Analysis Report Order 122001-220 guanzo.exe

AV Detection:

Found malware configuration

Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.uuoouu-90.store/meub/"], "decoy": ["ebookcu.com", "sherwooddaydesigns.com", "healthcarebb.com", "pixelflydesigns.com", "youtegou.net", "audiokeychin.com", "rioranchoeventscenter.com", "nickofolas.com", "comicstattoosnguns.com", "ally.tech", "paperplaneexplorer.com", "janetkk.com", "sun1981.com", "pocopage.com", "shortagegoal.com", "tbluelinux.com", "servantsheartvalet.com", "jkhushal.com", "91huangyu.com", "portlandconservatory.net", "crazyasskaren.com", "gr8.photos", "silviabiasiolipatisserie.com", "goeseo.com", "shellyluther.com", "salvemosalsuroeste.com", "technologies.email", "xn--80aasvjfhla.xn--p1acf", "dmowang.com", "mylifeusaaatworkportal.com", "electronicszap.com", "thefrankversion.com", "patricksparber.com", "m-kenterprises.com", "goodcreditcardshome.info", "shegotit.club", "nutinbutter.com", "bridgestreetresources.com", "tjanyancha.com", "qqstoneandcabinet.com", "topstitch.info", "shadyshainarae.com", "meucamarimoficial.com", "gatedless.net", "aal888.com", "tstcongo.com", "luckyladybugnailswithlisa.com", "usapersonalshopper.com", "893645tuerigjo.com", "pbjengineering.com", "katbumydbnjk.mobi", "bostonm.info", "amesshop.com", "k-9homefinders.com", "philbaileyrealestate.com", "ahxinnuojie.com", "ardougne.com", "pasteleriaruth.com", "vauvakuumettapodcast.com", "aryamakoran.com", "digitalspacepod.com", "clarkstrain.com", "plantbasedranch.com", "therapylightclub.com"]}

Multi AV Scanner detection for submitted file

Source: Order 122001-220 guanzo.exe	Virustotal: Detection: 62%			Perma Link
Source: Order 122001-220 guanzo.exe	Metadefender: Detection: 32%			Perma Link
Source: Order 122001-220 guanzo.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Order 122001-220 guanzo.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Order 122001-220 guanzo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Order 122001-220 guanzo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Order 122001-220 guanzo.exe, 00000001.00000002.708808706.00000000019DF000.00000040.00000001.sdmp, mstsc.exe, 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Order 122001-220 guanzo.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 4x nop then pop esi		1_2_00415838
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop esi		3_2_00855838

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49721 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49721 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49721 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49724 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49724 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49724 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49726 -> 104.164.26.246:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49726 -> 104.164.26.246:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49726 -> 104.164.26.246:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49728 -> 18.219.49.238:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49728 -> 18.219.49.238:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49728 -> 18.219.49.238:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49729 -> 162.241.62.63:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49729 -> 162.241.62.63:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49729 -> 162.241.62.63:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.uuoouu-90.store/meub/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=QUeAVjOekbDfJHkoX1fEShfTueYawgYx/upvqY2KU2Y9ees5c1/xq3BWwCfJvPCdwXre HTTP/1.1Host: www.comicstattoosnguns.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=F4zWwb5Q9DmjBwYPj4pXutYCzYEQVONbMin29ERkoE+ZXMdA8ttbKylRMOj5c1Wk3PTt&6lt4=M6ATVT20FLj HTTP/1.1Host: www.goeseo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSgcH90A9/Nib HTTP/1.1Host: www.shadyshainarae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=xRifbL4BvWher3OHgQRKthYl2aDcqb2ql1CEYfUIGij2TzekdjVq3iFcomd6Mb6Rt5kB&6lt4=M6ATVT20FLj HTTP/1.1Host: www.thefrankversion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=HA9QI0xR/eIEayTgXNJLcHJwamOlS6+rzTzzM4lOubNr4vQrzt8Snda4qRdcgxMYmUWA HTTP/1.1Host: www.tjanyancha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=VqHNClkDyt9S09rmrtZFTmOk0wmUkkyZtURD8RLTEyQOquxMghQjpEd/0gJKSXCP8Z6X&6lt4=M6ATVT20FLj HTTP/1.1Host: www.dmowang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=9ZO5voGbPxiLxNlgiLAc+dZNiPLY07W/lgUO8wfbTKsVjaeGgcbK9o/DChjFDdb4OPcD&6lt4=M6ATVT20FLj HTTP/1.1Host: www.pocopage.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=DPnd9be3H9/Wrgpowt0tpNLwJs/XJA2QjoJDXsDZ4FmTGUIfdjkf0y045evUyzXtuHZk&6lt4=M6ATVT20FLj HTTP/1.1Host: www.goodcreditcardshome.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox HTTP/1.1Host: www.pasteleriaruth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=wuaJ69bwL+iBa6D7QaSRhbV0uekkoXOmRMeqk599uDu+rKjL/28r+d/9hZ/YryEoMLIX&6lt4=M6ATVT20FLj HTTP/1.1Host: www.amesshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.54.117.216 198.54.117.216

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=QUeAVjOekbDfJHkoX1fEShfTueYawgYx/upvqY2KU2Y9ees5c1/xq3BWwCfJvPCdwXre HTTP/1.1Host: www.comicstattoosnguns.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=F4zWwb5Q9DmjBwYPj4pXutYCzYEQVONbMin29ERkoE+ZXMdA8ttbKylRMOj5c1Wk3PTt&6lt4=M6ATVT20FLj HTTP/1.1Host: www.goeseo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSgcH90A9/Nib HTTP/1.1Host: www.shadyshainarae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=xRifbL4BvWher3OHgQRKthYl2aDcqb2ql1CEYfUIGij2TzekdjVq3iFcomd6Mb6Rt5kB&6lt4=M6ATVT20FLj HTTP/1.1Host: www.thefrankversion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=HA9QI0xR/eIEayTgXNJLcHJwamOlS6+rzTzzM4lOubNr4vQrzt8Snda4qRdcgxMYmUWA HTTP/1.1Host: www.tjanyancha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=VqHNClkDyt9S09rmrtZFTmOk0wmUkkyZtURD8RLTEyQOquxMghQjpEd/0gJKSXCP8Z6X&6lt4=M6ATVT20FLj HTTP/1.1Host: www.dmowang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=9ZO5voGbPxiLxNlgiLAc+dZNiPLY07W/lgUO8wfbTKsVjaeGgcbK9o/DChjFDdb4OPcD&6lt4=M6ATVT20FLj HTTP/1.1Host: www.pocopage.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=DPnd9be3H9/Wrgpowt0tpNLwJs/XJA2QjoJDXsDZ4FmTGUIfdjkf0y045evUyzXtuHZk&6lt4=M6ATVT20FLj HTTP/1.1Host: www.goodcreditcardshome.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox HTTP/1.1Host: www.pasteleriaruth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?ktI=wuaJ69bwL+iBa6D7QaSRhbV0uekkoXOmRMeqk599uDu+rKjL/28r+d/9hZ/YryEoMLIX&6lt4=M6ATVT20FLj HTTP/1.1Host: www.amesshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.paperplaneexplorer.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 May 2021 08:51:24 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei

URLs found in memory or binary data

Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672299597.0000000002541000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000002.932522691.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp	String found in binary or memory: https://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp	String found in binary or memory: https://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7S

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order 122001-220 guanzo.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_004181C0 NtCreateFile,		1_2_004181C0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00418270 NtReadFile,		1_2_00418270
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_004182F0 NtClose,		1_2_004182F0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_004183A0 NtAllocateVirtualMemory,		1_2_004183A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_004181BC NtCreateFile,		1_2_004181BC
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041826A NtReadFile,		1_2_0041826A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_004182EC NtClose,		1_2_004182EC
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041839B NtAllocateVirtualMemory,		1_2_0041839B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019299A0 NtCreateSection,LdrInitializeThunk,		1_2_019299A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019295D0 NtClose,LdrInitializeThunk,		1_2_019295D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929910 NtAdjustPrivilegesToken,LdrInitializeThunk,		1_2_01929910
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929540 NtReadFile,LdrInitializeThunk,		1_2_01929540
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019298F0 NtReadVirtualMemory,LdrInitializeThunk,		1_2_019298F0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929840 NtDelayExecution,LdrInitializeThunk,		1_2_01929840
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929860 NtQuerySystemInformation,LdrInitializeThunk,		1_2_01929860
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929780 NtMapViewOfSection,LdrInitializeThunk,		1_2_01929780
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019297A0 NtUnmapViewOfSection,LdrInitializeThunk,		1_2_019297A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929FE0 NtCreateMutant,LdrInitializeThunk,		1_2_01929FE0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929710 NtQueryInformationToken,LdrInitializeThunk,		1_2_01929710
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019296E0 NtFreeVirtualMemory,LdrInitializeThunk,		1_2_019296E0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929A00 NtProtectVirtualMemory,LdrInitializeThunk,		1_2_01929A00
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929A20 NtResumeThread,LdrInitializeThunk,		1_2_01929A20
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929A50 NtCreateFile,LdrInitializeThunk,		1_2_01929A50
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929660 NtAllocateVirtualMemory,LdrInitializeThunk,		1_2_01929660
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019299D0 NtCreateProcessEx,		1_2_019299D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019295F0 NtQueryInformationFile,		1_2_019295F0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0192AD30 NtSetContextThread,		1_2_0192AD30
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929520 NtWaitForSingleObject,		1_2_01929520
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929950 NtQueueApcThread,		1_2_01929950
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929560 NtWriteFile,		1_2_01929560
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019298A0 NtWriteVirtualMemory,		1_2_019298A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929820 NtEnumerateKey,		1_2_01929820
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0192B040 NtSuspendThread,		1_2_0192B040
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0192A3B0 NtGetContextThread,		1_2_0192A3B0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0192A710 NtOpenProcessToken,		1_2_0192A710
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929B00 NtSetValueKey,		1_2_01929B00
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929730 NtQueryVirtualMemory,		1_2_01929730
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929770 NtSetInformationFile,		1_2_01929770
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0192A770 NtOpenThread,		1_2_0192A770
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929760 NtOpenProcess,		1_2_01929760
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929A80 NtOpenDirectoryObject,		1_2_01929A80
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019296D0 NtCreateKey,		1_2_019296D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929610 NtEnumerateValueKey,		1_2_01929610
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929A10 NtQuerySection,		1_2_01929A10
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929650 NtQueryValueKey,		1_2_01929650
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01929670 NtQueryInformationProcess,		1_2_01929670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19860 NtQuerySystemInformation,LdrInitializeThunk,		3_2_04B19860
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19840 NtDelayExecution,LdrInitializeThunk,		3_2_04B19840
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B199A0 NtCreateSection,LdrInitializeThunk,		3_2_04B199A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B195D0 NtClose,LdrInitializeThunk,		3_2_04B195D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19910 NtAdjustPrivilegesToken,LdrInitializeThunk,		3_2_04B19910
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19540 NtReadFile,LdrInitializeThunk,		3_2_04B19540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B196E0 NtFreeVirtualMemory,LdrInitializeThunk,		3_2_04B196E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B196D0 NtCreateKey,LdrInitializeThunk,		3_2_04B196D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19660 NtAllocateVirtualMemory,LdrInitializeThunk,		3_2_04B19660
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19650 NtQueryValueKey,LdrInitializeThunk,		3_2_04B19650
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19A50 NtCreateFile,LdrInitializeThunk,		3_2_04B19A50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19780 NtMapViewOfSection,LdrInitializeThunk,		3_2_04B19780
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19FE0 NtCreateMutant,LdrInitializeThunk,		3_2_04B19FE0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19710 NtQueryInformationToken,LdrInitializeThunk,		3_2_04B19710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B198A0 NtWriteVirtualMemory,		3_2_04B198A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B198F0 NtReadVirtualMemory,		3_2_04B198F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19820 NtEnumerateKey,		3_2_04B19820
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B1B040 NtSuspendThread,		3_2_04B1B040
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B195F0 NtQueryInformationFile,		3_2_04B195F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B199D0 NtCreateProcessEx,		3_2_04B199D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B1AD30 NtSetContextThread,		3_2_04B1AD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19520 NtWaitForSingleObject,		3_2_04B19520
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19560 NtWriteFile,		3_2_04B19560
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19950 NtQueueApcThread,		3_2_04B19950
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19A80 NtOpenDirectoryObject,		3_2_04B19A80
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19A20 NtResumeThread,		3_2_04B19A20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19610 NtEnumerateValueKey,		3_2_04B19610
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19A10 NtQuerySection,		3_2_04B19A10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19A00 NtProtectVirtualMemory,		3_2_04B19A00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19670 NtQueryInformationProcess,		3_2_04B19670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B1A3B0 NtGetContextThread,		3_2_04B1A3B0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B197A0 NtUnmapViewOfSection,		3_2_04B197A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19730 NtQueryVirtualMemory,		3_2_04B19730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B1A710 NtOpenProcessToken,		3_2_04B1A710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19B00 NtSetValueKey,		3_2_04B19B00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19770 NtSetInformationFile,		3_2_04B19770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B1A770 NtOpenThread,		3_2_04B1A770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B19760 NtOpenProcess,		3_2_04B19760
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_008581C0 NtCreateFile,		3_2_008581C0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_008582F0 NtClose,		3_2_008582F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00858270 NtReadFile,		3_2_00858270
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_008583A0 NtAllocateVirtualMemory,		3_2_008583A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_008581BC NtCreateFile,		3_2_008581BC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_008582EC NtClose,		3_2_008582EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085826A NtReadFile,		3_2_0085826A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085839B NtAllocateVirtualMemory,		3_2_0085839B

