
Analysis Report 2eD17GZuWs.exe

Overview

General Information

Sample Name: 2eD17GZuWs.exe
Analysis ID: 320425
MD5: c05eee88f0b57e853996957d6523397b
SHA1: fc16fa4ab9a88f7e2405eb9a77d168d9c1b7c8d3
SHA256: 7e70e44956cdb045fd7b5c66eca50996900059fd8851aa76be19a5dd492c6918
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 2eD17GZuWs.exe (PID: 4700 cmdline: 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: C05EEE88F0B57E853996957D6523397B)
    • 2eD17GZuWs.exe (PID: 2936 cmdline: 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: C05EEE88F0B57E853996957D6523397B)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • msiexec.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6244 cmdline: /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row)
0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x22bc:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x2970:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2eD17GZuWs.exe | Virustotal: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi | 13_2_01117295
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi | 13_2_011172A5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.4:49756 -> 103.125.191.5:80
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic | HTTP traffic detected:
  GET /bin_xMjelaYnr43.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: 103.125.191.5
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 103.125.191.5
Source: 2eD17GZuWs.exe, 00000001.00000002.928458563.000000000093D000.00000004.00000020.sdmp | String found in binary or memory: http://103.125.191.5/
Source: 2eD17GZuWs.exe | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
Source: 2eD17GZuWs.exe, 00000001.00000002.928446229.0000000000924000.00000004.00000020.sdmp | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.935388452.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 2eD17GZuWs.exe, 00000001.00000002.928394579.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: https://in_xMjelaYnr43.bin

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D5A6C NtProtectVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D06B1 NtSetInformationThread,TerminateProcess,CreateFileA
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D5336 NtSetInformationThread,LoadLibraryA
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D232A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D5F9F NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D078C NtWriteVirtualMemory,TerminateProcess
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D044B EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D54F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D260D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D6239 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D62C5 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D2705 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D6325 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D0F7D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D276A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D23D5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D5FC1 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D47EF NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D5FE5 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D6015 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D6039 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D5435 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D2455 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D6089 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D24BD NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D04B2 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D60D1 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D04CD NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D0516 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D6106 NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D0537 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D2531 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D059D NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D05D9 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 0_2_021D61ED NtResumeThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1895D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1899A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189650 NtQueryValueKey
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1896D0 NtCreateKey
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E18A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E18A770 NtOpenThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189770 NtSetInformationFile
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189760 NtOpenProcess
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189FE0 NtCreateMutant
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E18AD30 NtSetContextThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189560 NtWriteFile
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1895F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189A10 NtQuerySection
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189B00 NtSetValueKey
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E18A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189820 NtEnumerateKey
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E18B040 NtSuspendThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1898A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E189950 NtQueueApcThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_1E1899D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00565A6C NtProtectVirtualMemory
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00565F9F NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00566015 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00566039 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_005660D1 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00566089 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00566106 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_005661ED NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00566239 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_005662C5 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00566325 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00565FC1 NtSetInformationThread
Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Code function: 1_2_00565FE5 NtSetInformationThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051195D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0511AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119560 NtWriteFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051195F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0511A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119710 NtQueryInformationToken
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0511A770 NtOpenThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119760 NtOpenProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119780 NtMapViewOfSection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051197A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119650 NtQueryValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051196D0 NtCreateKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051199A0 NtCreateSection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051199D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0511B040 NtSuspendThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119840 NtDelayExecution
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051198A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051198F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119B00 NtSetValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0511A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119A10 NtQuerySection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119A20 NtResumeThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05119A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119D50 NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119F30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119E00 NtReadFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119E80 NtClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119D4B NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119DA4 NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119DFE NtReadFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119F2B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_01119E7A NtClose
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403858 0_2_00403858
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00401218 0_2_00401218
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403C2E 0_2_00403C2E
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403A59 0_2_00403A59
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403AEE 0_2_00403AEE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403A87 0_2_00403A87
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403B49 0_2_00403B49
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403B13 0_2_00403B13
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E166E30 1_2_1E166E30
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20D616 1_2_1E20D616
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E212EF7 1_2_1E212EF7
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E211FF1 1_2_1E211FF1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21DFCE 1_2_1E21DFCE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15841F 1_2_1E15841F
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20D466 1_2_1E20D466
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E212D07 1_2_1E212D07
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E140D20 1_2_1E140D20
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E211D55 1_2_1E211D55
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172581 1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15D5E0 1_2_1E15D5E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2125DD 1_2_1E2125DD
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FFA2B 1_2_1E1FFA2B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2122AE 1_2_1E2122AE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E212B28 1_2_1E212B28
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AB40 1_2_1E16AB40
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17EBB0 1_2_1E17EBB0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20DBD2 1_2_1E20DBD2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2003DA 1_2_1E2003DA
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21E824 1_2_1E21E824
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201002 1_2_1E201002
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16A830 1_2_1E16A830
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15B090 1_2_1E15B090
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2120A8 1_2_1E2120A8
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1720A0 1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2128EC 1_2_1E2128EC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14F900 1_2_1E14F900
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E164120 1_2_1E164120
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1699BF 1_2_1E1699BF
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A2D07 13_2_051A2D07
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D0D20 13_2_050D0D20
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A1D55 13_2_051A1D55
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102581 13_2_05102581
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A25DD 13_2_051A25DD
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050ED5E0 13_2_050ED5E0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E841F 13_2_050E841F
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519D466 13_2_0519D466
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051ADFCE 13_2_051ADFCE
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A1FF1 13_2_051A1FF1
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519D616 13_2_0519D616
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F6E30 13_2_050F6E30
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A2EF7 13_2_051A2EF7
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DF900 13_2_050DF900
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 13_2_050F4120
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191002 13_2_05191002
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051AE824 13_2_051AE824
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EB090 13_2_050EB090
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051020A0 13_2_051020A0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A20A8 13_2_051A20A8
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A28EC 13_2_051A28EC
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A2B28 13_2_051A2B28
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510EBB0 13_2_0510EBB0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051903DA 13_2_051903DA
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519DBD2 13_2_0519DBD2
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A22AE 13_2_051A22AE
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01102D90 13_2_01102D90
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111E5ED 13_2_0111E5ED
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111DF6E 13_2_0111DF6E
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CF93 13_2_0111CF93
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111D781 13_2_0111D781
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01102FB0 13_2_01102FB0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01109E30 13_2_01109E30
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01109E2C 13_2_01109E2C
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111DE55 13_2_0111DE55
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 050DB150 appears 45 times
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: String function: 1E14B150 appears 66 times
    Source: 2eD17GZuWs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: 2eD17GZuWs.exe, 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000000.00000002.691998474.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000002.933965294.000000001E3CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000002.928375557.00000000008D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000000.690796127.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
    Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@8/0@0/1
    Source: 2eD17GZuWs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 2eD17GZuWs.exe Virustotal: Detection: 25%
    Source: unknown Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknown Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
    Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: Binary string: msiexec.pdb source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp
    Source: Binary string: msiexec.pdbGCTL source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP source: 2eD17GZuWs.exe, 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, msiexec.exe, 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb source: 2eD17GZuWs.exe, msiexec.exe
    Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
    Yara detected VB6 Downloader Generic
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040984F push ecx; retf 0_2_004098B0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00409D50 push edi; ret 0_2_00409D5D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00409D55 push edi; ret 0_2_00409D5D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406910 pushad ; iretd 0_2_00406914
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_004069F5 push EF15CAC2h; ret 0_2_00406A05
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040759B push FFFFFFC6h; ret 0_2_004075A2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406653 pushad ; iretd 0_2_00406654
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406A98 pushfd ; ret 0_2_00406A9A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_004082AF push FFFFFFDAh; ret 0_2_004082B2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040A3DA push ecx; retf 0_2_0040A3DC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00407FAA push esp; ret 0_2_00407FB1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00407FB3 push ecx; retf 0_2_00407FBC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E19D0D1 push ecx; ret 1_2_1E19D0E4
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0512D0D1 push ecx; ret 13_2_0512D0E4
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_011169BB push esi; ret 13_2_011169BC
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0110AB07 push ds; retf 13_2_0110AB09
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CF5C push eax; ret 13_2_0111CF62
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01114E05 push ss; retf 13_2_01114E06
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEA5 push eax; ret 13_2_0111CEF8
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEF2 push eax; ret 13_2_0111CEF8
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEFB push eax; ret 13_2_0111CF62
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA87CCF90B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA87CCF908Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA87CCF90FCh 0x00000043 call 00007FA87CCF90CAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\qga\qga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: 2eD17GZuWs.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F13 second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000000d test al, bl 0x0000000f test bx, cx 0x00000012 test ecx, ebx 0x00000014 test bx, cx 0x00000017 call 00007FA87CD1247Ch 0x0000001c call 00007FA87CD1244Ah 0x00000021 lfence 0x00000024 mov edx, dword ptr [7FFE0014h] 0x0000002a lfence 0x0000002d ret 0x0000002e mov esi, edx 0x00000030 pushad 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA87CCF90B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA87CCF908Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA87CCF90FCh 0x00000043 call 00007FA87CCF90CAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4FA0 second address: 00000000021D4FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA87CD1284Dh 0x0000001f popad 0x00000020 call 00007FA87CD12521h 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 0000000000564FA0 second address: 0000000000564FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA87CCF94CDh 0x0000001f popad 0x00000020 call 00007FA87CCF91A1h 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000011098E4 second address: 00000000011098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 0000000001109B4E second address: 0000000001109B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B rdtsc 0_2_021D044B
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 0000000A.00000000.894315754.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: 2eD17GZuWs.exe, 00000001.00000003.927010291.0000000000948000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
    Source: explorer.exe, 0000000A.00000002.940809736.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
    Source: 2eD17GZuWs.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information queried: ProcessInformation

    Anti Debugging:

    Contains functionality to hide a thread from the debugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D06B1 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000 0_2_021D06B1
    Hides threads from debuggers
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort
    Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B rdtsc 0_2_021D044B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D3746 LdrInitializeThunk, 0_2_021D3746
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D54F4 mov eax, dword ptr fs:[00000030h] 0_2_021D54F4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D1E09 mov eax, dword ptr fs:[00000030h] 0_2_021D1E09
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D1721 mov eax, dword ptr fs:[00000030h] 0_2_021D1721
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D1C16 mov eax, dword ptr fs:[00000030h] 0_2_021D1C16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D4802 mov eax, dword ptr fs:[00000030h] 0_2_021D4802
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D4CBB mov eax, dword ptr fs:[00000030h] 0_2_021D4CBB
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5531 mov eax, dword ptr fs:[00000030h] 0_2_021D5531
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D29C8 mov eax, dword ptr fs:[00000030h] 0_2_021D29C8
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h] 1_2_1E17A61C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h] 1_2_1E17A61C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h] 1_2_1E14C600
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h] 1_2_1E14C600
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h] 1_2_1E14C600
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E178E00 mov eax, dword ptr fs:[00000030h] 1_2_1E178E00
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FFE3F mov eax, dword ptr fs:[00000030h] 1_2_1E1FFE3F
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201608 mov eax, dword ptr fs:[00000030h] 1_2_1E201608
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14E620 mov eax, dword ptr fs:[00000030h] 1_2_1E14E620
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E20AE44
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E20AE44
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15766D mov eax, dword ptr fs:[00000030h] 1_2_1E15766D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E210EA5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E210EA5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E210EA5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DFE87 mov eax, dword ptr fs:[00000030h] 1_2_1E1DFE87
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C46A7 mov eax, dword ptr fs:[00000030h] 1_2_1E1C46A7
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1736CC mov eax, dword ptr fs:[00000030h] 1_2_1E1736CC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E1FFEC0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E188EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E188EC7
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E218ED6
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1716E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E1716E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1576E2 mov eax, dword ptr fs:[00000030h] 1_2_1E1576E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16F716 mov eax, dword ptr fs:[00000030h] 1_2_1E16F716
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E1DFF10
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E1DFF10
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h] 1_2_1E17A70E
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h] 1_2_1E17A70E
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17E730 mov eax, dword ptr fs:[00000030h] 1_2_1E17E730
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h] 1_2_1E21070D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h] 1_2_1E21070D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h] 1_2_1E144F2E
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h] 1_2_1E144F2E
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218F6A mov eax, dword ptr fs:[00000030h] 1_2_1E218F6A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15EF40 mov eax, dword ptr fs:[00000030h] 1_2_1E15EF40
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15FF60 mov eax, dword ptr fs:[00000030h] 1_2_1E15FF60
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E158794 mov eax, dword ptr fs:[00000030h] 1_2_1E158794
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7794
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7794
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7794
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1837F5 mov eax, dword ptr fs:[00000030h] 1_2_1E1837F5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]1_2_1E21740D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]1_2_1E21740D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]1_2_1E21740D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17BC2C mov eax, dword ptr fs:[00000030h]1_2_1E17BC2C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h]1_2_1E1DC450
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h]1_2_1E1DC450
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A44B mov eax, dword ptr fs:[00000030h]1_2_1E17A44B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16746D mov eax, dword ptr fs:[00000030h]1_2_1E16746D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15849B mov eax, dword ptr fs:[00000030h]1_2_1E15849B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2014FB mov eax, dword ptr fs:[00000030h]1_2_1E2014FB
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E1C6CF0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E1C6CF0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E1C6CF0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218CD6 mov eax, dword ptr fs:[00000030h]1_2_1E218CD6
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218D34 mov eax, dword ptr fs:[00000030h]1_2_1E218D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20E539 mov eax, dword ptr fs:[00000030h]1_2_1E20E539
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AD30 mov eax, dword ptr fs:[00000030h]1_2_1E14AD30
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1CA537 mov eax, dword ptr fs:[00000030h]1_2_1E1CA537
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]1_2_1E174D3B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]1_2_1E174D3B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]1_2_1E174D3B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E167D50 mov eax, dword ptr fs:[00000030h]1_2_1E167D50
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E183D43 mov eax, dword ptr fs:[00000030h]1_2_1E183D43
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3540 mov eax, dword ptr fs:[00000030h]1_2_1E1C3540
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1F3D40 mov eax, dword ptr fs:[00000030h]1_2_1E1F3D40
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h]1_2_1E16C577
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h]1_2_1E16C577
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h]1_2_1E17FD9B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h]1_2_1E17FD9B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h]1_2_1E2105AC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h]1_2_1E2105AC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]1_2_1E171DB5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]1_2_1E171DB5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]1_2_1E171DB5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1735A1 mov eax, dword ptr fs:[00000030h]1_2_1E1735A1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov ecx, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1F8DF1 mov eax, dword ptr fs:[00000030h]1_2_1E1F8DF1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]1_2_1E15D5E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]1_2_1E15D5E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h]1_2_1E14AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h]1_2_1E14AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov ecx, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E163A1C mov eax, dword ptr fs:[00000030h]1_2_1E163A1C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E158A0A mov eax, dword ptr fs:[00000030h]1_2_1E158A0A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h]1_2_1E184A2C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h]1_2_1E184A2C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h]1_2_1E20AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h]1_2_1E20AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
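Every row above is the same primitive: a `mov` from `fs:[30h]`, which on 32-bit Windows is the `ProcessEnvironmentBlock` pointer in the TEB. Reading the PEB is how position-independent code finds `Ldr` (loaded module list, used to resolve APIs without an import table) and how anti-analysis code checks `BeingDebugged` and `NtGlobalFlag`, so the number of reads per function is a useful first triage signal: a function that touches the PEB a dozen times (1_2_1E201C06, 1_2_1E153D34) is a better place to start reversing than one that reads it once. The script below is an added example, not part of the sandbox report; it parses rows in the fused form the page extraction produced, maps the `fs:` offset to the TEB field it names, and ranks functions by PEB-read count. The rows in `SAMPLE_ROWS` are copied from the listing above except the last one, which is a constructed row with a made-up function id (`1_2_DEADBEEF`) and a different TEB offset, included only to show that non-PEB reads are classified separately.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input. The first seven rows are copied from the report's
# listing; the last row is invented (hypothetical id 1_2_DEADBEEF, fs:[18h])
# so that the non-PEB path is exercised.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]1_2_1E210EA5",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]1_2_1E210EA5",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]1_2_1E210EA5",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DFE87 mov eax, dword ptr fs:[00000030h]1_2_1E1DFE87",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1716E0 mov ecx, dword ptr fs:[00000030h]1_2_1E1716E0",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06",
    r"Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_DEADBEEF mov eax, dword ptr fs:[00000018h]1_2_DEADBEEF",
]

# x86 (32-bit) TEB offsets that shellcode and anti-debug code read via fs:.
TEB_FIELDS: Dict[int, str] = {
    0x00: "NtTib.ExceptionList (SEH chain head)",
    0x18: "NtTib.Self (linear TEB address)",
    0x2C: "ThreadLocalStoragePointer",
    0x30: "ProcessEnvironmentBlock",
    0x34: "LastErrorValue",
}

# Tolerates the fused "...exeCode function:" form and the spaced form alike;
# the trailing duplicate id after the operand is simply not captured.
ROW_RE = re.compile(
    r"Code function:\s*(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"mov\s+(?P<reg>[a-z]{2,3}),\s*dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]"
)


def classify_offset(off: int) -> str:
    """Name the TEB field behind an fs: offset, or mark it unknown."""
    return TEB_FIELDS.get(off, f"unknown TEB offset 0x{off:X}")


def parse_rows(rows: List[str]) -> List[dict]:
    """Turn report rows into records; rows that are not fs: reads are skipped."""
    hits = []
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        pid, stage, addr = m.group("func").split("_")
        off = int(m.group("off"), 16)
        hits.append({
            "func": m.group("func"),
            "pid": int(pid),            # sandbox process number, e.g. 1
            "stage": int(stage),        # analysis phase, e.g. 2
            "address": int(addr, 16),   # function start VA
            "reg": m.group("reg"),
            "offset": off,
            "field": classify_offset(off),
        })
    return hits


def summarize(hits: List[dict]) -> dict:
    """Count PEB reads per function plus register and field usage overall."""
    return {
        "peb_reads": Counter(h["func"] for h in hits if h["offset"] == 0x30),
        "registers": Counter(h["reg"] for h in hits),
        "fields": Counter(h["field"] for h in hits),
        "total": len(hits),
    }


def hotspots(hits: List[dict], min_reads: int = 2) -> List[str]:
    """Functions that read the PEB at least min_reads times, busiest first."""
    counts = summarize(hits)["peb_reads"]
    return [f for f, n in counts.most_common() if n >= min_reads]


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    s = summarize(recs)
    print("fs: reads parsed:", s["total"])
    for field, n in s["fields"].most_common():
        print(f"  {n:3d}  {field}")
    print("PEB hotspots (>=2 reads):", hotspots(recs))
```

Run it against the full listing (paste the rows into `SAMPLE_ROWS` or read them from a file) to get the per-function ranking; the register column matters less than the count, since `ecx` versus `eax` only reflects compiler or shellcode register allocation.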