Windows Analysis Report
450707124374000811.exe

Overview

General Information

Sample name:	450707124374000811.exe
Analysis ID:	1538185
MD5:	22aeab62009aaa9073b3159d7da1195e
SHA1:	602dd47b6910a522be90fc47d10d5c26a836a01a
SHA256:	1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
Tags:	exeuser-Racco42
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Opens the same file many times (likely Sandbox evasion)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 450707124374000811.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 450707124374000811.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses 32bit PE files

Source: 450707124374000811.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49846 version: TLS 1.2

Source: 450707124374000811.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_004065C5 FindFirstFileW,FindClose,	0_2_004065C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405990
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 193.107.36.30 193.107.36.30

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /GZgWeuQ77.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: alfacen.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: alfacen.com

Source: 450707124374000811.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914434023.0000000034D30000.00000004.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893349281.000000000562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.bin
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.bine
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.bine/Q
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.binf
Source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49846 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405425

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\450707124374000811.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359635C0 NtCreateMutant,LdrInitializeThunk,	4_2_359635C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35962DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_35962DF0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35963090 NtSetValueKey,	4_2_35963090
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35963010 NtOpenDirectoryObject,	4_2_35963010

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403373

Detected potential crypto function

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00404C62	0_2_00404C62
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00406ADD	0_2_00406ADD
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_004072B4	0_2_004072B4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CD5B0	4_2_359CD5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F95C3	4_2_359F95C3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E7571	4_2_359E7571
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359EF43F	4_2_359EF43F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359EF7B0	4_2_359EF7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35975630	4_2_35975630
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593B1B0	4_2_3593B1B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB16B	4_2_359FB16B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3596516C	4_2_3596516C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF0CC	4_2_359DF0CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E70E9	4_2_359E70E9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359EF0E0	4_2_359EF0E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3597739A	4_2_3597739A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E132D	4_2_359E132D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D34C	4_2_3591D34C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D2F0	4_2_3594D2F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED	4_2_359D12ED

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: String function: 3591B970 appears 96 times

PE file contains executable resources (Code or Archives)

Source: 450707124374000811.exe

Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Sample file is different than original file name gathered from version info

Source: 450707124374000811.exe, 00000004.00000002.2914801350.0000000035BC1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
Source: 450707124374000811.exe, 00000004.00000003.2862772211.00000000356C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
Source: 450707124374000811.exe, 00000004.00000003.2864836378.0000000035873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe

Uses 32bit PE files

Source: 450707124374000811.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/8@1/1

Source: C:\Users\user\Desktop\450707124374000811.exe

0_2_00403373

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E6

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\450707124374000811.exe

File created: C:\Users\user\AppData\Roaming\pechay

Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe

File created: C:\Users\user\AppData\Local\Temp\nsfA7DB.tmp

Jump to behavior

Source: 450707124374000811.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\450707124374000811.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 450707124374000811.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\450707124374000811.exe

File read: C:\Users\user\Desktop\450707124374000811.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"
Source: C:\Users\user\Desktop\450707124374000811.exe	Process created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"

Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 450707124374000811.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2468313249.0000000002BF8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_10002DE0 push eax; ret		0_2_10002E0E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_358F1368 push eax; iretd		4_2_358F1369

Drops PE files

Source: C:\Users\user\Desktop\450707124374000811.exe

File created: C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\450707124374000811.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\450707124374000811.exe

File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Saddukisk233\centerleder.ini count: 45722

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\450707124374000811.exe	API/Special instruction interceptor: Address: 31291AD
Source: C:\Users\user\Desktop\450707124374000811.exe	API/Special instruction interceptor: Address: 1D091AD

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\450707124374000811.exe	RDTSC instruction interceptor: First address: 30EC9BB second address: 30EC9BB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700C58778h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, dl 0x0000000a rdtsc
Source: C:\Users\user\Desktop\450707124374000811.exe	RDTSC instruction interceptor: First address: 1CCC9BB second address: 1CCC9BB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700D7BE88h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, dl 0x0000000a rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 4_2_3599D1C0 rdtsc

4_2_3599D1C0

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\450707124374000811.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\450707124374000811.exe

API coverage: 0.4 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\450707124374000811.exe TID: 796

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_004065C5 FindFirstFileW,FindClose,	0_2_004065C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405990
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: 450707124374000811.exe, 00000004.00000003.2863443830.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863224736.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893481986.000000000566C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863443830.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863224736.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893481986.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\450707124374000811.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\450707124374000811.exe	API call chain: ExitProcess graph end node

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 4_2_3599D1C0 rdtsc

4_2_3599D1C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 4_2_359635C0 NtCreateMutant,LdrInitializeThunk,