Detected potential crypto function

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADBB268		0_2_0ADBB268
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB3AB8		0_2_0ADB3AB8
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB3A60		0_2_0ADB3A60
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB4B70		0_2_0ADB4B70
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB4B61		0_2_0ADB4B61
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB4888		0_2_0ADB4888
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB3440		0_2_0ADB3440
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB0040		0_2_0ADB0040
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB4877		0_2_0ADB4877
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB6C18		0_2_0ADB6C18
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB3411		0_2_0ADB3411
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB6C08		0_2_0ADB6C08
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB0007		0_2_0ADB0007
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB8998		0_2_0ADB8998
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 0_2_0ADB8988		0_2_0ADB8988
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00401027		1_2_00401027
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041C82E		1_2_0041C82E
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00401030		1_2_00401030
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041A2A6		1_2_0041A2A6
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041BABD		1_2_0041BABD
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00408C60		1_2_00408C60
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00408C1A		1_2_00408C1A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041B504		1_2_0041B504
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00402D90		1_2_00402D90
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041CE2B		1_2_0041CE2B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00402FB0		1_2_00402FB0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912581		1_2_01912581
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B25DD		1_2_019B25DD
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FD5E0		1_2_018FD5E0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EF900		1_2_018EF900
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B2D07		1_2_019B2D07
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E0D20		1_2_018E0D20
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01904120		1_2_01904120
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B1D55		1_2_019B1D55
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FB090		1_2_018FB090
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B20A8		1_2_019B20A8
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F841F		1_2_018F841F
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1002		1_2_019A1002
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191EBB0		1_2_0191EBB0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019ADBD2		1_2_019ADBD2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B1FF1		1_2_019B1FF1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B2B28		1_2_019B2B28
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B22AE		1_2_019B22AE
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B2EF7		1_2_019B2EF7
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01906E30		1_2_01906E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA20A8		3_2_04BA20A8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEB090		3_2_04AEB090
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE841F		3_2_04AE841F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91002		3_2_04B91002
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02581		3_2_04B02581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AED5E0		3_2_04AED5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD0D20		3_2_04AD0D20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF4120		3_2_04AF4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADF900		3_2_04ADF900
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA2D07		3_2_04BA2D07
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA1D55		3_2_04BA1D55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA22AE		3_2_04BA22AE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA2EF7		3_2_04BA2EF7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF6E30		3_2_04AF6E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0EBB0		3_2_04B0EBB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA1FF1		3_2_04BA1FF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9DBD2		3_2_04B9DBD2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA2B28		3_2_04BA2B28
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085C82E		3_2_0085C82E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085A2A6		3_2_0085A2A6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00848C1A		3_2_00848C1A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00848C60		3_2_00848C60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00842D90		3_2_00842D90
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085B504		3_2_0085B504
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085CE2B		3_2_0085CE2B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00842FB0		3_2_00842FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 04ADB150 appears 35 times
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: String function: 018EB150 appears 35 times

Sample file is different than original file name gathered from version info

Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs Order 122001-220 guanzo.exe
Source: Order 122001-220 guanzo.exe, 00000000.00000000.663743680.0000000000128000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDispIdAttribute.exe0 vs Order 122001-220 guanzo.exe
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Order 122001-220 guanzo.exe
Source: Order 122001-220 guanzo.exe, 00000001.00000002.708232981.0000000000F08000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDispIdAttribute.exe0 vs Order 122001-220 guanzo.exe
Source: Order 122001-220 guanzo.exe, 00000001.00000002.709376627.0000000003653000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs Order 122001-220 guanzo.exe
Source: Order 122001-220 guanzo.exe, 00000001.00000002.708808706.00000000019DF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Order 122001-220 guanzo.exe
Source: Order 122001-220 guanzo.exe	Binary or memory string: OriginalFilenameDispIdAttribute.exe0 vs Order 122001-220 guanzo.exe

Uses 32bit PE files

Source: Order 122001-220 guanzo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Order 122001-220 guanzo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@13/7

Creates files inside the user directory

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 122001-220 guanzo.exe.log

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:808:120:WilError_01

PE file has an executable .text section and no other executable section

Source: Order 122001-220 guanzo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Sample is known by Antivirus

Source: Order 122001-220 guanzo.exe	Virustotal: Detection: 62%
Source: Order 122001-220 guanzo.exe	Metadefender: Detection: 32%
Source: Order 122001-220 guanzo.exe	ReversingLabs: Detection: 65%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe C:\Users\user\Desktop\Order 122001-220 guanzo.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe C:\Users\user\Desktop\Order 122001-220 guanzo.exe			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'			Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: Order 122001-220 guanzo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Order 122001-220 guanzo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Order 122001-220 guanzo.exe, 00000001.00000002.708808706.00000000019DF000.00000040.00000001.sdmp, mstsc.exe, 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Order 122001-220 guanzo.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041B3B5 push eax; ret		1_2_0041B408
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041B46C push eax; ret		1_2_0041B472
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041B402 push eax; ret		1_2_0041B408
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0041B40B push eax; ret		1_2_0041B472
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00414DB2 push ebx; retf		1_2_00414DBB
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_00416ED7 push es; ret		1_2_00416ED8
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0193D0D1 push ecx; ret		1_2_0193D0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B2D0D1 push ecx; ret		3_2_04B2D0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085B3B5 push eax; ret		3_2_0085B408
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085B402 push eax; ret		3_2_0085B408
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085B40B push eax; ret		3_2_0085B472
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0085B46C push eax; ret		3_2_0085B472
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00854DB2 push ebx; retf		3_2_00854DBB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00856ED7 push es; ret		3_2_00856ED8

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.76742936293

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order 122001-220 guanzo.exe PID: 864, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 00000000008485E4 second address: 00000000008485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 000000000084897E second address: 0000000000848984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Code function: 1_2_004088B0 rdtsc

1_2_004088B0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe TID: 4660	Thread sleep time: -101967s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe TID: 4944	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 5588	Thread sleep time: -50000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 6076	Thread sleep time: -52000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Thread delayed: delay time: 101967			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000002.00000000.693486523.000000000A716000.00000004.00000001.sdmp	Binary or memory string: 6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&^
Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.693144077.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.685203487.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.693144077.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000002.939807233.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000002.00000000.693486523.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000002.00000000.693679167.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Code function: 1_2_004088B0 rdtsc

1_2_004088B0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Code function: 1_2_00409B20 LdrLoadDll,

