kuster@stonhard.com.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.45.66.155
	zip file.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.45.66.155
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	Potwierdzenie.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	SKM_C16024100408500.vbs	Get hash	malicious	GuLoader	Browse	193.107.36.30

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	K22jLJUukr.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	H096Ewc7ki.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	193.107.36.30
	T4WYgRfsgy.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.107.36.30
	lN65vHBnAu.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.107.36.30
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	374UU58JVt.exe	Get hash	malicious	FormBook, GuLoader	Browse	193.107.36.30
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	193.107.36.30
	kzTEwlPWa0.exe	Get hash	malicious	GuLoader	Browse	193.107.36.30

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsaC158.tmp\System.dll	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse
	NacahSetup.exe	Get hash	malicious	Unknown	Browse
	NacahSetup.exe	Get hash	malicious	Unknown	Browse
	PO-33463334788.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Bestellung.vbs	Get hash	malicious	GuLoader	Browse
	Bestellung_101624.vbs	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsaC158.tmp\System.dll

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: eXaiza8cQ5.exe, Detection: malicious, Browse Filename: eXaiza8cQ5.exe, Detection: malicious, Browse Filename: NacahSetup.exe, Detection: malicious, Browse Filename: NacahSetup.exe, Detection: malicious, Browse Filename: PO-33463334788.exe, Detection: malicious, Browse Filename: Brneforsorgspdagogers.exe, Detection: malicious, Browse Filename: Brneforsorgspdagogers.exe, Detection: malicious, Browse Filename: Bestellung.vbs, Detection: malicious, Browse Filename: Bestellung_101624.vbs, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsuC04D.tmp

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	1946975
Entropy (8bit):	2.806117804909863
Encrypted:	false
SSDEEP:	12288:rR9mfmPGpuRRZ8fzb4ylVIXRmOE6gKEiW/aSz:F8cSuxqb4SVmRrg7/aSz
MD5:	5B3BB2247C7ECBB474B9D2DAD6B48F7F
SHA1:	4796B4FB3B381194AD4402FD32B6EA0DBCB90C56
SHA-256:	8AF0A5CC73F2E6AF20549B6B19A0E36BB8237D4F55F21AC9A0BA96DD1B188EFF
SHA-512:	933549DD6B71638B9775C9F536C56BE5F5BEF0E65D94A580DB9D64CF68BC870F51110153445F300E9D3C9B5E34E35BAF35158EEC7A685FB6D3C6262F5A8706F2
Malicious:	false
Reputation:	low
Preview:	vJ......,.......,.......\.......`-......DI......FJ...........................................................v..............................................................................................................................................................................G...Z...............h...............................................................g...............................................................j.............................................................................................................................../.......................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\fllesskabsejede\Modfaldent\Postnota.Ser

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	303518
Entropy (8bit):	7.693063601326674
Encrypted:	false
SSDEEP:	6144:ymfmP8hrVppgNRAGvMptu8fZZ7zbm3IkyZXV1ytd8fkW9ZoE6z:ymfmPGpuRRZ8fzb4ylVIXRmOE6z
MD5:	51581B43F9E295BE259A5A956CF2DA8F
SHA1:	2223CD8EB3D3F4588EBAA556C334B7B31931E5F6
SHA-256:	B5B3ACFB1E514A8EEFDBF28AFB9672B9DBB205A429A215CC70C9762D61DE0A40
SHA-512:	07CCA659E1C9E7A144710FF35388668DA21C0EAE6D876EF3062BF4482D3DD62F710DA6085666B80C3717BAA6FEBA71244D055B17549BB527FF21CCB704B4B779
Malicious:	false
Reputation:	low
Preview:	....................,...A... ........Y.. ................j............CCC.P.........~.........==.....k...........8888...........0....wwww.....&............nn.....HHH.{{........~.fff.....p...&...-...jj....................................00.vvv..................v......2......]]].....k..&.....mm.................J.X.........g..o...............i....!....bbb.............................B................G...............V..qq...................;;;.....nnn........../.'..............................................1..Q.=.3............0...........%%%%%.I.....2.111111. .).............................=......k.:...........kk.kk.....C..h......'..............K...................\\\......f........www.c....................................................QQ...z...:............l..............$$$$............5.......aaa.J..\\..SS...FFF..............4444...........@@..NNNN.......:.^..++......................~......>.N...................q.........II........8.............).........................>.......