4_2_359635C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AB594 mov eax, dword ptr fs:[00000030h]	4_2_359AB594
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AB594 mov eax, dword ptr fs:[00000030h]	4_2_359AB594
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]	4_2_3591758F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]	4_2_3591758F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]	4_2_3591758F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF5BE mov eax, dword ptr fs:[00000030h]	4_2_359DF5BE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35B6 mov eax, dword ptr fs:[00000030h]	4_2_359F35B6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359BD5B0 mov eax, dword ptr fs:[00000030h]	4_2_359BD5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359BD5B0 mov eax, dword ptr fs:[00000030h]	4_2_359BD5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h]	4_2_359F35D7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h]	4_2_359F35D7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h]	4_2_359F35D7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D5D0 mov eax, dword ptr fs:[00000030h]	4_2_3599D5D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D5D0 mov ecx, dword ptr fs:[00000030h]	4_2_3599D5D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359495DA mov eax, dword ptr fs:[00000030h]	4_2_359495DA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359555C0 mov eax, dword ptr fs:[00000030h]	4_2_359555C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F55C9 mov eax, dword ptr fs:[00000030h]	4_2_359F55C9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957505 mov eax, dword ptr fs:[00000030h]	4_2_35957505
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957505 mov ecx, dword ptr fs:[00000030h]	4_2_35957505
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D530 mov eax, dword ptr fs:[00000030h]	4_2_3595D530
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D530 mov eax, dword ptr fs:[00000030h]	4_2_3595D530
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5537 mov eax, dword ptr fs:[00000030h]	4_2_359F5537
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB52F mov eax, dword ptr fs:[00000030h]	4_2_359DB52F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h]	4_2_359CB550
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h]	4_2_359CB550
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h]	4_2_359CB550
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595B570 mov eax, dword ptr fs:[00000030h]	4_2_3595B570
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595B570 mov eax, dword ptr fs:[00000030h]	4_2_3595B570
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B562 mov eax, dword ptr fs:[00000030h]	4_2_3591B562
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B480 mov eax, dword ptr fs:[00000030h]	4_2_3591B480
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35929486 mov eax, dword ptr fs:[00000030h]	4_2_35929486
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35929486 mov eax, dword ptr fs:[00000030h]	4_2_35929486
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359174B0 mov eax, dword ptr fs:[00000030h]	4_2_359174B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359174B0 mov eax, dword ptr fs:[00000030h]	4_2_359174B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359534B0 mov eax, dword ptr fs:[00000030h]	4_2_359534B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C74B0 mov eax, dword ptr fs:[00000030h]	4_2_359C74B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F54DB mov eax, dword ptr fs:[00000030h]	4_2_359F54DB
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C94E0 mov eax, dword ptr fs:[00000030h]	4_2_359C94E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A7410 mov eax, dword ptr fs:[00000030h]	4_2_359A7410
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594340D mov eax, dword ptr fs:[00000030h]	4_2_3594340D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF453 mov eax, dword ptr fs:[00000030h]	4_2_359DF453
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F547F mov eax, dword ptr fs:[00000030h]	4_2_359F547F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF78A mov eax, dword ptr fs:[00000030h]	4_2_359DF78A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D7B0 mov eax, dword ptr fs:[00000030h]	4_2_3594D7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F37B6 mov eax, dword ptr fs:[00000030h]	4_2_359F37B6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DD7B0 mov eax, dword ptr fs:[00000030h]	4_2_359DD7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DD7B0 mov eax, dword ptr fs:[00000030h]	4_2_359DD7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A97A9 mov eax, dword ptr fs:[00000030h]	4_2_359A97A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h]	4_2_359257C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h]	4_2_359257C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h]	4_2_359257C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D7E0 mov ecx, dword ptr fs:[00000030h]	4_2_3592D7E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595F71F mov eax, dword ptr fs:[00000030h]	4_2_3595F71F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595F71F mov eax, dword ptr fs:[00000030h]	4_2_3595F71F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35925702 mov eax, dword ptr fs:[00000030h]	4_2_35925702
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35925702 mov eax, dword ptr fs:[00000030h]	4_2_35925702
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927703 mov eax, dword ptr fs:[00000030h]	4_2_35927703
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919730 mov eax, dword ptr fs:[00000030h]	4_2_35919730
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919730 mov eax, dword ptr fs:[00000030h]	4_2_35919730
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35955734 mov eax, dword ptr fs:[00000030h]	4_2_35955734
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592973A mov eax, dword ptr fs:[00000030h]	4_2_3592973A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592973A mov eax, dword ptr fs:[00000030h]	4_2_3592973A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35923720 mov eax, dword ptr fs:[00000030h]	4_2_35923720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h]	4_2_3593F720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h]	4_2_3593F720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h]	4_2_3593F720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF72E mov eax, dword ptr fs:[00000030h]	4_2_359DF72E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E972B mov eax, dword ptr fs:[00000030h]	4_2_359E972B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h]	4_2_35933740
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h]	4_2_35933740
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h]	4_2_35933740
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F3749 mov eax, dword ptr fs:[00000030h]	4_2_359F3749
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h]	4_2_359176B2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h]	4_2_359176B2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h]	4_2_359176B2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D6AA mov eax, dword ptr fs:[00000030h]	4_2_3591D6AA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D6AA mov eax, dword ptr fs:[00000030h]	4_2_3591D6AA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF6C7 mov eax, dword ptr fs:[00000030h]	4_2_359DF6C7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359516CF mov eax, dword ptr fs:[00000030h]	4_2_359516CF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DD6F0 mov eax, dword ptr fs:[00000030h]	4_2_359DD6F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3594D6E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3594D6E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35923616 mov eax, dword ptr fs:[00000030h]	4_2_35923616
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35923616 mov eax, dword ptr fs:[00000030h]	4_2_35923616
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35951607 mov eax, dword ptr fs:[00000030h]	4_2_35951607
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595F603 mov eax, dword ptr fs:[00000030h]	4_2_3595F603
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5636 mov eax, dword ptr fs:[00000030h]	4_2_359F5636
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35959660 mov eax, dword ptr fs:[00000030h]	4_2_35959660
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35959660 mov eax, dword ptr fs:[00000030h]	4_2_35959660
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359BD660 mov eax, dword ptr fs:[00000030h]	4_2_359BD660
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35977190 mov eax, dword ptr fs:[00000030h]	4_2_35977190
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D5180 mov eax, dword ptr fs:[00000030h]	4_2_359D5180
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D5180 mov eax, dword ptr fs:[00000030h]	4_2_359D5180