1_2_00409B20

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912990 mov eax, dword ptr fs:[00000030h]		1_2_01912990
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E2D8A mov eax, dword ptr fs:[00000030h]		1_2_018E2D8A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E2D8A mov eax, dword ptr fs:[00000030h]		1_2_018E2D8A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E2D8A mov eax, dword ptr fs:[00000030h]		1_2_018E2D8A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E2D8A mov eax, dword ptr fs:[00000030h]		1_2_018E2D8A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E2D8A mov eax, dword ptr fs:[00000030h]		1_2_018E2D8A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191FD9B mov eax, dword ptr fs:[00000030h]		1_2_0191FD9B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191FD9B mov eax, dword ptr fs:[00000030h]		1_2_0191FD9B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912581 mov eax, dword ptr fs:[00000030h]		1_2_01912581
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912581 mov eax, dword ptr fs:[00000030h]		1_2_01912581
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912581 mov eax, dword ptr fs:[00000030h]		1_2_01912581
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912581 mov eax, dword ptr fs:[00000030h]		1_2_01912581
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190C182 mov eax, dword ptr fs:[00000030h]		1_2_0190C182
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191A185 mov eax, dword ptr fs:[00000030h]		1_2_0191A185
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01911DB5 mov eax, dword ptr fs:[00000030h]		1_2_01911DB5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01911DB5 mov eax, dword ptr fs:[00000030h]		1_2_01911DB5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01911DB5 mov eax, dword ptr fs:[00000030h]		1_2_01911DB5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019651BE mov eax, dword ptr fs:[00000030h]		1_2_019651BE
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019651BE mov eax, dword ptr fs:[00000030h]		1_2_019651BE
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019651BE mov eax, dword ptr fs:[00000030h]		1_2_019651BE
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019651BE mov eax, dword ptr fs:[00000030h]		1_2_019651BE
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019135A1 mov eax, dword ptr fs:[00000030h]		1_2_019135A1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019669A6 mov eax, dword ptr fs:[00000030h]		1_2_019669A6
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019161A0 mov eax, dword ptr fs:[00000030h]		1_2_019161A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019161A0 mov eax, dword ptr fs:[00000030h]		1_2_019161A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B05AC mov eax, dword ptr fs:[00000030h]		1_2_019B05AC
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B05AC mov eax, dword ptr fs:[00000030h]		1_2_019B05AC
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966DC9 mov eax, dword ptr fs:[00000030h]		1_2_01966DC9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966DC9 mov eax, dword ptr fs:[00000030h]		1_2_01966DC9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966DC9 mov eax, dword ptr fs:[00000030h]		1_2_01966DC9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966DC9 mov ecx, dword ptr fs:[00000030h]		1_2_01966DC9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966DC9 mov eax, dword ptr fs:[00000030h]		1_2_01966DC9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966DC9 mov eax, dword ptr fs:[00000030h]		1_2_01966DC9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01998DF1 mov eax, dword ptr fs:[00000030h]		1_2_01998DF1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EB1E1 mov eax, dword ptr fs:[00000030h]		1_2_018EB1E1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EB1E1 mov eax, dword ptr fs:[00000030h]		1_2_018EB1E1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EB1E1 mov eax, dword ptr fs:[00000030h]		1_2_018EB1E1
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FD5E0 mov eax, dword ptr fs:[00000030h]		1_2_018FD5E0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FD5E0 mov eax, dword ptr fs:[00000030h]		1_2_018FD5E0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AFDE2 mov eax, dword ptr fs:[00000030h]		1_2_019AFDE2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AFDE2 mov eax, dword ptr fs:[00000030h]		1_2_019AFDE2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AFDE2 mov eax, dword ptr fs:[00000030h]		1_2_019AFDE2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AFDE2 mov eax, dword ptr fs:[00000030h]		1_2_019AFDE2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019741E8 mov eax, dword ptr fs:[00000030h]		1_2_019741E8
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9100 mov eax, dword ptr fs:[00000030h]		1_2_018E9100
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9100 mov eax, dword ptr fs:[00000030h]		1_2_018E9100
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9100 mov eax, dword ptr fs:[00000030h]		1_2_018E9100
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0196A537 mov eax, dword ptr fs:[00000030h]		1_2_0196A537
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AE539 mov eax, dword ptr fs:[00000030h]		1_2_019AE539
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01914D3B mov eax, dword ptr fs:[00000030h]		1_2_01914D3B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01914D3B mov eax, dword ptr fs:[00000030h]		1_2_01914D3B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01914D3B mov eax, dword ptr fs:[00000030h]		1_2_01914D3B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191513A mov eax, dword ptr fs:[00000030h]		1_2_0191513A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191513A mov eax, dword ptr fs:[00000030h]		1_2_0191513A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B8D34 mov eax, dword ptr fs:[00000030h]		1_2_019B8D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01904120 mov eax, dword ptr fs:[00000030h]		1_2_01904120
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01904120 mov eax, dword ptr fs:[00000030h]		1_2_01904120
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01904120 mov eax, dword ptr fs:[00000030h]		1_2_01904120
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01904120 mov eax, dword ptr fs:[00000030h]		1_2_01904120
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01904120 mov ecx, dword ptr fs:[00000030h]		1_2_01904120
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h]		1_2_018F3D34
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EAD30 mov eax, dword ptr fs:[00000030h]		1_2_018EAD30
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01907D50 mov eax, dword ptr fs:[00000030h]		1_2_01907D50
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01923D43 mov eax, dword ptr fs:[00000030h]		1_2_01923D43
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190B944 mov eax, dword ptr fs:[00000030h]		1_2_0190B944
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190B944 mov eax, dword ptr fs:[00000030h]		1_2_0190B944
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01963540 mov eax, dword ptr fs:[00000030h]		1_2_01963540
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190C577 mov eax, dword ptr fs:[00000030h]		1_2_0190C577
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190C577 mov eax, dword ptr fs:[00000030h]		1_2_0190C577
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EC962 mov eax, dword ptr fs:[00000030h]		1_2_018EC962
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EB171 mov eax, dword ptr fs:[00000030h]		1_2_018EB171
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EB171 mov eax, dword ptr fs:[00000030h]		1_2_018EB171
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9080 mov eax, dword ptr fs:[00000030h]		1_2_018E9080
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01963884 mov eax, dword ptr fs:[00000030h]		1_2_01963884
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01963884 mov eax, dword ptr fs:[00000030h]		1_2_01963884
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F849B mov eax, dword ptr fs:[00000030h]		1_2_018F849B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191F0BF mov ecx, dword ptr fs:[00000030h]		1_2_0191F0BF
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191F0BF mov eax, dword ptr fs:[00000030h]		1_2_0191F0BF
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191F0BF mov eax, dword ptr fs:[00000030h]		1_2_0191F0BF
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h]		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h]		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h]		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h]		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h]		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h]		1_2_019120A0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019290AF mov eax, dword ptr fs:[00000030h]		1_2_019290AF
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197B8D0 mov eax, dword ptr fs:[00000030h]		1_2_0197B8D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197B8D0 mov ecx, dword ptr fs:[00000030h]		1_2_0197B8D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197B8D0 mov eax, dword ptr fs:[00000030h]		1_2_0197B8D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197B8D0 mov eax, dword ptr fs:[00000030h]		1_2_0197B8D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197B8D0 mov eax, dword ptr fs:[00000030h]		1_2_0197B8D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197B8D0 mov eax, dword ptr fs:[00000030h]		1_2_0197B8D0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B8CD6 mov eax, dword ptr fs:[00000030h]		1_2_019B8CD6
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A14FB mov eax, dword ptr fs:[00000030h]		1_2_019A14FB
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E58EC mov eax, dword ptr fs:[00000030h]		1_2_018E58EC
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966CF0 mov eax, dword ptr fs:[00000030h]		1_2_01966CF0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966CF0 mov eax, dword ptr fs:[00000030h]		1_2_01966CF0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966CF0 mov eax, dword ptr fs:[00000030h]		1_2_01966CF0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01967016 mov eax, dword ptr fs:[00000030h]		1_2_01967016
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01967016 mov eax, dword ptr fs:[00000030h]		1_2_01967016
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01967016 mov eax, dword ptr fs:[00000030h]		1_2_01967016
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B4015 mov eax, dword ptr fs:[00000030h]		1_2_019B4015
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B4015 mov eax, dword ptr fs:[00000030h]		1_2_019B4015
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B740D mov eax, dword ptr fs:[00000030h]		1_2_019B740D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B740D mov eax, dword ptr fs:[00000030h]		1_2_019B740D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B740D mov eax, dword ptr fs:[00000030h]		1_2_019B740D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]		1_2_019A1C06