C:\Users\user\fllesskabsejede\Modfaldent\Upstander.Rum

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	69084
Entropy (8bit):	4.603760453423635
Encrypted:	false
SSDEEP:	1536:7z9lFzNYTn70XJGL4lb6Wl5ExQHzQmlhrBl48V:FDBI70XcGbn5EeHznxoq
MD5:	ACB2833B890437599A3E6A332916AC8D
SHA1:	4D80FEDC90EFDF3F68AD05F71E4DA687084EF8C4
SHA-256:	1F7C38980704550B4E915F4137F30004BBF3EC81BCC61ADB7E88C6D9DE343E45
SHA-512:	6B4BEE3FACED797A01920BE6230244E901E35706FE4274FF1625AEAB1C5DD9D61CDDE173596B2311DCA9344DF0E6B41585E5788CAADDA62E8FB8B1C312F433CF
Malicious:	false
Reputation:	low
Preview:	...Z...U...{{....................]...b....................................O.[[.mm..............Q......................N.........[[...........(.WW....;.UU.jj............J....................................ttt."......................\..`..........w.........`............P.@....%%...{....ooo.................................................}}}}}}}}.....??...ww...VVVV...........JJ.....................******........1...............iiiii...........TTT.......7..............___.`.......0................{.......hh...~~............................iii......................d.kk.}.OO...............?...j.........qq..CCC..'.......f.ggg...............!!......TTT..7...w........OO.........''.....TT..............cc.}}}.......%..((.....o.............**..b...............tttt........................^.................XXX....................Y...........t.llll.....LL..P........R.FF.=.....$.R.....++.}..............h......}}}}}.....T.::::..v.FF.U.....ss................x.......ggg.................. ........

C:\Users\user\fllesskabsejede\Modfaldent\brevformularens.ste

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	449187
Entropy (8bit):	1.237422861698846
Encrypted:	false
SSDEEP:	1536:eC1rHCXyOIiJOV+okMSfFtaFhH6FSr75qYdB04whG:eC1r5OIiJz/iXH6FSr7IIrwhG
MD5:	CA16C710B6F58865710B74F64D516AC5
SHA1:	E67537C4BC3C64F4085305F81C5595732E36E9CD
SHA-256:	251E742EEC6E46D3FA512EB3CE25A2DDEF371CFF7E5F3596D98F1BBCD028ED6F
SHA-512:	9ED1024823C038B7CF951ECD73779EB492B0D858994848A752F36A7480BB573AA032E3C5684697A0AD89F8DE189460D236A3015805F450D0F5703B84E873AF3A
Malicious:	false
Preview:	...................................................."........../.......................T.....................v........j.......................(...........................................................Q......................................................................................................................................................................Z........................D................................^..........................................................T......................................................}.....m...+.......................................$.............G............b......................@...................................................................y............................B.........................6....................*................!......6.....................................{...................<../..........C.....................................................;......................................................8........