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593B1B0 mov eax, dword ptr fs:[00000030h]	4_2_3593B1B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D1D0 mov eax, dword ptr fs:[00000030h]	4_2_3595D1D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D1D0 mov ecx, dword ptr fs:[00000030h]	4_2_3595D1D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F51CB mov eax, dword ptr fs:[00000030h]	4_2_359F51CB
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C71F9 mov esi, dword ptr fs:[00000030h]	4_2_359C71F9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F31E1 mov eax, dword ptr fs:[00000030h]	4_2_359F31E1
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359251ED mov eax, dword ptr fs:[00000030h]	4_2_359251ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921131 mov eax, dword ptr fs:[00000030h]	4_2_35921131
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921131 mov eax, dword ptr fs:[00000030h]	4_2_35921131
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F7120 mov eax, dword ptr fs:[00000030h]	4_2_359F7120
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927152 mov eax, dword ptr fs:[00000030h]	4_2_35927152
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5152 mov eax, dword ptr fs:[00000030h]	4_2_359F5152
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h]	4_2_359B3140
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h]	4_2_359B3140
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h]	4_2_359B3140
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B9179 mov eax, dword ptr fs:[00000030h]	4_2_359B9179
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35925096 mov eax, dword ptr fs:[00000030h]	4_2_35925096
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D090 mov eax, dword ptr fs:[00000030h]	4_2_3594D090
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D090 mov eax, dword ptr fs:[00000030h]	4_2_3594D090
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595909C mov eax, dword ptr fs:[00000030h]	4_2_3595909C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AD080 mov eax, dword ptr fs:[00000030h]	4_2_359AD080
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AD080 mov eax, dword ptr fs:[00000030h]	4_2_359AD080
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D08D mov eax, dword ptr fs:[00000030h]	4_2_3591D08D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F50D9 mov eax, dword ptr fs:[00000030h]	4_2_359F50D9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359490DB mov eax, dword ptr fs:[00000030h]	4_2_359490DB
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D0C0 mov eax, dword ptr fs:[00000030h]	4_2_3599D0C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D0C0 mov eax, dword ptr fs:[00000030h]	4_2_3599D0C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359450E4 mov eax, dword ptr fs:[00000030h]	4_2_359450E4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359450E4 mov ecx, dword ptr fs:[00000030h]	4_2_359450E4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C705E mov ebx, dword ptr fs:[00000030h]	4_2_359C705E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C705E mov eax, dword ptr fs:[00000030h]	4_2_359C705E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B052 mov eax, dword ptr fs:[00000030h]	4_2_3594B052
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov ecx, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D070 mov ecx, dword ptr fs:[00000030h]	4_2_3599D070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A106E mov eax, dword ptr fs:[00000030h]	4_2_359A106E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5060 mov eax, dword ptr fs:[00000030h]	4_2_359F5060
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F539D mov eax, dword ptr fs:[00000030h]	4_2_359F539D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3597739A mov eax, dword ptr fs:[00000030h]	4_2_3597739A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3597739A mov eax, dword ptr fs:[00000030h]	4_2_3597739A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]	4_2_359C13B9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]	4_2_359C13B9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]	4_2_359C13B9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359433A5 mov eax, dword ptr fs:[00000030h]	4_2_359433A5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359533A0 mov eax, dword ptr fs:[00000030h]	4_2_359533A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359533A0 mov eax, dword ptr fs:[00000030h]	4_2_359533A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB3D0 mov ecx, dword ptr fs:[00000030h]	4_2_359DB3D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F53FC mov eax, dword ptr fs:[00000030h]	4_2_359F53FC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF3E6 mov eax, dword ptr fs:[00000030h]	4_2_359DF3E6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]	4_2_359A930B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]	4_2_359A930B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]	4_2_359A930B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35917330 mov eax, dword ptr fs:[00000030h]	4_2_35917330
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E132D mov eax, dword ptr fs:[00000030h]	4_2_359E132D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E132D mov eax, dword ptr fs:[00000030h]	4_2_359E132D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F32A mov eax, dword ptr fs:[00000030h]	4_2_3594F32A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919353 mov eax, dword ptr fs:[00000030h]	4_2_35919353
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919353 mov eax, dword ptr fs:[00000030h]	4_2_35919353
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D34C mov eax, dword ptr fs:[00000030h]	4_2_3591D34C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D34C mov eax, dword ptr fs:[00000030h]	4_2_3591D34C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5341 mov eax, dword ptr fs:[00000030h]	4_2_359F5341
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]	4_2_35927370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]	4_2_35927370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]	4_2_35927370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C3370 mov eax, dword ptr fs:[00000030h]	4_2_359C3370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF367 mov eax, dword ptr fs:[00000030h]	4_2_359DF367
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595329E mov eax, dword ptr fs:[00000030h]	4_2_3595329E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595329E mov eax, dword ptr fs:[00000030h]	4_2_3595329E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5283 mov eax, dword ptr fs:[00000030h]	4_2_359F5283
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov eax, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov eax, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov ecx, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov ecx, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B72A0 mov eax, dword ptr fs:[00000030h]	4_2_359B72A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B72A0 mov eax, dword ptr fs:[00000030h]	4_2_359B72A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3591B2D3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3591B2D3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3591B2D3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3594F2D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3594F2D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359292C5 mov eax, dword ptr fs:[00000030h]	4_2_359292C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359292C5 mov eax, dword ptr fs:[00000030h]	4_2_359292C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF2F8 mov eax, dword ptr fs:[00000030h]	4_2_359DF2F8
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB2F0 mov eax, dword ptr fs:[00000030h]	4_2_359CB2F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB2F0 mov eax, dword ptr fs:[00000030h]	4_2_359CB2F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359192FF mov eax, dword ptr fs:[00000030h]	4_2_359192FF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F52E2 mov eax, dword ptr fs:[00000030h]	4_2_359F52E2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957208 mov eax, dword ptr fs:[00000030h]	4_2_35957208
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957208 mov eax, dword ptr fs:[00000030h]	4_2_35957208
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5227 mov eax, dword ptr fs:[00000030h]	4_2_359F5227
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB256 mov eax, dword ptr fs:[00000030h]	4_2_359DB256
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB256 mov eax, dword ptr fs:[00000030h]	4_2_359DB256
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919240 mov eax, dword ptr fs:[00000030h]	4_2_35919240
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919240 mov eax, dword ptr fs:[00000030h]	4_2_35919240
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595724D mov eax, dword ptr fs:[00000030h]	4_2_3595724D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35949274 mov eax, dword ptr fs:[00000030h]	4_2_35949274