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]		1_2_01966C0A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]		1_2_01966C0A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]		1_2_01966C0A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]		1_2_01966C0A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]		1_2_018FB02A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]		1_2_018FB02A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]		1_2_018FB02A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]		1_2_018FB02A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]		1_2_0191002D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]		1_2_0191002D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]		1_2_0191002D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]		1_2_0191002D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]		1_2_0191002D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191BC2C mov eax, dword ptr fs:[00000030h]		1_2_0191BC2C
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01900050 mov eax, dword ptr fs:[00000030h]		1_2_01900050
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01900050 mov eax, dword ptr fs:[00000030h]		1_2_01900050
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197C450 mov eax, dword ptr fs:[00000030h]		1_2_0197C450
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197C450 mov eax, dword ptr fs:[00000030h]		1_2_0197C450
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191A44B mov eax, dword ptr fs:[00000030h]		1_2_0191A44B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A2073 mov eax, dword ptr fs:[00000030h]		1_2_019A2073
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B1074 mov eax, dword ptr fs:[00000030h]		1_2_019B1074
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190746D mov eax, dword ptr fs:[00000030h]		1_2_0190746D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F1B8F mov eax, dword ptr fs:[00000030h]		1_2_018F1B8F
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F1B8F mov eax, dword ptr fs:[00000030h]		1_2_018F1B8F
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191B390 mov eax, dword ptr fs:[00000030h]		1_2_0191B390
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01967794 mov eax, dword ptr fs:[00000030h]		1_2_01967794
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01967794 mov eax, dword ptr fs:[00000030h]		1_2_01967794
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01967794 mov eax, dword ptr fs:[00000030h]		1_2_01967794
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912397 mov eax, dword ptr fs:[00000030h]		1_2_01912397
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A138A mov eax, dword ptr fs:[00000030h]		1_2_019A138A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0199D380 mov ecx, dword ptr fs:[00000030h]		1_2_0199D380
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F8794 mov eax, dword ptr fs:[00000030h]		1_2_018F8794
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01914BAD mov eax, dword ptr fs:[00000030h]		1_2_01914BAD
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01914BAD mov eax, dword ptr fs:[00000030h]		1_2_01914BAD
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01914BAD mov eax, dword ptr fs:[00000030h]		1_2_01914BAD
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B5BA5 mov eax, dword ptr fs:[00000030h]		1_2_019B5BA5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019653CA mov eax, dword ptr fs:[00000030h]		1_2_019653CA
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019653CA mov eax, dword ptr fs:[00000030h]		1_2_019653CA
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019237F5 mov eax, dword ptr fs:[00000030h]		1_2_019237F5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]		1_2_019103E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]		1_2_019103E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]		1_2_019103E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]		1_2_019103E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]		1_2_019103E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]		1_2_019103E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190DBE9 mov eax, dword ptr fs:[00000030h]		1_2_0190DBE9
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A131B mov eax, dword ptr fs:[00000030h]		1_2_019A131B
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190F716 mov eax, dword ptr fs:[00000030h]		1_2_0190F716
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197FF10 mov eax, dword ptr fs:[00000030h]		1_2_0197FF10
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197FF10 mov eax, dword ptr fs:[00000030h]		1_2_0197FF10
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B070D mov eax, dword ptr fs:[00000030h]		1_2_019B070D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B070D mov eax, dword ptr fs:[00000030h]		1_2_019B070D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191A70E mov eax, dword ptr fs:[00000030h]		1_2_0191A70E
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191A70E mov eax, dword ptr fs:[00000030h]		1_2_0191A70E
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E4F2E mov eax, dword ptr fs:[00000030h]		1_2_018E4F2E
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E4F2E mov eax, dword ptr fs:[00000030h]		1_2_018E4F2E
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191E730 mov eax, dword ptr fs:[00000030h]		1_2_0191E730
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B8B58 mov eax, dword ptr fs:[00000030h]		1_2_019B8B58
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EDB40 mov eax, dword ptr fs:[00000030h]		1_2_018EDB40
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FEF40 mov eax, dword ptr fs:[00000030h]		1_2_018FEF40
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EF358 mov eax, dword ptr fs:[00000030h]		1_2_018EF358
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01913B7A mov eax, dword ptr fs:[00000030h]		1_2_01913B7A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01913B7A mov eax, dword ptr fs:[00000030h]		1_2_01913B7A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EDB60 mov ecx, dword ptr fs:[00000030h]		1_2_018EDB60
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FFF60 mov eax, dword ptr fs:[00000030h]		1_2_018FFF60
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B8F6A mov eax, dword ptr fs:[00000030h]		1_2_019B8F6A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191D294 mov eax, dword ptr fs:[00000030h]		1_2_0191D294
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191D294 mov eax, dword ptr fs:[00000030h]		1_2_0191D294
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0197FE87 mov eax, dword ptr fs:[00000030h]		1_2_0197FE87
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191FAB0 mov eax, dword ptr fs:[00000030h]		1_2_0191FAB0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]		1_2_018E52A5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]		1_2_018E52A5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]		1_2_018E52A5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]		1_2_018E52A5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]		1_2_018E52A5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019646A7 mov eax, dword ptr fs:[00000030h]		1_2_019646A7
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B0EA5 mov eax, dword ptr fs:[00000030h]		1_2_019B0EA5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B0EA5 mov eax, dword ptr fs:[00000030h]		1_2_019B0EA5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B0EA5 mov eax, dword ptr fs:[00000030h]		1_2_019B0EA5
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FAAB0 mov eax, dword ptr fs:[00000030h]		1_2_018FAAB0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018FAAB0 mov eax, dword ptr fs:[00000030h]		1_2_018FAAB0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B8ED6 mov eax, dword ptr fs:[00000030h]		1_2_019B8ED6
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01928EC7 mov eax, dword ptr fs:[00000030h]		1_2_01928EC7
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0199FEC0 mov eax, dword ptr fs:[00000030h]		1_2_0199FEC0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912ACB mov eax, dword ptr fs:[00000030h]		1_2_01912ACB
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019136CC mov eax, dword ptr fs:[00000030h]		1_2_019136CC
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F76E2 mov eax, dword ptr fs:[00000030h]		1_2_018F76E2
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019116E0 mov ecx, dword ptr fs:[00000030h]		1_2_019116E0
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01912AE4 mov eax, dword ptr fs:[00000030h]		1_2_01912AE4
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F8A0A mov eax, dword ptr fs:[00000030h]		1_2_018F8A0A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01903A1C mov eax, dword ptr fs:[00000030h]		1_2_01903A1C
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191A61C mov eax, dword ptr fs:[00000030h]		1_2_0191A61C
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0191A61C mov eax, dword ptr fs:[00000030h]		1_2_0191A61C
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EC600 mov eax, dword ptr fs:[00000030h]		1_2_018EC600
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EC600 mov eax, dword ptr fs:[00000030h]		1_2_018EC600
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EC600 mov eax, dword ptr fs:[00000030h]		1_2_018EC600
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01918E00 mov eax, dword ptr fs:[00000030h]		1_2_01918E00
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019A1608 mov eax, dword ptr fs:[00000030h]		1_2_019A1608
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EAA16 mov eax, dword ptr fs:[00000030h]		1_2_018EAA16
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EAA16 mov eax, dword ptr fs:[00000030h]		1_2_018EAA16
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E5210 mov eax, dword ptr fs:[00000030h]		1_2_018E5210
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E5210 mov ecx, dword ptr fs:[00000030h]		1_2_018E5210
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E5210 mov eax, dword ptr fs:[00000030h]		1_2_018E5210
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E5210 mov eax, dword ptr fs:[00000030h]		1_2_018E5210
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0199FE3F mov eax, dword ptr fs:[00000030h]		1_2_0199FE3F
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018EE620 mov eax, dword ptr fs:[00000030h]		1_2_018EE620
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01924A2C mov eax, dword ptr fs:[00000030h]		1_2_01924A2C
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01924A2C mov eax, dword ptr fs:[00000030h]		1_2_01924A2C
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_01974257 mov eax, dword ptr fs:[00000030h]		1_2_01974257
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]		1_2_018E9240
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]		1_2_018E9240
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]		1_2_018E9240
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]		1_2_018E9240
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]		1_2_018F7E41
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]		1_2_018F7E41
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]		1_2_018F7E41