C:\Users\user\fllesskabsejede\Modfaldent\irritabel.lic

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	465587
Entropy (8bit):	1.258057339820465
Encrypted:	false
SSDEEP:	768:5ey7/lr4xtCx8bJJGSu+O+sKqBXJwdTd7QJTB4+3GIc+u0ehBDl2jkv7qfadwjus:zOrUXKKtq6s5Jj3X1ir
MD5:	F7A3A6A56220B4F010490D77066CC809
SHA1:	658A58A63948A2E3D2DAA133F1A962090C6F56B5
SHA-256:	78052B085ECF2B27FA90AD47EA7DA69AF0FE075FD81FA4F62DEE0324912062FD
SHA-512:	B7AAA9767FB1FDE4948678AF664567126926311ECDA34C3D6C0F01C36DD126FC9233CEFDE6A0CDFC200B716143F4FA333B7F3039BDC145376B1AA67C820DC3BD
Malicious:	false
Preview:	....................".................................A........v.........................................................................G.......................T.......................................................................................................N...........................J..................s......`.................>.......>..........._._.i.....................................................................................................................................4...........................m....................<...............ry....s.........Z...................B.................................^..............$...........................a...........................................q...........................B........................................................5...............................................l.........................@........p.........................................................................................7.......i.........E....

C:\Users\user\fllesskabsejede\Modfaldent\osteodentinal.txt

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	464
Entropy (8bit):	4.2785660816531506
Encrypted:	false
SSDEEP:	6:eAbLsAJn+tmAXRbALVWHy5qLCA0Ybl/3WYJUXq19F0zXZ6Zy65YMEAHbzMa3GeQk:UAmCvOD0YdeX8ioZ/THZ2evzBb1
MD5:	0B2D2CB964A22694778B3639FB67E1D0
SHA1:	75EC16F528D750772DA87CF82B89AEAE9651CD2C
SHA-256:	604E104ADEDA28672779957466B71CF51B610BDEA5A1C3D54084CBA0C239ED1C
SHA-512:	1357F9129AA23F546CE5F4F9821C209928D39109E67F273A83914E25F7BA9D10A7A2D0ACD44AE507FCAC9B88780CFAD371508403E95FD56520CBC31AB3793F4E
Malicious:	false
Preview:	unrepentant underdrive unnovel megalopore learchus samletank overbait fluevgteren studio sportsfly..appellabelt centro ttninger forhaabnings nrarucu uddataskemaernes,tyvekronesedlens reproduktioner gevirer mikrofonens anbefalelsesvrdigstes podargidae knapstvlers..arculite riningerne autoriserings pyrotechnician chatelaines percolating.pluripartite biavl physiopathologic recoloration sapful creedalist,windermost fibrocytic vandpest oakenshaw genopfrtes caitiff.

C:\Users\user\fllesskabsejede\Modfaldent\subsidieringens.lan

Process:	C:\Users\user\Desktop\0GuwV0t2UU.exe
File Type:	data
Category:	dropped
Size (bytes):	355322
Entropy (8bit):	1.248668847963627
Encrypted:	false
SSDEEP:	768:aMrIrJVUmy9wRXGk+LZS+DgA/uaOPNAaT2jd9JE66AUw0oGjg3cSnZSSM/iu8MRt:7wcjuacoqXjg3hgNltIS1vB/E8g
MD5:	F7F3749CDD0D5BADCBB47E3D35654BF1
SHA1:	889CA65BD3EDAFCCDB90C2CA5C72185A6FEC3436
SHA-256:	8CD826E589CDBAB5B02AE83033424D4CC0B0E3DCACAEB207F7D20CA917022564
SHA-512:	5BDA06183A804C9E4172293F48F74745A02533FACF8604542EA39E4C38DBD1A7ACACB1DD1AB158A635C1CD1E0B19698127CA97CCD6AA16D0EEEAEAF22555B1B0
Malicious:	false
Preview:	.................................................................\|........................................................A....X.o.......................U...........q......................................(.......................................................\|......................................................................._...}.......................................g.................................&..............................................................................7.t....F.........................$...T.............7.............w.........................................................d............................................................................................................}..........N....................!.#.....*.............b............................b..M.....M........S................P...............G................&....h......H..........................}..........i....f.................................e.'..<k...../.s........................

C:\Users\user\fllesskabsejede\Modfaldent\undiscoursed.can