Source: C:\Users\user\Desktop\450707124374000811.exe

0_2_00403373

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.107.36.30	alfacen.com	Bulgaria		201200	SUPERHOSTING_ASBG	false

Contacted Domains

Name	IP	Active
alfacen.com	193.107.36.30	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://alfacen.com/GZgWeuQ77.bin	false		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 450707124374000811.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 450707124374000811.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses 32bit PE files

Source: 450707124374000811.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49846 version: TLS 1.2

Source: 450707124374000811.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_004065C5 FindFirstFileW,FindClose,	0_2_004065C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405990
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 193.107.36.30 193.107.36.30

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /GZgWeuQ77.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: alfacen.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: alfacen.com

Source: 450707124374000811.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914434023.0000000034D30000.00000004.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893349281.000000000562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.bin
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.bine
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.bine/Q
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alfacen.com/GZgWeuQ77.binf
Source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846

Source: unknown

HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49846 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\450707124374000811.exe

0_2_00405425

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\450707124374000811.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359635C0 NtCreateMutant,LdrInitializeThunk,	4_2_359635C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35962DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_35962DF0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35963090 NtSetValueKey,	4_2_35963090
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35963010 NtOpenDirectoryObject,	4_2_35963010

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\450707124374000811.exe

0_2_00403373

Detected potential crypto function

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00404C62	0_2_00404C62
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00406ADD	0_2_00406ADD
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_004072B4	0_2_004072B4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CD5B0	4_2_359CD5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F95C3	4_2_359F95C3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E7571	4_2_359E7571
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359EF43F	4_2_359EF43F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359EF7B0	4_2_359EF7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35975630	4_2_35975630
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593B1B0	4_2_3593B1B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB16B	4_2_359FB16B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3596516C	4_2_3596516C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF0CC	4_2_359DF0CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E70E9	4_2_359E70E9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359EF0E0	4_2_359EF0E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3597739A	4_2_3597739A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E132D	4_2_359E132D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D34C	4_2_3591D34C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D2F0	4_2_3594D2F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED	4_2_359D12ED