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]		1_2_018F7E41
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]		1_2_018F7E41
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]		1_2_018F7E41
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AEA55 mov eax, dword ptr fs:[00000030h]		1_2_019AEA55
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AAE44 mov eax, dword ptr fs:[00000030h]		1_2_019AAE44
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019AAE44 mov eax, dword ptr fs:[00000030h]		1_2_019AAE44
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_018F766D mov eax, dword ptr fs:[00000030h]		1_2_018F766D
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]		1_2_0190AE73
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]		1_2_0190AE73
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]		1_2_0190AE73
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]		1_2_0190AE73
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]		1_2_0190AE73
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0192927A mov eax, dword ptr fs:[00000030h]		1_2_0192927A
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0199B260 mov eax, dword ptr fs:[00000030h]		1_2_0199B260
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_0199B260 mov eax, dword ptr fs:[00000030h]		1_2_0199B260
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Code function: 1_2_019B8A62 mov eax, dword ptr fs:[00000030h]		1_2_019B8A62
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0F0BF mov ecx, dword ptr fs:[00000030h]		3_2_04B0F0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0F0BF mov eax, dword ptr fs:[00000030h]		3_2_04B0F0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0F0BF mov eax, dword ptr fs:[00000030h]		3_2_04B0F0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]		3_2_04B020A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B190AF mov eax, dword ptr fs:[00000030h]		3_2_04B190AF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9080 mov eax, dword ptr fs:[00000030h]		3_2_04AD9080
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B53884 mov eax, dword ptr fs:[00000030h]		3_2_04B53884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B53884 mov eax, dword ptr fs:[00000030h]		3_2_04B53884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE849B mov eax, dword ptr fs:[00000030h]		3_2_04AE849B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD58EC mov eax, dword ptr fs:[00000030h]		3_2_04AD58EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B914FB mov eax, dword ptr fs:[00000030h]		3_2_04B914FB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56CF0 mov eax, dword ptr fs:[00000030h]		3_2_04B56CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56CF0 mov eax, dword ptr fs:[00000030h]		3_2_04B56CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56CF0 mov eax, dword ptr fs:[00000030h]		3_2_04B56CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]		3_2_04B6B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6B8D0 mov ecx, dword ptr fs:[00000030h]		3_2_04B6B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]		3_2_04B6B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]		3_2_04B6B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]		3_2_04B6B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]		3_2_04B6B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA8CD6 mov eax, dword ptr fs:[00000030h]		3_2_04BA8CD6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]		3_2_04AEB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]		3_2_04AEB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]		3_2_04AEB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]		3_2_04AEB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0BC2C mov eax, dword ptr fs:[00000030h]		3_2_04B0BC2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]		3_2_04B0002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]		3_2_04B0002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]		3_2_04B0002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]		3_2_04B0002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]		3_2_04B0002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B57016 mov eax, dword ptr fs:[00000030h]		3_2_04B57016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B57016 mov eax, dword ptr fs:[00000030h]		3_2_04B57016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B57016 mov eax, dword ptr fs:[00000030h]		3_2_04B57016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA4015 mov eax, dword ptr fs:[00000030h]		3_2_04BA4015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA4015 mov eax, dword ptr fs:[00000030h]		3_2_04BA4015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA740D mov eax, dword ptr fs:[00000030h]		3_2_04BA740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA740D mov eax, dword ptr fs:[00000030h]		3_2_04BA740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA740D mov eax, dword ptr fs:[00000030h]		3_2_04BA740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]		3_2_04B91C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56C0A mov eax, dword ptr fs:[00000030h]		3_2_04B56C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56C0A mov eax, dword ptr fs:[00000030h]		3_2_04B56C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56C0A mov eax, dword ptr fs:[00000030h]		3_2_04B56C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56C0A mov eax, dword ptr fs:[00000030h]		3_2_04B56C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF746D mov eax, dword ptr fs:[00000030h]		3_2_04AF746D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B92073 mov eax, dword ptr fs:[00000030h]		3_2_04B92073
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA1074 mov eax, dword ptr fs:[00000030h]		3_2_04BA1074
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6C450 mov eax, dword ptr fs:[00000030h]		3_2_04B6C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6C450 mov eax, dword ptr fs:[00000030h]		3_2_04B6C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0A44B mov eax, dword ptr fs:[00000030h]		3_2_04B0A44B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF0050 mov eax, dword ptr fs:[00000030h]		3_2_04AF0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF0050 mov eax, dword ptr fs:[00000030h]		3_2_04AF0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B01DB5 mov eax, dword ptr fs:[00000030h]		3_2_04B01DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B01DB5 mov eax, dword ptr fs:[00000030h]		3_2_04B01DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B01DB5 mov eax, dword ptr fs:[00000030h]		3_2_04B01DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B551BE mov eax, dword ptr fs:[00000030h]		3_2_04B551BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B551BE mov eax, dword ptr fs:[00000030h]		3_2_04B551BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B551BE mov eax, dword ptr fs:[00000030h]		3_2_04B551BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B551BE mov eax, dword ptr fs:[00000030h]		3_2_04B551BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B061A0 mov eax, dword ptr fs:[00000030h]		3_2_04B061A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B061A0 mov eax, dword ptr fs:[00000030h]		3_2_04B061A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B035A1 mov eax, dword ptr fs:[00000030h]		3_2_04B035A1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B569A6 mov eax, dword ptr fs:[00000030h]		3_2_04B569A6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA05AC mov eax, dword ptr fs:[00000030h]		3_2_04BA05AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA05AC mov eax, dword ptr fs:[00000030h]		3_2_04BA05AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02990 mov eax, dword ptr fs:[00000030h]		3_2_04B02990
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD2D8A mov eax, dword ptr fs:[00000030h]		3_2_04AD2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD2D8A mov eax, dword ptr fs:[00000030h]		3_2_04AD2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD2D8A mov eax, dword ptr fs:[00000030h]		3_2_04AD2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD2D8A mov eax, dword ptr fs:[00000030h]		3_2_04AD2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD2D8A mov eax, dword ptr fs:[00000030h]		3_2_04AD2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0FD9B mov eax, dword ptr fs:[00000030h]		3_2_04B0FD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0FD9B mov eax, dword ptr fs:[00000030h]		3_2_04B0FD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFC182 mov eax, dword ptr fs:[00000030h]		3_2_04AFC182
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02581 mov eax, dword ptr fs:[00000030h]		3_2_04B02581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02581 mov eax, dword ptr fs:[00000030h]		3_2_04B02581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02581 mov eax, dword ptr fs:[00000030h]		3_2_04B02581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02581 mov eax, dword ptr fs:[00000030h]		3_2_04B02581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0A185 mov eax, dword ptr fs:[00000030h]		3_2_04B0A185
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B88DF1 mov eax, dword ptr fs:[00000030h]		3_2_04B88DF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADB1E1 mov eax, dword ptr fs:[00000030h]		3_2_04ADB1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADB1E1 mov eax, dword ptr fs:[00000030h]		3_2_04ADB1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADB1E1 mov eax, dword ptr fs:[00000030h]		3_2_04ADB1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AED5E0 mov eax, dword ptr fs:[00000030h]		3_2_04AED5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AED5E0 mov eax, dword ptr fs:[00000030h]		3_2_04AED5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9FDE2 mov eax, dword ptr fs:[00000030h]		3_2_04B9FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9FDE2 mov eax, dword ptr fs:[00000030h]		3_2_04B9FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9FDE2 mov eax, dword ptr fs:[00000030h]		3_2_04B9FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9FDE2 mov eax, dword ptr fs:[00000030h]		3_2_04B9FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B641E8 mov eax, dword ptr fs:[00000030h]		3_2_04B641E8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56DC9 mov eax, dword ptr fs:[00000030h]		3_2_04B56DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56DC9 mov eax, dword ptr fs:[00000030h]		3_2_04B56DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56DC9 mov eax, dword ptr fs:[00000030h]		3_2_04B56DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56DC9 mov ecx, dword ptr fs:[00000030h]		3_2_04B56DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56DC9 mov eax, dword ptr fs:[00000030h]		3_2_04B56DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B56DC9 mov eax, dword ptr fs:[00000030h]		3_2_04B56DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9E539 mov eax, dword ptr fs:[00000030h]		3_2_04B9E539
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B5A537 mov eax, dword ptr fs:[00000030h]		3_2_04B5A537
