Analysis Report dwg.exe

Overview

General Information

Sample Name: dwg.exe
Analysis ID: 358411
MD5: 6a9035b7435c6aa9e6c8e31cf771e316
SHA1: 16a6d2ac44b8ac3cbe112916d8cd9912d3f0dbf7
SHA256: 6f33f5e3a23420dacdc26fb8e2eef07fe482e634d4b832b0917cbe7ed37864f5
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: dwg.exe ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.rundll32.exe.4927960.5.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.rundll32.exe.6843e8.1.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: dwg.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp, rundll32.exe, 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: dwg.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop ebx 13_2_00196A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 13_2_001A62C9

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49716 -> 45.153.203.33:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca HTTP/1.1Host: www.buytgp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.delmarranch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.apkiinsurance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS HTTP/1.1Host: www.bestcroissantinlondon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.thakehamwesthorsley.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA HTTP/1.1Host: www.karatetheokinawaway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.25
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: Joe Sandbox View ASN Name: HENGTONG-IDC-LLCUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 45.153.203.33Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 45.153.203.33
Source: unknown DNS traffic detected: queries for: www.buytgp.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Feb 2021 14:35:24 GMTContent-Type: text/htmlContent-Length: 793Connection: close
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp String found in binary or memory: http://45.153.203.33/
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp String found in binary or memory: http://45.153.203.33/53321935-2125563209-4053062332-1002
Source: dwg.exe String found in binary or memory: http://45.153.203.33/mb.bin
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp String found in binary or memory: http://45.153.203.33/mb.binI;
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp String found in binary or memory: http://45.153.203.33/mb.bintSkm
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmp String found in binary or memory: https://www.123-reg-new-domain.co.uk/iframe.html
Source: rundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmp String found in binary or memory: https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216329B NtSetInformationThread,NtWriteVirtualMemory, 0_2_0216329B
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216637E NtResumeThread, 0_2_0216637E
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216180C NtWriteVirtualMemory, 0_2_0216180C
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216056A EnumWindows,NtSetInformationThread, 0_2_0216056A
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165DB1 NtProtectVirtualMemory, 0_2_02165DB1
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02160602 NtSetInformationThread, 0_2_02160602
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165E08 NtResumeThread, 0_2_02165E08
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162626 NtWriteVirtualMemory, 0_2_02162626
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162698 NtWriteVirtualMemory, 0_2_02162698
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216068A NtSetInformationThread, 0_2_0216068A
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165F0B NtResumeThread, 0_2_02165F0B
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216272A NtWriteVirtualMemory, 0_2_0216272A
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216279A NtWriteVirtualMemory, 0_2_0216279A
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02166384 NtResumeThread, 0_2_02166384
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021663CA NtResumeThread, 0_2_021663CA
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216640E NtResumeThread, 0_2_0216640E
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162831 NtWriteVirtualMemory, 0_2_02162831
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165C3B NtResumeThread, 0_2_02165C3B
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216245B NtWriteVirtualMemory, 0_2_0216245B
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02166466 NtResumeThread, 0_2_02166466
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02166487 NtResumeThread, 0_2_02166487
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216288E NtWriteVirtualMemory, 0_2_0216288E
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021624AE NtWriteVirtualMemory, 0_2_021624AE
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021664C6 NtResumeThread, 0_2_021664C6
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021624F2 NtWriteVirtualMemory, 0_2_021624F2
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162916 NtWriteVirtualMemory, 0_2_02162916
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02166533 NtResumeThread, 0_2_02166533
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02163522 NtWriteVirtualMemory, 0_2_02163522
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162557 NtWriteVirtualMemory, 0_2_02162557
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02166558 NtResumeThread, 0_2_02166558
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02160540 NtSetInformationThread, 0_2_02160540
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02166596 NtResumeThread, 0_2_02166596
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162986 NtWriteVirtualMemory, 0_2_02162986
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021605B6 NtSetInformationThread, 0_2_021605B6
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021625B2 NtWriteVirtualMemory, 0_2_021625B2
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165DF8 NtResumeThread, 0_2_02165DF8
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E289660
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2896E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_1E2896E0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289710 NtQueryInformationToken,LdrInitializeThunk, 1_2_1E289710
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2897A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_1E2897A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289780 NtMapViewOfSection,LdrInitializeThunk, 1_2_1E289780
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289FE0 NtCreateMutant,LdrInitializeThunk, 1_2_1E289FE0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289540 NtReadFile,LdrInitializeThunk, 1_2_1E289540
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2895D0 NtClose,LdrInitializeThunk, 1_2_1E2895D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289A20 NtResumeThread,LdrInitializeThunk, 1_2_1E289A20
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_1E289A00
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289A50 NtCreateFile,LdrInitializeThunk, 1_2_1E289A50
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_1E289860
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289840 NtDelayExecution,LdrInitializeThunk, 1_2_1E289840
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2898F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_1E2898F0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_1E289910
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2899A0 NtCreateSection,LdrInitializeThunk, 1_2_1E2899A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289610 NtEnumerateValueKey, 1_2_1E289610
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289670 NtQueryInformationProcess, 1_2_1E289670
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289650 NtQueryValueKey, 1_2_1E289650
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2896D0 NtCreateKey, 1_2_1E2896D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289730 NtQueryVirtualMemory, 1_2_1E289730
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E28A710 NtOpenProcessToken, 1_2_1E28A710