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: String function: 3591B970 appears 96 times

PE file contains executable resources (Code or Archives)

Source: 450707124374000811.exe

Sample file is different than original file name gathered from version info

Source: 450707124374000811.exe, 00000004.00000002.2914801350.0000000035BC1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
Source: 450707124374000811.exe, 00000004.00000003.2862772211.00000000356C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
Source: 450707124374000811.exe, 00000004.00000003.2864836378.0000000035873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe

Uses 32bit PE files

Source: 450707124374000811.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/8@1/1

Source: C:\Users\user\Desktop\450707124374000811.exe

0_2_00403373

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E6

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\450707124374000811.exe

File created: C:\Users\user\AppData\Roaming\pechay

Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe

File created: C:\Users\user\AppData\Local\Temp\nsfA7DB.tmp

Jump to behavior

Source: 450707124374000811.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\450707124374000811.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 450707124374000811.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\450707124374000811.exe

File read: C:\Users\user\Desktop\450707124374000811.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"
Source: C:\Users\user\Desktop\450707124374000811.exe	Process created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"

Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 450707124374000811.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2468313249.0000000002BF8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_10002DE0 push eax; ret		0_2_10002E0E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_358F1368 push eax; iretd		4_2_358F1369

Drops PE files

Source: C:\Users\user\Desktop\450707124374000811.exe

File created: C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\450707124374000811.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\450707124374000811.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\450707124374000811.exe

File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Saddukisk233\centerleder.ini count: 45722

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\450707124374000811.exe	API/Special instruction interceptor: Address: 31291AD
Source: C:\Users\user\Desktop\450707124374000811.exe	API/Special instruction interceptor: Address: 1D091AD

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\450707124374000811.exe	RDTSC instruction interceptor: First address: 30EC9BB second address: 30EC9BB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700C58778h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, dl 0x0000000a rdtsc
Source: C:\Users\user\Desktop\450707124374000811.exe	RDTSC instruction interceptor: First address: 1CCC9BB second address: 1CCC9BB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700D7BE88h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, dl 0x0000000a rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 4_2_3599D1C0 rdtsc

4_2_3599D1C0

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\450707124374000811.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\450707124374000811.exe

API coverage: 0.4 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\450707124374000811.exe TID: 796

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_004065C5 FindFirstFileW,FindClose,	0_2_004065C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405990
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: 450707124374000811.exe, 00000004.00000003.2863443830.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863224736.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893481986.000000000566C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863443830.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863224736.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893481986.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\450707124374000811.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\450707124374000811.exe	API call chain: ExitProcess graph end node

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 4_2_3599D1C0 rdtsc

4_2_3599D1C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 4_2_359635C0 NtCreateMutant,LdrInitializeThunk,