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0513A mov eax, dword ptr fs:[00000030h]		3_2_04B0513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0513A mov eax, dword ptr fs:[00000030h]		3_2_04B0513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B04D3B mov eax, dword ptr fs:[00000030h]		3_2_04B04D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B04D3B mov eax, dword ptr fs:[00000030h]		3_2_04B04D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B04D3B mov eax, dword ptr fs:[00000030h]		3_2_04B04D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA8D34 mov eax, dword ptr fs:[00000030h]		3_2_04BA8D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF4120 mov eax, dword ptr fs:[00000030h]		3_2_04AF4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF4120 mov eax, dword ptr fs:[00000030h]		3_2_04AF4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF4120 mov eax, dword ptr fs:[00000030h]		3_2_04AF4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF4120 mov eax, dword ptr fs:[00000030h]		3_2_04AF4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF4120 mov ecx, dword ptr fs:[00000030h]		3_2_04AF4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE3D34 mov eax, dword ptr fs:[00000030h]		3_2_04AE3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADAD30 mov eax, dword ptr fs:[00000030h]		3_2_04ADAD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9100 mov eax, dword ptr fs:[00000030h]		3_2_04AD9100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9100 mov eax, dword ptr fs:[00000030h]		3_2_04AD9100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9100 mov eax, dword ptr fs:[00000030h]		3_2_04AD9100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADC962 mov eax, dword ptr fs:[00000030h]		3_2_04ADC962
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFC577 mov eax, dword ptr fs:[00000030h]		3_2_04AFC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFC577 mov eax, dword ptr fs:[00000030h]		3_2_04AFC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADB171 mov eax, dword ptr fs:[00000030h]		3_2_04ADB171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADB171 mov eax, dword ptr fs:[00000030h]		3_2_04ADB171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFB944 mov eax, dword ptr fs:[00000030h]		3_2_04AFB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFB944 mov eax, dword ptr fs:[00000030h]		3_2_04AFB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B13D43 mov eax, dword ptr fs:[00000030h]		3_2_04B13D43
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B53540 mov eax, dword ptr fs:[00000030h]		3_2_04B53540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF7D50 mov eax, dword ptr fs:[00000030h]		3_2_04AF7D50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0FAB0 mov eax, dword ptr fs:[00000030h]		3_2_04B0FAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD52A5 mov eax, dword ptr fs:[00000030h]		3_2_04AD52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD52A5 mov eax, dword ptr fs:[00000030h]		3_2_04AD52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD52A5 mov eax, dword ptr fs:[00000030h]		3_2_04AD52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD52A5 mov eax, dword ptr fs:[00000030h]		3_2_04AD52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD52A5 mov eax, dword ptr fs:[00000030h]		3_2_04AD52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B546A7 mov eax, dword ptr fs:[00000030h]		3_2_04B546A7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEAAB0 mov eax, dword ptr fs:[00000030h]		3_2_04AEAAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AEAAB0 mov eax, dword ptr fs:[00000030h]		3_2_04AEAAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA0EA5 mov eax, dword ptr fs:[00000030h]		3_2_04BA0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA0EA5 mov eax, dword ptr fs:[00000030h]		3_2_04BA0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA0EA5 mov eax, dword ptr fs:[00000030h]		3_2_04BA0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0D294 mov eax, dword ptr fs:[00000030h]		3_2_04B0D294
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0D294 mov eax, dword ptr fs:[00000030h]		3_2_04B0D294
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B6FE87 mov eax, dword ptr fs:[00000030h]		3_2_04B6FE87
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE76E2 mov eax, dword ptr fs:[00000030h]		3_2_04AE76E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B016E0 mov ecx, dword ptr fs:[00000030h]		3_2_04B016E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02AE4 mov eax, dword ptr fs:[00000030h]		3_2_04B02AE4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA8ED6 mov eax, dword ptr fs:[00000030h]		3_2_04BA8ED6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B18EC7 mov eax, dword ptr fs:[00000030h]		3_2_04B18EC7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B8FEC0 mov eax, dword ptr fs:[00000030h]		3_2_04B8FEC0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02ACB mov eax, dword ptr fs:[00000030h]		3_2_04B02ACB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B036CC mov eax, dword ptr fs:[00000030h]		3_2_04B036CC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B8FE3F mov eax, dword ptr fs:[00000030h]		3_2_04B8FE3F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADE620 mov eax, dword ptr fs:[00000030h]		3_2_04ADE620
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B14A2C mov eax, dword ptr fs:[00000030h]		3_2_04B14A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B14A2C mov eax, dword ptr fs:[00000030h]		3_2_04B14A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE8A0A mov eax, dword ptr fs:[00000030h]		3_2_04AE8A0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0A61C mov eax, dword ptr fs:[00000030h]		3_2_04B0A61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0A61C mov eax, dword ptr fs:[00000030h]		3_2_04B0A61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADC600 mov eax, dword ptr fs:[00000030h]		3_2_04ADC600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADC600 mov eax, dword ptr fs:[00000030h]		3_2_04ADC600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADC600 mov eax, dword ptr fs:[00000030h]		3_2_04ADC600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B08E00 mov eax, dword ptr fs:[00000030h]		3_2_04B08E00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B91608 mov eax, dword ptr fs:[00000030h]		3_2_04B91608
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AF3A1C mov eax, dword ptr fs:[00000030h]		3_2_04AF3A1C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADAA16 mov eax, dword ptr fs:[00000030h]		3_2_04ADAA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04ADAA16 mov eax, dword ptr fs:[00000030h]		3_2_04ADAA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD5210 mov eax, dword ptr fs:[00000030h]		3_2_04AD5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD5210 mov ecx, dword ptr fs:[00000030h]		3_2_04AD5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD5210 mov eax, dword ptr fs:[00000030h]		3_2_04AD5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD5210 mov eax, dword ptr fs:[00000030h]		3_2_04AD5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE766D mov eax, dword ptr fs:[00000030h]		3_2_04AE766D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B1927A mov eax, dword ptr fs:[00000030h]		3_2_04B1927A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B8B260 mov eax, dword ptr fs:[00000030h]		3_2_04B8B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B8B260 mov eax, dword ptr fs:[00000030h]		3_2_04B8B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA8A62 mov eax, dword ptr fs:[00000030h]		3_2_04BA8A62
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFAE73 mov eax, dword ptr fs:[00000030h]		3_2_04AFAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFAE73 mov eax, dword ptr fs:[00000030h]		3_2_04AFAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFAE73 mov eax, dword ptr fs:[00000030h]		3_2_04AFAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFAE73 mov eax, dword ptr fs:[00000030h]		3_2_04AFAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFAE73 mov eax, dword ptr fs:[00000030h]		3_2_04AFAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B64257 mov eax, dword ptr fs:[00000030h]		3_2_04B64257
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9EA55 mov eax, dword ptr fs:[00000030h]		3_2_04B9EA55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9240 mov eax, dword ptr fs:[00000030h]		3_2_04AD9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9240 mov eax, dword ptr fs:[00000030h]		3_2_04AD9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9240 mov eax, dword ptr fs:[00000030h]		3_2_04AD9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AD9240 mov eax, dword ptr fs:[00000030h]		3_2_04AD9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE7E41 mov eax, dword ptr fs:[00000030h]		3_2_04AE7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE7E41 mov eax, dword ptr fs:[00000030h]		3_2_04AE7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE7E41 mov eax, dword ptr fs:[00000030h]		3_2_04AE7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE7E41 mov eax, dword ptr fs:[00000030h]		3_2_04AE7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE7E41 mov eax, dword ptr fs:[00000030h]		3_2_04AE7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE7E41 mov eax, dword ptr fs:[00000030h]		3_2_04AE7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9AE44 mov eax, dword ptr fs:[00000030h]		3_2_04B9AE44
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9AE44 mov eax, dword ptr fs:[00000030h]		3_2_04B9AE44
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B04BAD mov eax, dword ptr fs:[00000030h]		3_2_04B04BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B04BAD mov eax, dword ptr fs:[00000030h]		3_2_04B04BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B04BAD mov eax, dword ptr fs:[00000030h]		3_2_04B04BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04BA5BA5 mov eax, dword ptr fs:[00000030h]		3_2_04BA5BA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B0B390 mov eax, dword ptr fs:[00000030h]		3_2_04B0B390
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE1B8F mov eax, dword ptr fs:[00000030h]		3_2_04AE1B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE1B8F mov eax, dword ptr fs:[00000030h]		3_2_04AE1B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B57794 mov eax, dword ptr fs:[00000030h]		3_2_04B57794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B57794 mov eax, dword ptr fs:[00000030h]		3_2_04B57794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B57794 mov eax, dword ptr fs:[00000030h]		3_2_04B57794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B02397 mov eax, dword ptr fs:[00000030h]		3_2_04B02397
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B9138A mov eax, dword ptr fs:[00000030h]		3_2_04B9138A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B8D380 mov ecx, dword ptr fs:[00000030h]		3_2_04B8D380
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AE8794 mov eax, dword ptr fs:[00000030h]		3_2_04AE8794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04B137F5 mov eax, dword ptr fs:[00000030h]		3_2_04B137F5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_04AFDBE9 mov eax, dword ptr fs:[00000030h]		3_2_04AFDBE9