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289760 NtOpenProcess, 1_2_1E289760
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E28A770 NtOpenThread, 1_2_1E28A770
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289770 NtSetInformationFile, 1_2_1E289770
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289520 NtWaitForSingleObject, 1_2_1E289520
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E28AD30 NtSetContextThread, 1_2_1E28AD30
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289560 NtWriteFile, 1_2_1E289560
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2895F0 NtQueryInformationFile, 1_2_1E2895F0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289A10 NtQuerySection, 1_2_1E289A10
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289A80 NtOpenDirectoryObject, 1_2_1E289A80
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289B00 NtSetValueKey, 1_2_1E289B00
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E28A3B0 NtGetContextThread, 1_2_1E28A3B0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289820 NtEnumerateKey, 1_2_1E289820
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E28B040 NtSuspendThread, 1_2_1E28B040
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2898A0 NtWriteVirtualMemory, 1_2_1E2898A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E289950 NtQueueApcThread, 1_2_1E289950
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2899D0 NtCreateProcessEx, 1_2_1E2899D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565D76 NtProtectVirtualMemory,NtSetInformationThread, 1_2_00565D76
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_0056637E NtSetInformationThread, 1_2_0056637E
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00566466 NtSetInformationThread, 1_2_00566466
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_0056640E NtSetInformationThread, 1_2_0056640E
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_005664C6 NtSetInformationThread, 1_2_005664C6
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00566487 NtSetInformationThread, 1_2_00566487
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00566558 NtSetInformationThread, 1_2_00566558
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00566533 NtSetInformationThread, 1_2_00566533
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565DCF NtSetInformationThread, 1_2_00565DCF
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565DE2 NtSetInformationThread, 1_2_00565DE2
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00566596 NtSetInformationThread, 1_2_00566596
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565DB1 NtProtectVirtualMemory, 1_2_00565DB1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565E08 NtSetInformationThread, 1_2_00565E08
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_005666EB NtSetInformationThread, 1_2_005666EB
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565F0B NtSetInformationThread, 1_2_00565F0B
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_005663CA NtSetInformationThread, 1_2_005663CA
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00566384 NtSetInformationThread, 1_2_00566384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459540 NtReadFile,LdrInitializeThunk, 13_2_04459540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044595D0 NtClose,LdrInitializeThunk, 13_2_044595D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459650 NtQueryValueKey,LdrInitializeThunk, 13_2_04459650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_04459660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044596D0 NtCreateKey,LdrInitializeThunk, 13_2_044596D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044596E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_044596E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459710 NtQueryInformationToken,LdrInitializeThunk, 13_2_04459710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459FE0 NtCreateMutant,LdrInitializeThunk, 13_2_04459FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459780 NtMapViewOfSection,LdrInitializeThunk, 13_2_04459780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459840 NtDelayExecution,LdrInitializeThunk, 13_2_04459840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_04459860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_04459910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044599A0 NtCreateSection,LdrInitializeThunk, 13_2_044599A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459A50 NtCreateFile,LdrInitializeThunk, 13_2_04459A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459560 NtWriteFile, 13_2_04459560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459520 NtWaitForSingleObject, 13_2_04459520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0445AD30 NtSetContextThread, 13_2_0445AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044595F0 NtQueryInformationFile, 13_2_044595F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459670 NtQueryInformationProcess, 13_2_04459670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459610 NtEnumerateValueKey, 13_2_04459610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459760 NtOpenProcess, 13_2_04459760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0445A770 NtOpenThread, 13_2_0445A770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459770 NtSetInformationFile, 13_2_04459770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0445A710 NtOpenProcessToken, 13_2_0445A710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459730 NtQueryVirtualMemory, 13_2_04459730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044597A0 NtUnmapViewOfSection, 13_2_044597A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0445B040 NtSuspendThread, 13_2_0445B040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459820 NtEnumerateKey, 13_2_04459820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044598F0 NtReadVirtualMemory, 13_2_044598F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044598A0 NtWriteVirtualMemory, 13_2_044598A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459950 NtQueueApcThread, 13_2_04459950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044599D0 NtCreateProcessEx, 13_2_044599D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459A00 NtProtectVirtualMemory, 13_2_04459A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459A10 NtQuerySection, 13_2_04459A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459A20 NtResumeThread, 13_2_04459A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459A80 NtOpenDirectoryObject, 13_2_04459A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04459B00 NtSetValueKey, 13_2_04459B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0445A3B0 NtGetContextThread, 13_2_0445A3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A81E0 NtCreateFile, 13_2_001A81E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A8290 NtReadFile, 13_2_001A8290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A8310 NtClose, 13_2_001A8310
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A83C0 NtAllocateVirtualMemory, 13_2_001A83C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A819A NtCreateFile, 13_2_001A819A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A81DC NtCreateFile, 13_2_001A81DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A8235 NtCreateFile, 13_2_001A8235
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A828A NtReadFile, 13_2_001A828A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A830B NtClose, 13_2_001A830B
Detected potential crypto function
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_00401348 0_2_00401348
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E266E30 1_2_1E266E30
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30D616 1_2_1E30D616
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E312EF7 1_2_1E312EF7
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E311FF1 1_2_1E311FF1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E31DFCE 1_2_1E31DFCE
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25841F 1_2_1E25841F
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30D466 1_2_1E30D466
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E240D20 1_2_1E240D20
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E312D07 1_2_1E312D07
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E311D55 1_2_1E311D55
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E272581 1_2_1E272581
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25D5E0 1_2_1E25D5E0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3125DD 1_2_1E3125DD
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3122AE 1_2_1E3122AE
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E312B28 1_2_1E312B28
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27EBB0 1_2_1E27EBB0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30DBD2 1_2_1E30DBD2
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3003DA 1_2_1E3003DA
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E31E824 1_2_1E31E824
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E301002 1_2_1E301002
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3120A8 1_2_1E3120A8
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25B090 1_2_1E25B090
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3128EC 1_2_1E3128EC
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E264120 1_2_1E264120
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24F900 1_2_1E24F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DD466 13_2_044DD466
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442841F 13_2_0442841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E1D55 13_2_044E1D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E2D07 13_2_044E2D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04410D20 13_2_04410D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E25DD 13_2_044E25DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442D5E0 13_2_0442D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04442581 13_2_04442581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DD616 13_2_044DD616
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04436E30 13_2_04436E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E2EF7 13_2_044E2EF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044EDFCE 13_2_044EDFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E1FF1 13_2_044E1FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1002 13_2_044D1002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044EE824 13_2_044EE824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443A830 13_2_0443A830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E28EC 13_2_044E28EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442B090 13_2_0442B090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E20A8 13_2_044E20A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441F900 13_2_0441F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04434120 13_2_04434120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044CFA2B 13_2_044CFA2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E22AE 13_2_044E22AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443AB40 13_2_0443AB40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E2B28 13_2_044E2B28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D03DA 13_2_044D03DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DDBD2 13_2_044DDBD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444EBB0 13_2_0444EBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00198C70 13_2_00198C70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00198C6C 13_2_00198C6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00192D90 13_2_00192D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00192D88 13_2_00192D88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001AC73F 13_2_001AC73F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001AC7B8 13_2_001AC7B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00192FB0 13_2_00192FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\dwg.exe Code function: String function: 1E24B150 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0441B150 appears 54 times
PE file contains strange resources
Source: dwg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dwg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: dwg.exe, 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
Source: dwg.exe, 00000000.00000002.247561257.0000000002130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs dwg.exe
Source: dwg.exe, 00000000.00000002.248010737.0000000002960000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoveddrif.exeFE2XANTERIADGRIZZ vs dwg.exe
Source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs dwg.exe
Source: dwg.exe, 00000001.00000000.245755926.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
Source: dwg.exe, 00000001.00000002.312855043.000000001E4CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs dwg.exe
Source: dwg.exe, 00000001.00000002.312005314.000000001DD90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs dwg.exe
Source: dwg.exe Binary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
Uses 32bit PE files
Source: dwg.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@13/8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Users\user\Desktop\dwg.exe File created: C:\Users\user\AppData\Local\Temp\~DF888B9D52BBCA55F9.TMP
Source: dwg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dwg.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\dwg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: dwg.exe ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
Source: unknown Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dwg.exe Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp, rundll32.exe, 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: dwg.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: dwg.exe PID: 5316, type: MEMORY
Source: Yara match File source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: dwg.exe PID: 5316, type: MEMORY
Source: Yara match File source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165A66 push eax; ret 0_2_02165AE3
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E29D0D1 push ecx; ret 1_2_1E29D0E4
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565A66 push eax; ret 1_2_00565AE3
Source: C:\Windows\explorer.exe Code function: 4_2_07410B20 push cs; retf 4_2_07410BCA
Source: C:\Windows\explorer.exe Code function: 4_2_07411BF3 push 75CE108Ch; ret 4_2_07411BF8
Source: C:\Windows\explorer.exe Code function: 4_2_07415397 push ss; iretd 4_2_07415398
Source: C:\Windows\explorer.exe Code function: 4_2_07411998 push ss; retf 4_2_074119B6
Source: C:\Windows\explorer.exe Code function: 4_2_0741503B push ebx; retf 4_2_0741503C
Source: C:\Windows\explorer.exe Code function: 4_2_07411CD9 push cs; retf 4_2_07411CDA
Source: C:\Windows\explorer.exe Code function: 4_2_07412AEF push es; iretd 4_2_07412AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0446D0D1 push ecx; ret 13_2_0446D0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A583D push 0000003Fh; ret 13_2_001A5846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A533F push FFFFFF96h; ret 13_2_001A5344
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0019C32F push es; ret 13_2_0019C33F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001AB3D5 push eax; ret 13_2_001AB428
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001AB42B push eax; ret 13_2_001AB492
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001AB422 push eax; ret 13_2_001AB428
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001AB48C push eax; ret 13_2_001AB492
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A5CD9 push C872E20Ah; retf 13_2_001A5CDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001A5D64 push edx; ret 13_2_001A5D6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001ACE0D push ss; retf 13_2_001ACE19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0019CF58 push ecx; ret 13_2_0019CF59
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dwg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216587D LoadLibraryA, 0_2_0216587D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_0056587D LoadLibraryA, 1_2_0056587D
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 0000000002164B82 second address: 0000000002164B82 instructions:
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 00000000021604FB second address: 00000000021604FB instructions:
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 00000000021639B6 second address: 00000000021639B6 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\dwg.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\dwg.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\dwg.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\dwg.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dwg.exe, 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, dwg.exe, 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: dwg.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 0000000002162C75 second address: 0000000002162C75 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 test dl, FFFFFFCAh 0x00000013 div ecx 0x00000015 cmp edx, 00000000h 0x00000018 jne 00007F84D4958ECEh 0x0000001a dec ebx 0x0000001b xor edx, edx 0x0000001d clc 0x0000001e mov eax, ebx 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 0000000002164B82 second address: 0000000002164B82 instructions:
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 00000000021604FB second address: 00000000021604FB instructions:
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 00000000021639B6 second address: 00000000021639B6 instructions:
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 0000000000562C75 second address: 0000000000562C75 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 test dl, FFFFFFCAh 0x00000013 div ecx 0x00000015 cmp edx, 00000000h 0x00000018 jne 00007F84D4958ECEh 0x0000001a dec ebx 0x0000001b xor edx, edx 0x0000001d clc 0x0000001e mov eax, ebx 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dwg.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000001985F4 second address: 00000000001985FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000000019898E second address: 0000000000198994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216329B rdtsc 0_2_0216329B
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6728 Thread sleep time: -35000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000004.00000000.288554019.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: dwg.exe, 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, dwg.exe, 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: explorer.exe, 00000004.00000000.275549634.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.275599179.000000000374F000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.275611265.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.275599179.000000000374F000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmp Binary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA36
Source: dwg.exe, 00000001.00000003.269507023.0000000000A38000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.273584197.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.283148438.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: dwg.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\dwg.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216329B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12 0_2_0216329B
Hides threads from debuggers
Source: C:\Users\user\Desktop\dwg.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\dwg.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216329B rdtsc 0_2_0216329B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02163A2C LdrInitializeThunk, 0_2_02163A2C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02161E12 mov eax, dword ptr fs:[00000030h] 0_2_02161E12
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02164AB9 mov eax, dword ptr fs:[00000030h] 0_2_02164AB9
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02164F41 mov eax, dword ptr fs:[00000030h] 0_2_02164F41
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02161FF8 mov eax, dword ptr fs:[00000030h] 0_2_02161FF8
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02162C30 mov eax, dword ptr fs:[00000030h] 0_2_02162C30
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_0216587D mov eax, dword ptr fs:[00000030h] 0_2_0216587D
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02165866 mov eax, dword ptr fs:[00000030h] 0_2_02165866
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_021658D6 mov eax, dword ptr fs:[00000030h] 0_2_021658D6
Source: C:\Users\user\Desktop\dwg.exe Code function: 0_2_02161968 mov eax, dword ptr fs:[00000030h] 0_2_02161968
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24E620 mov eax, dword ptr fs:[00000030h] 1_2_1E24E620
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2FFE3F mov eax, dword ptr fs:[00000030h] 1_2_1E2FFE3F
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h] 1_2_1E24C600
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E278E00 mov eax, dword ptr fs:[00000030h] 1_2_1E278E00
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E301608 mov eax, dword ptr fs:[00000030h] 1_2_1E301608
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27A61C mov eax, dword ptr fs:[00000030h] 1_2_1E27A61C
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25766D mov eax, dword ptr fs:[00000030h] 1_2_1E25766D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E26AE73
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h] 1_2_1E257E41
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E30AE44
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C46A7 mov eax, dword ptr fs:[00000030h] 1_2_1E2C46A7
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E310EA5
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DFE87 mov eax, dword ptr fs:[00000030h] 1_2_1E2DFE87
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2716E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E2716E0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2576E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2576E2
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E318ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E318ED6
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2736CC mov eax, dword ptr fs:[00000030h] 1_2_1E2736CC
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2FFEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFEC0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E288EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E288EC7
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E244F2E mov eax, dword ptr fs:[00000030h] 1_2_1E244F2E
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27E730 mov eax, dword ptr fs:[00000030h] 1_2_1E27E730
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27A70E mov eax, dword ptr fs:[00000030h] 1_2_1E27A70E
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26F716 mov eax, dword ptr fs:[00000030h] 1_2_1E26F716
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E31070D mov eax, dword ptr fs:[00000030h] 1_2_1E31070D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E2DFF10
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25FF60 mov eax, dword ptr fs:[00000030h] 1_2_1E25FF60
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E318F6A mov eax, dword ptr fs:[00000030h] 1_2_1E318F6A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25EF40 mov eax, dword ptr fs:[00000030h] 1_2_1E25EF40
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E258794 mov eax, dword ptr fs:[00000030h] 1_2_1E258794
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2C7794
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2837F5 mov eax, dword ptr fs:[00000030h] 1_2_1E2837F5
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27BC2C mov eax, dword ptr fs:[00000030h] 1_2_1E27BC2C
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2C6C0A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h] 1_2_1E301C06
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h] 1_2_1E31740D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26746D mov eax, dword ptr fs:[00000030h] 1_2_1E26746D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27A44B mov eax, dword ptr fs:[00000030h] 1_2_1E27A44B
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DC450 mov eax, dword ptr fs:[00000030h] 1_2_1E2DC450
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25849B mov eax, dword ptr fs:[00000030h] 1_2_1E25849B
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3014FB mov eax, dword ptr fs:[00000030h] 1_2_1E3014FB
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2C6CF0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E318CD6 mov eax, dword ptr fs:[00000030h] 1_2_1E318CD6
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E318D34 mov eax, dword ptr fs:[00000030h] 1_2_1E318D34
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30E539 mov eax, dword ptr fs:[00000030h] 1_2_1E30E539
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h] 1_2_1E253D34
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24AD30 mov eax, dword ptr fs:[00000030h] 1_2_1E24AD30
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2CA537 mov eax, dword ptr fs:[00000030h] 1_2_1E2CA537
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h] 1_2_1E274D3B
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26C577 mov eax, dword ptr fs:[00000030h] 1_2_1E26C577
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E283D43 mov eax, dword ptr fs:[00000030h] 1_2_1E283D43
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C3540 mov eax, dword ptr fs:[00000030h] 1_2_1E2C3540
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2F3D40 mov eax, dword ptr fs:[00000030h] 1_2_1E2F3D40
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E267D50 mov eax, dword ptr fs:[00000030h] 1_2_1E267D50
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2735A1 mov eax, dword ptr fs:[00000030h] 1_2_1E2735A1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E271DB5
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3105AC mov eax, dword ptr fs:[00000030h] 1_2_1E3105AC
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h] 1_2_1E272581
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h] 1_2_1E242D8A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27FD9B mov eax, dword ptr fs:[00000030h] 1_2_1E27FD9B
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25D5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E25D5E0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E30FDE2
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2F8DF1 mov eax, dword ptr fs:[00000030h] 1_2_1E2F8DF1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2C6DC9
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_1E2C6DC9
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E284A2C mov eax, dword ptr fs:[00000030h] 1_2_1E284A2C
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E30AA16
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E258A0A mov eax, dword ptr fs:[00000030h] 1_2_1E258A0A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E24AA16
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h] 1_2_1E245210
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E245210 mov ecx, dword ptr fs:[00000030h] 1_2_1E245210
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E263A1C mov eax, dword ptr fs:[00000030h] 1_2_1E263A1C
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2FB260 mov eax, dword ptr fs:[00000030h] 1_2_1E2FB260
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E28927A mov eax, dword ptr fs:[00000030h] 1_2_1E28927A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E318A62 mov eax, dword ptr fs:[00000030h] 1_2_1E318A62
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h] 1_2_1E249240
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30EA55 mov eax, dword ptr fs:[00000030h] 1_2_1E30EA55
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2D4257 mov eax, dword ptr fs:[00000030h] 1_2_1E2D4257
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2452A5
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25AAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E25AAB0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27FAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E27FAB0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27D294 mov eax, dword ptr fs:[00000030h] 1_2_1E27D294
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E272AE4 mov eax, dword ptr fs:[00000030h] 1_2_1E272AE4
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E272ACB mov eax, dword ptr fs:[00000030h] 1_2_1E272ACB
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30131B mov eax, dword ptr fs:[00000030h] 1_2_1E30131B
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24DB60 mov ecx, dword ptr fs:[00000030h] 1_2_1E24DB60
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E273B7A mov eax, dword ptr fs:[00000030h] 1_2_1E273B7A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24DB40 mov eax, dword ptr fs:[00000030h] 1_2_1E24DB40
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E318B58 mov eax, dword ptr fs:[00000030h] 1_2_1E318B58
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24F358 mov eax, dword ptr fs:[00000030h] 1_2_1E24F358
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h] 1_2_1E274BAD
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E315BA5 mov eax, dword ptr fs:[00000030h] 1_2_1E315BA5
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E251B8F mov eax, dword ptr fs:[00000030h] 1_2_1E251B8F
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2FD380 mov ecx, dword ptr fs:[00000030h] 1_2_1E2FD380
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E272397 mov eax, dword ptr fs:[00000030h] 1_2_1E272397
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27B390 mov eax, dword ptr fs:[00000030h] 1_2_1E27B390
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E30138A mov eax, dword ptr fs:[00000030h] 1_2_1E30138A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2703E2
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26DBE9 mov eax, dword ptr fs:[00000030h] 1_2_1E26DBE9
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C53CA mov eax, dword ptr fs:[00000030h] 1_2_1E2C53CA
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h] 1_2_1E27002D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h] 1_2_1E25B02A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E314015 mov eax, dword ptr fs:[00000030h] 1_2_1E314015
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h] 1_2_1E2C7016
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E302073 mov eax, dword ptr fs:[00000030h] 1_2_1E302073
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E311074 mov eax, dword ptr fs:[00000030h] 1_2_1E311074
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E260050 mov eax, dword ptr fs:[00000030h] 1_2_1E260050
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E260050 mov eax, dword ptr fs:[00000030h] 1_2_1E260050
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2890AF mov eax, dword ptr fs:[00000030h] 1_2_1E2890AF
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2720A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27F0BF mov ecx, dword ptr fs:[00000030h] 1_2_1E27F0BF
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27F0BF mov eax, dword ptr fs:[00000030h] 1_2_1E27F0BF
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27F0BF mov eax, dword ptr fs:[00000030h] 1_2_1E27F0BF
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E249080 mov eax, dword ptr fs:[00000030h] 1_2_1E249080
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C3884 mov eax, dword ptr fs:[00000030h] 1_2_1E2C3884
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C3884 mov eax, dword ptr fs:[00000030h] 1_2_1E2C3884
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h] 1_2_1E2440E1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h] 1_2_1E2440E1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h] 1_2_1E2440E1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2458EC mov eax, dword ptr fs:[00000030h] 1_2_1E2458EC
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2DB8D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_1E2DB8D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2DB8D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2DB8D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2DB8D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2DB8D0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h] 1_2_1E264120
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h] 1_2_1E264120
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h] 1_2_1E264120
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h] 1_2_1E264120
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E264120 mov ecx, dword ptr fs:[00000030h] 1_2_1E264120
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27513A mov eax, dword ptr fs:[00000030h] 1_2_1E27513A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27513A mov eax, dword ptr fs:[00000030h] 1_2_1E27513A
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h] 1_2_1E249100
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h] 1_2_1E249100
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h] 1_2_1E249100
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24C962 mov eax, dword ptr fs:[00000030h] 1_2_1E24C962
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24B171 mov eax, dword ptr fs:[00000030h] 1_2_1E24B171
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24B171 mov eax, dword ptr fs:[00000030h] 1_2_1E24B171
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26B944 mov eax, dword ptr fs:[00000030h] 1_2_1E26B944
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26B944 mov eax, dword ptr fs:[00000030h] 1_2_1E26B944
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2761A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2761A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2761A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2761A0
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C69A6 mov eax, dword ptr fs:[00000030h] 1_2_1E2C69A6
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h] 1_2_1E2C51BE
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h] 1_2_1E2C51BE
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h] 1_2_1E2C51BE
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h] 1_2_1E2C51BE
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h] 1_2_1E3049A4
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h] 1_2_1E3049A4
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h] 1_2_1E3049A4
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h] 1_2_1E3049A4
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E27A185 mov eax, dword ptr fs:[00000030h] 1_2_1E27A185
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E26C182 mov eax, dword ptr fs:[00000030h] 1_2_1E26C182
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E272990 mov eax, dword ptr fs:[00000030h] 1_2_1E272990
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E2D41E8 mov eax, dword ptr fs:[00000030h] 1_2_1E2D41E8
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h] 1_2_1E24B1E1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h] 1_2_1E24B1E1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h] 1_2_1E24B1E1
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_0056587D mov eax, dword ptr fs:[00000030h] 1_2_0056587D
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00565866 mov eax, dword ptr fs:[00000030h] 1_2_00565866
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_005658D6 mov eax, dword ptr fs:[00000030h] 1_2_005658D6
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00564AB9 mov eax, dword ptr fs:[00000030h] 1_2_00564AB9
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00564F41 mov eax, dword ptr fs:[00000030h] 1_2_00564F41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444A44B mov eax, dword ptr fs:[00000030h] 13_2_0444A44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AC450 mov eax, dword ptr fs:[00000030h] 13_2_044AC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AC450 mov eax, dword ptr fs:[00000030h] 13_2_044AC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443746D mov eax, dword ptr fs:[00000030h] 13_2_0443746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E740D mov eax, dword ptr fs:[00000030h] 13_2_044E740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E740D mov eax, dword ptr fs:[00000030h] 13_2_044E740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E740D mov eax, dword ptr fs:[00000030h] 13_2_044E740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h] 13_2_04496C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h] 13_2_04496C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h] 13_2_04496C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h] 13_2_04496C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h] 13_2_044D1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444BC2C mov eax, dword ptr fs:[00000030h] 13_2_0444BC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E8CD6 mov eax, dword ptr fs:[00000030h] 13_2_044E8CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D14FB mov eax, dword ptr fs:[00000030h] 13_2_044D14FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h] 13_2_04496CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h] 13_2_04496CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h] 13_2_04496CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442849B mov eax, dword ptr fs:[00000030h] 13_2_0442849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04453D43 mov eax, dword ptr fs:[00000030h] 13_2_04453D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04493540 mov eax, dword ptr fs:[00000030h] 13_2_04493540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044C3D40 mov eax, dword ptr fs:[00000030h] 13_2_044C3D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04437D50 mov eax, dword ptr fs:[00000030h] 13_2_04437D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443C577 mov eax, dword ptr fs:[00000030h] 13_2_0443C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443C577 mov eax, dword ptr fs:[00000030h] 13_2_0443C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441AD30 mov eax, dword ptr fs:[00000030h] 13_2_0441AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DE539 mov eax, dword ptr fs:[00000030h] 13_2_044DE539
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h] 13_2_04423D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E8D34 mov eax, dword ptr fs:[00000030h] 13_2_044E8D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0449A537 mov eax, dword ptr fs:[00000030h] 13_2_0449A537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h] 13_2_04444D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h] 13_2_04444D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h] 13_2_04444D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h] 13_2_04496DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h] 13_2_04496DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h] 13_2_04496DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496DC9 mov ecx, dword ptr fs:[00000030h] 13_2_04496DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h] 13_2_04496DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h] 13_2_04496DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0442D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0442D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_044DFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_044DFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_044DFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_044DFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044C8DF1 mov eax, dword ptr fs:[00000030h] 13_2_044C8DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04442581 mov eax, dword ptr fs:[00000030h] 13_2_04442581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04442581 mov eax, dword ptr fs:[00000030h] 13_2_04442581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04442581 mov eax, dword ptr fs:[00000030h] 13_2_04442581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04442581 mov eax, dword ptr fs:[00000030h] 13_2_04442581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h] 13_2_04412D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h] 13_2_04412D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h] 13_2_04412D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h] 13_2_04412D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h] 13_2_04412D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444FD9B mov eax, dword ptr fs:[00000030h] 13_2_0444FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444FD9B mov eax, dword ptr fs:[00000030h] 13_2_0444FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E05AC mov eax, dword ptr fs:[00000030h] 13_2_044E05AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E05AC mov eax, dword ptr fs:[00000030h] 13_2_044E05AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044435A1 mov eax, dword ptr fs:[00000030h] 13_2_044435A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h] 13_2_04441DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h] 13_2_04441DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h] 13_2_04441DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h] 13_2_04427E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h] 13_2_04427E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h] 13_2_04427E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h] 13_2_04427E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h] 13_2_04427E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h] 13_2_04427E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DAE44 mov eax, dword ptr fs:[00000030h] 13_2_044DAE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044DAE44 mov eax, dword ptr fs:[00000030h] 13_2_044DAE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442766D mov eax, dword ptr fs:[00000030h] 13_2_0442766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h] 13_2_0443AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h] 13_2_0443AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h] 13_2_0443AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h] 13_2_0443AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h] 13_2_0443AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h] 13_2_0441C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h] 13_2_0441C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h] 13_2_0441C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04448E00 mov eax, dword ptr fs:[00000030h] 13_2_04448E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D1608 mov eax, dword ptr fs:[00000030h] 13_2_044D1608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444A61C mov eax, dword ptr fs:[00000030h] 13_2_0444A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444A61C mov eax, dword ptr fs:[00000030h] 13_2_0444A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441E620 mov eax, dword ptr fs:[00000030h] 13_2_0441E620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044CFE3F mov eax, dword ptr fs:[00000030h] 13_2_044CFE3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04458EC7 mov eax, dword ptr fs:[00000030h] 13_2_04458EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044436CC mov eax, dword ptr fs:[00000030h] 13_2_044436CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044CFEC0 mov eax, dword ptr fs:[00000030h] 13_2_044CFEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E8ED6 mov eax, dword ptr fs:[00000030h] 13_2_044E8ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044276E2 mov eax, dword ptr fs:[00000030h] 13_2_044276E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044416E0 mov ecx, dword ptr fs:[00000030h] 13_2_044416E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AFE87 mov eax, dword ptr fs:[00000030h] 13_2_044AFE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h] 13_2_044E0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h] 13_2_044E0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h] 13_2_044E0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044946A7 mov eax, dword ptr fs:[00000030h] 13_2_044946A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442EF40 mov eax, dword ptr fs:[00000030h] 13_2_0442EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442FF60 mov eax, dword ptr fs:[00000030h] 13_2_0442FF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E8F6A mov eax, dword ptr fs:[00000030h] 13_2_044E8F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E070D mov eax, dword ptr fs:[00000030h] 13_2_044E070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E070D mov eax, dword ptr fs:[00000030h] 13_2_044E070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444A70E mov eax, dword ptr fs:[00000030h] 13_2_0444A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444A70E mov eax, dword ptr fs:[00000030h] 13_2_0444A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443F716 mov eax, dword ptr fs:[00000030h] 13_2_0443F716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AFF10 mov eax, dword ptr fs:[00000030h] 13_2_044AFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AFF10 mov eax, dword ptr fs:[00000030h] 13_2_044AFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04414F2E mov eax, dword ptr fs:[00000030h] 13_2_04414F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04414F2E mov eax, dword ptr fs:[00000030h] 13_2_04414F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444E730 mov eax, dword ptr fs:[00000030h] 13_2_0444E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044537F5 mov eax, dword ptr fs:[00000030h] 13_2_044537F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428794 mov eax, dword ptr fs:[00000030h] 13_2_04428794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04497794 mov eax, dword ptr fs:[00000030h] 13_2_04497794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04497794 mov eax, dword ptr fs:[00000030h] 13_2_04497794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04497794 mov eax, dword ptr fs:[00000030h] 13_2_04497794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04430050 mov eax, dword ptr fs:[00000030h] 13_2_04430050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04430050 mov eax, dword ptr fs:[00000030h] 13_2_04430050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E1074 mov eax, dword ptr fs:[00000030h] 13_2_044E1074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D2073 mov eax, dword ptr fs:[00000030h] 13_2_044D2073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E4015 mov eax, dword ptr fs:[00000030h] 13_2_044E4015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044E4015 mov eax, dword ptr fs:[00000030h] 13_2_044E4015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04497016 mov eax, dword ptr fs:[00000030h] 13_2_04497016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04497016 mov eax, dword ptr fs:[00000030h] 13_2_04497016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04497016 mov eax, dword ptr fs:[00000030h] 13_2_04497016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h] 13_2_0442B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h] 13_2_0442B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h] 13_2_0442B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h] 13_2_0442B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444002D mov eax, dword ptr fs:[00000030h] 13_2_0444002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444002D mov eax, dword ptr fs:[00000030h] 13_2_0444002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444002D mov eax, dword ptr fs:[00000030h] 13_2_0444002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444002D mov eax, dword ptr fs:[00000030h] 13_2_0444002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444002D mov eax, dword ptr fs:[00000030h] 13_2_0444002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h] 13_2_0443A830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h] 13_2_0443A830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h] 13_2_0443A830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h] 13_2_0443A830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 13_2_044AB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AB8D0 mov ecx, dword ptr fs:[00000030h] 13_2_044AB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 13_2_044AB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 13_2_044AB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 13_2_044AB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 13_2_044AB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h] 13_2_044140E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h] 13_2_044140E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h] 13_2_044140E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044158EC mov eax, dword ptr fs:[00000030h] 13_2_044158EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04419080 mov eax, dword ptr fs:[00000030h] 13_2_04419080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04493884 mov eax, dword ptr fs:[00000030h] 13_2_04493884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04493884 mov eax, dword ptr fs:[00000030h] 13_2_04493884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h] 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h] 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h] 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h] 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h] 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h] 13_2_044420A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044590AF mov eax, dword ptr fs:[00000030h] 13_2_044590AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444F0BF mov ecx, dword ptr fs:[00000030h] 13_2_0444F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444F0BF mov eax, dword ptr fs:[00000030h] 13_2_0444F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444F0BF mov eax, dword ptr fs:[00000030h] 13_2_0444F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443B944 mov eax, dword ptr fs:[00000030h] 13_2_0443B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443B944 mov eax, dword ptr fs:[00000030h] 13_2_0443B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441C962 mov eax, dword ptr fs:[00000030h] 13_2_0441C962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441B171 mov eax, dword ptr fs:[00000030h] 13_2_0441B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441B171 mov eax, dword ptr fs:[00000030h] 13_2_0441B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04419100 mov eax, dword ptr fs:[00000030h] 13_2_04419100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04419100 mov eax, dword ptr fs:[00000030h] 13_2_04419100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04419100 mov eax, dword ptr fs:[00000030h] 13_2_04419100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04434120 mov eax, dword ptr fs:[00000030h] 13_2_04434120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04434120 mov eax, dword ptr fs:[00000030h] 13_2_04434120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04434120 mov eax, dword ptr fs:[00000030h] 13_2_04434120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04434120 mov eax, dword ptr fs:[00000030h] 13_2_04434120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04434120 mov ecx, dword ptr fs:[00000030h] 13_2_04434120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444513A mov eax, dword ptr fs:[00000030h] 13_2_0444513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444513A mov eax, dword ptr fs:[00000030h] 13_2_0444513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0441B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0441B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0441B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044A41E8 mov eax, dword ptr fs:[00000030h] 13_2_044A41E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0443C182 mov eax, dword ptr fs:[00000030h] 13_2_0443C182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0444A185 mov eax, dword ptr fs:[00000030h] 13_2_0444A185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04442990 mov eax, dword ptr fs:[00000030h] 13_2_04442990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044461A0 mov eax, dword ptr fs:[00000030h] 13_2_044461A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044461A0 mov eax, dword ptr fs:[00000030h] 13_2_044461A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h] 13_2_044D49A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h] 13_2_044D49A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h] 13_2_044D49A4
Enables debug privileges
Source: C:\Users\user\Desktop\dwg.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 94.136.40.51 80
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Network Connect: 146.148.189.216 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 104.21.56.93 80
Source: C:\Windows\explorer.exe Network Connect: 47.110.53.154 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\dwg.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\dwg.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\dwg.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\dwg.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\dwg.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\dwg.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: A90000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dwg.exe Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
Source: explorer.exe, 00000004.00000000.284110577.0000000005EA0000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.273519346.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00564B00 cpuid 1_2_00564B00

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph (ID: 358411, Sample: dwg.exe, Startdate: 25/02/2021, Architecture: WINDOWS, Score: 100; graph image not recoverable, text summary only): the start node carries www.qionglaizhan.com and the signatures Snort IDS alert for network traffic, Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file and 5 other signatures. dwg.exe (CPUID hardware virtualization detection, RDTSC dummy instruction sequence, Tries to detect Any.run, 3 other signatures) starts a second dwg.exe, which connects to 45.153.203.33, 49716, 80 (NETLABFR, Netherlands), modifies the context of a thread in another process, tries to detect Any.run, maps a DLL or memory area into another process (3 other signatures) and injects into explorer.exe. explorer.exe contacts www.guillemaudexcellenceauto.com (146.148.189.216, 49733, 80, HENGTONG-IDC-LLCUS, United States), delmarranch.com (34.102.136.180, 49727, 80, GOOGLEUS, United States) and 11 other IPs or domains (System process connects to network) and starts rundll32.exe, which modifies the context of a thread in another process, maps a DLL or memory area into another process, tries to detect virtualization through RDTSC time measurements and starts cmd.exe, which starts conhost.exe.

Contacted Public IPs

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 192.0.78.25 | unknown | United States | 2635 | AUTOMATTICUS | true |
| 146.148.189.216 | unknown | United States | 26658 | HENGTONG-IDC-LLCUS | true |
| 23.227.38.74 | unknown | Canada | 13335 | CLOUDFLARENETUS | true |
| 34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true |
| 104.21.56.93 | unknown | United States | 13335 | CLOUDFLARENETUS | true |
| 45.153.203.33 | unknown | Netherlands | 35251 | NETLABFR | true |
| 94.136.40.51 | unknown | United Kingdom | 20738 | GD-EMEA-DC-LD5GB | true |
| 47.110.53.154 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true |

Contacted Domains

| Name | IP | Active |
|---|---|---|
| delmarranch.com | 34.102.136.180 | true |
| www.qionglaizhan.com | 47.110.53.154 | true |
| www.apkiinsurance.com | 104.21.56.93 | true |
| www.guillemaudexcellenceauto.com | 146.148.189.216 | true |
| www.thakehamwesthorsley.com | 94.136.40.51 | true |
| www.karatetheokinawaway.com | 94.136.40.51 | true |
| shops.myshopify.com | 23.227.38.74 | true |
| bestcroissantinlondon.com | 192.0.78.25 | true |
| www.buytgp.com | unknown | unknown |
| www.scriptureonhealing.com | unknown | unknown |
| www.youridealworld.com | unknown | unknown |
| www.delmarranch.com | unknown | unknown |
| www.bestcroissantinlondon.com | unknown | unknown |

Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://www.thakehamwesthorsley.com/gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 | true | Avira URL Cloud: safe | unknown |
| http://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 | true | Avira URL Cloud: safe | unknown |
| http://www.buytgp.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca | true | Avira URL Cloud: safe | unknown |
| http://www.karatetheokinawaway.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA | true | Avira URL Cloud: safe | unknown |
| http://www.bestcroissantinlondon.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS | true | Avira URL Cloud: safe | unknown |
| http://45.153.203.33/mb.bin | true | Avira URL Cloud: safe | unknown |
| http://www.delmarranch.com/gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 | true | Avira URL Cloud: safe | unknown |
| http://www.guillemaudexcellenceauto.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt | true | Avira URL Cloud: safe | unknown |