4_2_359635C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\450707124374000811.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AB594 mov eax, dword ptr fs:[00000030h]	4_2_359AB594
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AB594 mov eax, dword ptr fs:[00000030h]	4_2_359AB594
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]	4_2_3591758F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]	4_2_3591758F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]	4_2_3591758F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h]	4_2_359B35BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF5BE mov eax, dword ptr fs:[00000030h]	4_2_359DF5BE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3594F5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35B6 mov eax, dword ptr fs:[00000030h]	4_2_359F35B6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359BD5B0 mov eax, dword ptr fs:[00000030h]	4_2_359BD5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359BD5B0 mov eax, dword ptr fs:[00000030h]	4_2_359BD5B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h]	4_2_359415A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h]	4_2_359F35D7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h]	4_2_359F35D7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h]	4_2_359F35D7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D5D0 mov eax, dword ptr fs:[00000030h]	4_2_3599D5D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D5D0 mov ecx, dword ptr fs:[00000030h]	4_2_3599D5D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359495DA mov eax, dword ptr fs:[00000030h]	4_2_359495DA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359555C0 mov eax, dword ptr fs:[00000030h]	4_2_359555C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F55C9 mov eax, dword ptr fs:[00000030h]	4_2_359F55C9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h]	4_2_359415F4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957505 mov eax, dword ptr fs:[00000030h]	4_2_35957505
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957505 mov ecx, dword ptr fs:[00000030h]	4_2_35957505
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D530 mov eax, dword ptr fs:[00000030h]	4_2_3595D530
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D530 mov eax, dword ptr fs:[00000030h]	4_2_3595D530
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h]	4_2_3592D534
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5537 mov eax, dword ptr fs:[00000030h]	4_2_359F5537
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB52F mov eax, dword ptr fs:[00000030h]	4_2_359DB52F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h]	4_2_359CF525
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h]	4_2_359CB550
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h]	4_2_359CB550
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h]	4_2_359CB550
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595B570 mov eax, dword ptr fs:[00000030h]	4_2_3595B570
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595B570 mov eax, dword ptr fs:[00000030h]	4_2_3595B570
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B562 mov eax, dword ptr fs:[00000030h]	4_2_3591B562
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B480 mov eax, dword ptr fs:[00000030h]	4_2_3591B480
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35929486 mov eax, dword ptr fs:[00000030h]	4_2_35929486
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35929486 mov eax, dword ptr fs:[00000030h]	4_2_35929486
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359174B0 mov eax, dword ptr fs:[00000030h]	4_2_359174B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359174B0 mov eax, dword ptr fs:[00000030h]	4_2_359174B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359534B0 mov eax, dword ptr fs:[00000030h]	4_2_359534B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C74B0 mov eax, dword ptr fs:[00000030h]	4_2_359C74B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F54DB mov eax, dword ptr fs:[00000030h]	4_2_359F54DB
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C94E0 mov eax, dword ptr fs:[00000030h]	4_2_359C94E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A7410 mov eax, dword ptr fs:[00000030h]	4_2_359A7410
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594340D mov eax, dword ptr fs:[00000030h]	4_2_3594340D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h]	4_2_359CB450
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF453 mov eax, dword ptr fs:[00000030h]	4_2_359DF453
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h]	4_2_3592B440
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F547F mov eax, dword ptr fs:[00000030h]	4_2_359F547F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h]	4_2_35921460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h]	4_2_3593F460
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF78A mov eax, dword ptr fs:[00000030h]	4_2_359DF78A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D7B0 mov eax, dword ptr fs:[00000030h]	4_2_3594D7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F37B6 mov eax, dword ptr fs:[00000030h]	4_2_359F37B6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h]	4_2_3591F7BA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DD7B0 mov eax, dword ptr fs:[00000030h]	4_2_359DD7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DD7B0 mov eax, dword ptr fs:[00000030h]	4_2_359DD7B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A97A9 mov eax, dword ptr fs:[00000030h]	4_2_359A97A9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h]	4_2_359AF7AF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h]	4_2_359257C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h]	4_2_359257C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h]	4_2_359257C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592D7E0 mov ecx, dword ptr fs:[00000030h]	4_2_3592D7E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595F71F mov eax, dword ptr fs:[00000030h]	4_2_3595F71F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595F71F mov eax, dword ptr fs:[00000030h]	4_2_3595F71F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35925702 mov eax, dword ptr fs:[00000030h]	4_2_35925702
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35925702 mov eax, dword ptr fs:[00000030h]	4_2_35925702
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927703 mov eax, dword ptr fs:[00000030h]	4_2_35927703
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919730 mov eax, dword ptr fs:[00000030h]	4_2_35919730
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919730 mov eax, dword ptr fs:[00000030h]	4_2_35919730
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35955734 mov eax, dword ptr fs:[00000030h]	4_2_35955734
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h]	4_2_359FB73C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592973A mov eax, dword ptr fs:[00000030h]	4_2_3592973A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592973A mov eax, dword ptr fs:[00000030h]	4_2_3592973A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35923720 mov eax, dword ptr fs:[00000030h]	4_2_35923720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h]	4_2_3593F720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h]	4_2_3593F720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h]	4_2_3593F720
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF72E mov eax, dword ptr fs:[00000030h]	4_2_359DF72E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E972B mov eax, dword ptr fs:[00000030h]	4_2_359E972B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h]	4_2_359C375F
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h]	4_2_35933740
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h]	4_2_35933740
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h]	4_2_35933740
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F3749 mov eax, dword ptr fs:[00000030h]	4_2_359F3749
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h]	4_2_3591B765
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h]	4_2_359A368C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h]	4_2_359176B2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h]	4_2_359176B2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h]	4_2_359176B2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D6AA mov eax, dword ptr fs:[00000030h]	4_2_3591D6AA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D6AA mov eax, dword ptr fs:[00000030h]	4_2_3591D6AA
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3592B6C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h]	4_2_359E16CC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF6C7 mov eax, dword ptr fs:[00000030h]	4_2_359DF6C7
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359516CF mov eax, dword ptr fs:[00000030h]	4_2_359516CF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DD6F0 mov eax, dword ptr fs:[00000030h]	4_2_359DD6F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3594D6E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3594D6E0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h]	4_2_359B36EE
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35923616 mov eax, dword ptr fs:[00000030h]	4_2_35923616
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35923616 mov eax, dword ptr fs:[00000030h]	4_2_35923616
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35951607 mov eax, dword ptr fs:[00000030h]	4_2_35951607
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595F603 mov eax, dword ptr fs:[00000030h]	4_2_3595F603
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5636 mov eax, dword ptr fs:[00000030h]	4_2_359F5636
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h]	4_2_3591F626
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35959660 mov eax, dword ptr fs:[00000030h]	4_2_35959660
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35959660 mov eax, dword ptr fs:[00000030h]	4_2_35959660
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359BD660 mov eax, dword ptr fs:[00000030h]	4_2_359BD660
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35977190 mov eax, dword ptr fs:[00000030h]	4_2_35977190
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D5180 mov eax, dword ptr fs:[00000030h]	4_2_359D5180
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D5180 mov eax, dword ptr fs:[00000030h]	4_2_359D5180
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3593B1B0 mov eax, dword ptr fs:[00000030h]	4_2_3593B1B0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h]	4_2_359D11A4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D1D0 mov eax, dword ptr fs:[00000030h]	4_2_3595D1D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595D1D0 mov ecx, dword ptr fs:[00000030h]	4_2_3595D1D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F51CB mov eax, dword ptr fs:[00000030h]	4_2_359F51CB
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C71F9 mov esi, dword ptr fs:[00000030h]	4_2_359C71F9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h]	4_2_359451EF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F31E1 mov eax, dword ptr fs:[00000030h]	4_2_359F31E1
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359251ED mov eax, dword ptr fs:[00000030h]	4_2_359251ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921131 mov eax, dword ptr fs:[00000030h]	4_2_35921131
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35921131 mov eax, dword ptr fs:[00000030h]	4_2_35921131
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h]	4_2_3591B136
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F7120 mov eax, dword ptr fs:[00000030h]	4_2_359F7120
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927152 mov eax, dword ptr fs:[00000030h]	4_2_35927152
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5152 mov eax, dword ptr fs:[00000030h]	4_2_359F5152
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h]	4_2_35919148
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h]	4_2_359B3140
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h]	4_2_359B3140
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h]	4_2_359B3140
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B9179 mov eax, dword ptr fs:[00000030h]	4_2_359B9179
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h]	4_2_3591F172
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35925096 mov eax, dword ptr fs:[00000030h]	4_2_35925096
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D090 mov eax, dword ptr fs:[00000030h]	4_2_3594D090
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594D090 mov eax, dword ptr fs:[00000030h]	4_2_3594D090
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595909C mov eax, dword ptr fs:[00000030h]	4_2_3595909C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AD080 mov eax, dword ptr fs:[00000030h]	4_2_359AD080
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359AD080 mov eax, dword ptr fs:[00000030h]	4_2_359AD080
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D08D mov eax, dword ptr fs:[00000030h]	4_2_3591D08D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F50D9 mov eax, dword ptr fs:[00000030h]	4_2_359F50D9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359490DB mov eax, dword ptr fs:[00000030h]	4_2_359490DB
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]	4_2_359370C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D0C0 mov eax, dword ptr fs:[00000030h]	4_2_3599D0C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D0C0 mov eax, dword ptr fs:[00000030h]	4_2_3599D0C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359450E4 mov eax, dword ptr fs:[00000030h]	4_2_359450E4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359450E4 mov ecx, dword ptr fs:[00000030h]	4_2_359450E4
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]	4_2_359E903E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C705E mov ebx, dword ptr fs:[00000030h]	4_2_359C705E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C705E mov eax, dword ptr fs:[00000030h]	4_2_359C705E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B052 mov eax, dword ptr fs:[00000030h]	4_2_3594B052
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov ecx, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]	4_2_35931070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3599D070 mov ecx, dword ptr fs:[00000030h]	4_2_3599D070
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A106E mov eax, dword ptr fs:[00000030h]	4_2_359A106E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5060 mov eax, dword ptr fs:[00000030h]	4_2_359F5060
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F539D mov eax, dword ptr fs:[00000030h]	4_2_359F539D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3597739A mov eax, dword ptr fs:[00000030h]	4_2_3597739A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3597739A mov eax, dword ptr fs:[00000030h]	4_2_3597739A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]	4_2_359C13B9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]	4_2_359C13B9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]	4_2_359C13B9
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359433A5 mov eax, dword ptr fs:[00000030h]	4_2_359433A5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359533A0 mov eax, dword ptr fs:[00000030h]	4_2_359533A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359533A0 mov eax, dword ptr fs:[00000030h]	4_2_359533A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB3D0 mov ecx, dword ptr fs:[00000030h]	4_2_359DB3D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F53FC mov eax, dword ptr fs:[00000030h]	4_2_359F53FC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF3E6 mov eax, dword ptr fs:[00000030h]	4_2_359DF3E6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]	4_2_359A930B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]	4_2_359A930B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]	4_2_359A930B
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35917330 mov eax, dword ptr fs:[00000030h]	4_2_35917330
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E132D mov eax, dword ptr fs:[00000030h]	4_2_359E132D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E132D mov eax, dword ptr fs:[00000030h]	4_2_359E132D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F32A mov eax, dword ptr fs:[00000030h]	4_2_3594F32A
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919353 mov eax, dword ptr fs:[00000030h]	4_2_35919353
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919353 mov eax, dword ptr fs:[00000030h]	4_2_35919353
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D34C mov eax, dword ptr fs:[00000030h]	4_2_3591D34C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591D34C mov eax, dword ptr fs:[00000030h]	4_2_3591D34C
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5341 mov eax, dword ptr fs:[00000030h]	4_2_359F5341
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]	4_2_35927370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]	4_2_35927370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]	4_2_35927370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359C3370 mov eax, dword ptr fs:[00000030h]	4_2_359C3370
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF367 mov eax, dword ptr fs:[00000030h]	4_2_359DF367
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595329E mov eax, dword ptr fs:[00000030h]	4_2_3595329E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595329E mov eax, dword ptr fs:[00000030h]	4_2_3595329E
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5283 mov eax, dword ptr fs:[00000030h]	4_2_359F5283
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov eax, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov eax, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov ecx, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359A92BC mov ecx, dword ptr fs:[00000030h]	4_2_359A92BC
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]	4_2_359352A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]	4_2_359E92A6
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B72A0 mov eax, dword ptr fs:[00000030h]	4_2_359B72A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359B72A0 mov eax, dword ptr fs:[00000030h]	4_2_359B72A0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3591B2D3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3591B2D3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3591B2D3
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3594F2D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3594F2D0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3594B2C0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359292C5 mov eax, dword ptr fs:[00000030h]	4_2_359292C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359292C5 mov eax, dword ptr fs:[00000030h]	4_2_359292C5
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DF2F8 mov eax, dword ptr fs:[00000030h]	4_2_359DF2F8
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB2F0 mov eax, dword ptr fs:[00000030h]	4_2_359CB2F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359CB2F0 mov eax, dword ptr fs:[00000030h]	4_2_359CB2F0
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359192FF mov eax, dword ptr fs:[00000030h]	4_2_359192FF
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]	4_2_359D12ED
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F52E2 mov eax, dword ptr fs:[00000030h]	4_2_359F52E2
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957208 mov eax, dword ptr fs:[00000030h]	4_2_35957208
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35957208 mov eax, dword ptr fs:[00000030h]	4_2_35957208
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359F5227 mov eax, dword ptr fs:[00000030h]	4_2_359F5227
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB256 mov eax, dword ptr fs:[00000030h]	4_2_359DB256
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_359DB256 mov eax, dword ptr fs:[00000030h]	4_2_359DB256
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919240 mov eax, dword ptr fs:[00000030h]	4_2_35919240
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35919240 mov eax, dword ptr fs:[00000030h]	4_2_35919240
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_3595724D mov eax, dword ptr fs:[00000030h]	4_2_3595724D
Source: C:\Users\user\Desktop\450707124374000811.exe	Code function: 4_2_35949274 mov eax, dword ptr fs:[00000030h]	4_2_35949274

Source: C:\Users\user\Desktop\450707124374000811.exe

0_2_00403373

ID:	1538185
Product:	CloudBasic
Start time:	19:07:08
Start date:	20.10.2024
Sample:	450707124374000811.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	22aeab62009aaa9073b3159d7da1195e
SHA1:	602dd47b6910a522be90fc47d10d5c26a836a01a
SHA256:	1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	9625D5B1754BC4FF29281D415D27A0FD	80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0	C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Canton.Chr	data	D60DE2837DB415CC4F66B85247B99A5B	7C46A763764028D65B812909021A647305772AB0	3105B5A8590A4AEE190FFAAF4C84D09B123F08DD1B6F34677BBF1BB69AECC716
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Grundfladernes.Qua	data	12629C74AA6BCA8746FD8DB17EE09A8F	A0EECC9D844403FE34CB19B19AB2CE32202B77F3	209451B54F4D28E90AE8D1B6A073C1234236CCEE38870399027001F5E9E38908
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\img-1.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3	8C0739994C90303B65A05C6909A53B62	E43239AF385F8DED6EA2098D2A71A2AC9519E32B	7E1835782673A877C8A4FF9A4E9E88A23D8FA54077B6E7E1D70FBDE5F3A9D66B
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\nannie.tek	data	562A26D4A57C23D2AE8BD4DECE37E771	A9830E759E670EB8D4EFC5320A112E44ECB389BA	EDF2898EFF5E72AA11993272EB941C1CD992BB6243E4D2F5940BD88EDF9117CD
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\nonpendency.age	data	511E6E568EBCF13D5098054630C627AA	1B5AFC7023C138219737E23B00121C359BF8443F	204A44F0D3C3B63E36B3A4865C029552CCD8AC1EAD3507456BEC7886D724BA54
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\rimsmeds.txt	ASCII text, with CRLF line terminators	5D2F45598C5DAD8A461CECDA82CA550E	D594FFDAE11463E5E35170D27C611182F16E038C	65D3114548018688712A3B735E3B9BA63C2261A5DA9B6505D43378DE5E351B87
C:\Users\user\AppData\Roaming\pechay\transskribere\jon\skreddene.spo	data	4ECFFF116FE03C56DAD5B0EAE0279D00	18525703697F059B03F7A1F093317E62BAD43004	593BF06B816C8CACBA83C6CCECD0C3F0F164C4D9CC7F9B4EA7BF2EA2F0CD7906

Windows Analysis Report
450707124374000811.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report 450707124374000811.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
450707124374000811.exe

Malware Threat Intel
Provided by