Enables debug privileges

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.shadyshainarae.com
Source: C:\Windows\explorer.exe	Domain query: www.xn--80aasvjfhla.xn--p1acf
Source: C:\Windows\explorer.exe	Network Connect: 107.164.93.172 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tjanyancha.com
Source: C:\Windows\explorer.exe	Network Connect: 162.241.62.63 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.pocopage.com
Source: C:\Windows\explorer.exe	Network Connect: 66.96.162.130 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.goodcreditcardshome.info
Source: C:\Windows\explorer.exe	Domain query: www.paperplaneexplorer.com
Source: C:\Windows\explorer.exe	Domain query: www.usapersonalshopper.com
Source: C:\Windows\explorer.exe	Network Connect: 104.164.26.246 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dmowang.com
Source: C:\Windows\explorer.exe	Domain query: www.comicstattoosnguns.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.219.49.238 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thefrankversion.com
Source: C:\Windows\explorer.exe	Domain query: www.pasteleriaruth.com
Source: C:\Windows\explorer.exe	Domain query: www.goeseo.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Memory written: C:\Users\user\Desktop\Order 122001-220 guanzo.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 9D0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe C:\Users\user\Desktop\Order 122001-220 guanzo.exe			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000002.00000002.931217061.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.693486523.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Queries volume information: C:\Users\user\Desktop\Order 122001-220 guanzo.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE