Windows Analysis Report DWG.exe

Overview

General Information

Sample Name: DWG.exe
Analysis ID: 510733
MD5: ff882802d113ed02fa070c496f89d797
SHA1: aad1eed1c53f1d33ab52e13442b036bfeee91f1b
SHA256: 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.elsist.online/xzes/"], "decoy": ["dent-works.com", "theravewizards.com", "venkataramanagraphics.com", "overway.store", "alignatura.com", "boggbogs.com", "senerants.tech", "muintel.net", "bestplacementconsultancy.com", "trippresso.com", "communication.services", "xn--maraaestudio-dhb.com", "beandhira.com", "lochnas.com", "update-mind.com", "cpcacursos.com", "metaverse-coaching.com", "skindefense5.com", "distressedthenblessed.com", "alphaore.com", "extrobility.com", "sandyanmax.com", "jntycy.com", "becomingalice.com", "printyourdays.com", "fallet-official.com", "hcbg.online", "era575.com", "dalainstitute.info", "7looks-mocha-totalbeauty.com", "spydasec.com", "vote4simone.net", "cannabeeswax.com", "coalitionloop.com", "skywalkerpressonline.com", "healthybalancedliving.com", "mylistg.com", "bookbqconspicuous.com", "mylyk.net", "mylindiss.com", "xn--80akukchh.xn--80asehdb", "captekbrasil.com", "joannhydeyoga.com", "monenee.xyz", "nishantmohapatra.com", "mindbodyweightlossmethod.com", "sxjcfw.com", "wilbertluna.com", "inclutel.com", "knowsyourdream.com", "uk-gaming.com", "maihengkeji.online", "fragrant-nest.com", "ubfodessa.com", "vipinindustries.com", "narcozland.com", "heros-coaching.com", "austeregomrqg.xyz", "eleonoritalia.com", "publiccoins.online", "dashmints.com", "thebrandstudiointernational.com", "thaikindee.com", "punkidz.com"]}
Multi AV Scanner detection for submitted file
Source: DWG.exe Virustotal: Detection: 50%
Source: DWG.exe ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: DWG.exe Avira: detected
Machine Learning detection for sample
Source: DWG.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.DWG.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.svchost.exe.900000.1.unpack Avira: Label: TR/Patched.Gen
Source: 5.0.DWG.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DWG.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.svchost.exe.3c3796c.4.unpack Avira: Label: TR/Patched.Gen

Compliance:

Uses 32bit PE files
Source: DWG.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DWG.exe, svchost.exe
Source: Binary string: svchost.pdb source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source: Binary string: svchost.pdbUGP source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00436310 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00436310
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00449B06 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00449B06

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DWG.exe Code function: 4x nop then pop edi 5_2_0040C37A
Source: C:\Users\user\Desktop\DWG.exe Code function: 4x nop then pop edi 5_2_0040C3CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 10_2_02F1C3CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 10_2_02F1C37A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.hcbg.online
Source: C:\Windows\explorer.exe Domain query: www.knowsyourdream.com
Source: C:\Windows\explorer.exe Network Connect: 198.187.31.159 80
Source: C:\Windows\explorer.exe Network Connect: 154.216.113.38 80
Source: C:\Windows\explorer.exe Domain query: www.jntycy.com
Source: C:\Windows\explorer.exe Domain query: www.publiccoins.online
Source: C:\Windows\explorer.exe Domain query: www.theravewizards.com
Source: C:\Windows\explorer.exe Domain query: www.thebrandstudiointernational.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe Network Connect: 5.157.87.204 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.elsist.online/xzes/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE HTTP/1.1 Host: www.jntycy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB HTTP/1.1 Host: www.publiccoins.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt HTTP/1.1 Host: www.thebrandstudiointernational.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt HTTP/1.1 Host: www.theravewizards.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.187.31.159 198.187.31.159
Source: Joe Sandbox View IP Address: 198.54.117.215 198.54.117.215
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000006.00000000.367204188.000000000EEB1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp String found in binary or memory: https://www.yourhosting.nl/parkeerpagina.html
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: unknown DNS traffic detected: queries for: www.jntycy.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00446387 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00446387
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00448BC4 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00448BC4

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: DWG.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00457B08 0_2_00457B08
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00424075 0_2_00424075
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00423006 0_2_00423006
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00423204 0_2_00423204
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00425326 0_2_00425326
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004234B8 0_2_004234B8
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00443530 0_2_00443530
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00445718 0_2_00445718
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004238CF 0_2_004238CF
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00439891 0_2_00439891
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004249F1 0_2_004249F1
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00423A87 0_2_00423A87
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00423C50 0_2_00423C50
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043ED67 0_2_0043ED67
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00425D9C 0_2_00425D9C
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00421E34 0_2_00421E34
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00426F68 0_2_00426F68
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00427F39 0_2_00427F39
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041C9C9 5_2_0041C9C9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041C98E 5_2_0041C98E
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041BA57 5_2_0041BA57
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00401208 5_2_00401208
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00408C80 5_2_00408C80
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041CFA3 5_2_0041CFA3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B420A8 5_2_00B420A8
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B090 5_2_00A8B090
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B428EC 5_2_00B428EC
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4E824 5_2_00B4E824
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31002 5_2_00B31002
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7F900 5_2_00A7F900
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B422AE 5_2_00B422AE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2FA2B 5_2_00B2FA2B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAEBB0 5_2_00AAEBB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3DBD2 5_2_00B3DBD2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B303DA 5_2_00B303DA
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAABD8 5_2_00AAABD8
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B42B28 5_2_00B42B28
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9AB40 5_2_00A9AB40
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8841F 5_2_00A8841F
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3D466 5_2_00B3D466
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2581 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8D5E0 5_2_00A8D5E0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B425DD 5_2_00B425DD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A70D20 5_2_00A70D20
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B42D07 5_2_00B42D07
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B41D55 5_2_00B41D55
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B42EF7 5_2_00B42EF7
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A96E30 5_2_00A96E30
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3D616 5_2_00B3D616
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B41FF1 5_2_00B41FF1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4DFCE 5_2_00B4DFCE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037CCB4F 10_2_037CCB4F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374AB40 10_2_0374AB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F2B28 10_2_037F2B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037D23E3 10_2_037D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E03DA 10_2_037E03DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037EDBD2 10_2_037EDBD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375ABD8 10_2_0375ABD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375EBB0 10_2_0375EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375138B 10_2_0375138B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037DFA2B 10_2_037DFA2B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F22AE 10_2_037F22AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03744120 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372F900 10_2_0372F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037499BF 10_2_037499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A830 10_2_0374A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037FE824 10_2_037FE824
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E1002 10_2_037E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F28EC 10_2_037F28EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037520A0 10_2_037520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F20A8 10_2_037F20A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0373B090 10_2_0373B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F1FF1 10_2_037F1FF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037FDFCE 10_2_037FDFCE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03746E30 10_2_03746E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037ED616 10_2_037ED616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F2EF7 10_2_037F2EF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F1D55 10_2_037F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03720D20 10_2_03720D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F2D07 10_2_037F2D07
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0373D5E0 10_2_0373D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F25DD 10_2_037F25DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03752581 10_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E2D82 10_2_037E2D82
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B477 10_2_0374B477
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037ED466 10_2_037ED466
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0373841F 10_2_0373841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4496 10_2_037E4496
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2C9C9 10_2_02F2C9C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2C98E 10_2_02F2C98E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F12FB0 10_2_02F12FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2CFA3 10_2_02F2CFA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F18C80 10_2_02F18C80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F12D90 10_2_02F12D90
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\DWG.exe Code function: String function: 0043691C appears 124 times
Source: C:\Users\user\Desktop\DWG.exe Code function: String function: 00A7B150 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0372B150 appears 136 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00457368 NtAllocateVirtualMemory, 0_2_00457368
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045B4DD NtTerminateProcess, 0_2_0045B4DD
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004574D8 NtCreateFile, 0_2_004574D8
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045D728 NtCreateFile,NtCreateSection,NtMapViewOfSection, 0_2_0045D728
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045D928 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose, 0_2_0045D928
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004579E8 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose, 0_2_004579E8
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00458A28 NtWriteFile,NtCreateSection,NtClose, 0_2_00458A28
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00457B08 CreateProcessInternalW,NtQueryInformationProcess,NtUnmapViewOfSection,NtMapViewOfSection,NtGetContextThread,NtSetContextThread,NtWriteVirtualMemory,NtResumeThread,NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 0_2_00457B08
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00458097 NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 0_2_00458097
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045838A NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 0_2_0045838A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004185E0 NtCreateFile, 5_2_004185E0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00418690 NtReadFile, 5_2_00418690
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00418710 NtClose, 5_2_00418710
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory, 5_2_004187C0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041883A NtAllocateVirtualMemory, 5_2_0041883A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004185DA NtCreateFile, 5_2_004185DA
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00418632 NtCreateFile, 5_2_00418632
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041868C NtReadFile, 5_2_0041868C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041870B NtClose, 5_2_0041870B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00AB98F0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00AB9860
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9840 NtDelayExecution,LdrInitializeThunk, 5_2_00AB9840
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB99A0 NtCreateSection,LdrInitializeThunk, 5_2_00AB99A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00AB9910
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9A20 NtResumeThread,LdrInitializeThunk, 5_2_00AB9A20
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00AB9A00
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9A50 NtCreateFile,LdrInitializeThunk, 5_2_00AB9A50
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB95D0 NtClose,LdrInitializeThunk, 5_2_00AB95D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9540 NtReadFile,LdrInitializeThunk, 5_2_00AB9540
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00AB96E0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00AB9660
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00AB97A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_00AB9780
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk, 5_2_00AB9FE0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_00AB9710
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB98A0 NtWriteVirtualMemory, 5_2_00AB98A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9820 NtEnumerateKey, 5_2_00AB9820
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00ABB040 NtSuspendThread, 5_2_00ABB040
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB99D0 NtCreateProcessEx, 5_2_00AB99D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9950 NtQueueApcThread, 5_2_00AB9950
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9A80 NtOpenDirectoryObject, 5_2_00AB9A80
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9A10 NtQuerySection, 5_2_00AB9A10
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00ABA3B0 NtGetContextThread, 5_2_00ABA3B0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9B00 NtSetValueKey, 5_2_00AB9B00
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB95F0 NtQueryInformationFile, 5_2_00AB95F0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9520 NtWaitForSingleObject, 5_2_00AB9520
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00ABAD30 NtSetContextThread, 5_2_00ABAD30
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9560 NtWriteFile, 5_2_00AB9560
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB96D0 NtCreateKey, 5_2_00AB96D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9610 NtEnumerateValueKey, 5_2_00AB9610
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9670 NtQueryInformationProcess, 5_2_00AB9670
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9650 NtQueryValueKey, 5_2_00AB9650
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9730 NtQueryVirtualMemory, 5_2_00AB9730
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00ABA710 NtOpenProcessToken, 5_2_00ABA710
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9760 NtOpenProcess, 5_2_00AB9760
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB9770 NtSetInformationFile, 5_2_00AB9770
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00ABA770 NtOpenThread, 5_2_00ABA770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769A50 NtCreateFile,LdrInitializeThunk, 10_2_03769A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_03769910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037699A0 NtCreateSection,LdrInitializeThunk, 10_2_037699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_03769860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769840 NtDelayExecution,LdrInitializeThunk, 10_2_03769840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769710 NtQueryInformationToken,LdrInitializeThunk, 10_2_03769710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769FE0 NtCreateMutant,LdrInitializeThunk, 10_2_03769FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769780 NtMapViewOfSection,LdrInitializeThunk, 10_2_03769780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_03769660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769650 NtQueryValueKey,LdrInitializeThunk, 10_2_03769650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037696E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_037696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037696D0 NtCreateKey,LdrInitializeThunk, 10_2_037696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769540 NtReadFile,LdrInitializeThunk, 10_2_03769540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037695D0 NtClose,LdrInitializeThunk, 10_2_037695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769B00 NtSetValueKey, 10_2_03769B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0376A3B0 NtGetContextThread, 10_2_0376A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769A20 NtResumeThread, 10_2_03769A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769A10 NtQuerySection, 10_2_03769A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769A00 NtProtectVirtualMemory, 10_2_03769A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769A80 NtOpenDirectoryObject, 10_2_03769A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769950 NtQueueApcThread, 10_2_03769950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037699D0 NtCreateProcessEx, 10_2_037699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0376B040 NtSuspendThread, 10_2_0376B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769820 NtEnumerateKey, 10_2_03769820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037698F0 NtReadVirtualMemory, 10_2_037698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037698A0 NtWriteVirtualMemory, 10_2_037698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0376A770 NtOpenThread, 10_2_0376A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769770 NtSetInformationFile, 10_2_03769770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769760 NtOpenProcess, 10_2_03769760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769730 NtQueryVirtualMemory, 10_2_03769730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0376A710 NtOpenProcessToken, 10_2_0376A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037697A0 NtUnmapViewOfSection, 10_2_037697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769670 NtQueryInformationProcess, 10_2_03769670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769610 NtEnumerateValueKey, 10_2_03769610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769560 NtWriteFile, 10_2_03769560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0376AD30 NtSetContextThread, 10_2_0376AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03769520 NtWaitForSingleObject, 10_2_03769520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037695F0 NtQueryInformationFile, 10_2_037695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F28690 NtReadFile, 10_2_02F28690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F287C0 NtAllocateVirtualMemory, 10_2_02F287C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F28710 NtClose, 10_2_02F28710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F285E0 NtCreateFile, 10_2_02F285E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2883A NtAllocateVirtualMemory, 10_2_02F2883A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2868C NtReadFile, 10_2_02F2868C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F28632 NtCreateFile, 10_2_02F28632
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2870B NtClose, 10_2_02F2870B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F285DA NtCreateFile, 10_2_02F285DA
Sample file is different than original file name gathered from version info
Source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs DWG.exe
Source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DWG.exe
Source: DWG.exe Virustotal: Detection: 50%
Source: DWG.exe ReversingLabs: Detection: 37%
Source: DWG.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DWG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DWG.exe 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Users\user\Desktop\DWG.exe Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\DWG.exe File created: C:\Users\user\AppData\Local\Temp\Cielert.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@10/4
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00401593 GetDiskFreeSpaceExA, 0_2_00401593
Source: DWG.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00448223 FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_00448223
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DWG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DWG.exe, svchost.exe
Source: Binary string: svchost.pdb source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source: Binary string: svchost.pdbUGP source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004352E0 push eax; ret 0_2_0043530E
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00461801 push ecx; iretd 0_2_00461833
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043691C push eax; ret 0_2_0043693A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041B822 push eax; ret 5_2_0041B828
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041B82B push eax; ret 5_2_0041B892
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041B88C push eax; ret 5_2_0041B892
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004153DF pushfd ; iretd 5_2_004153E5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004195E8 push eax; retf 5_2_004195EF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00ACD0D1 push ecx; ret 5_2_00ACD0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0377D0D1 push ecx; ret 10_2_0377D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F253DF pushfd ; iretd 10_2_02F253E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2B88C push eax; ret 10_2_02F2B892
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2B822 push eax; ret 10_2_02F2B828
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2B82B push eax; ret 10_2_02F2B892
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F2B7D5 push eax; ret 10_2_02F2B828
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_02F295E8 push eax; retf 10_2_02F295EF
PE file contains sections with non-standard names
Source: DWG.exe Static PE information: section name: .zrjfv
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043E8B9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0043E8B9

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del 'C:\Users\user\Desktop\DWG.exe'
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0042D406 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0042D406
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00441490 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 0_2_00441490
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00411790 IsIconic, 0_2_00411790
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00440CE0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_00440CE0
Source: C:\Users\user\Desktop\DWG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DWG.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DWG.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002F18604 second address: 0000000002F1860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002F1899E second address: 0000000002F189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\svchost.exe TID: 4740 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Source: C:\Users\user\Desktop\DWG.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00436310 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00436310
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00449B06 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00449B06
Source: explorer.exe, 00000006.00000000.367292686.000000000EF3D000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.365065099.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.346085496.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.346085496.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000006.00000000.333633264.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}stemRoo
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043E8B9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0043E8B9
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\DWG.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004592D8 mov ecx, dword ptr fs:[00000030h] 0_2_004592D8
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DA58 mov eax, dword ptr fs:[00000030h] 0_2_0045DA58
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DA68 mov eax, dword ptr fs:[00000030h] 0_2_0045DA68
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DA88 mov eax, dword ptr fs:[00000030h] 0_2_0045DA88
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DB28 mov eax, dword ptr fs:[00000030h] 0_2_0045DB28
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DDF8 mov eax, dword ptr fs:[00000030h] 0_2_0045DDF8
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB90AF mov eax, dword ptr fs:[00000030h] 5_2_00AB90AF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAF0BF mov ecx, dword ptr fs:[00000030h] 5_2_00AAF0BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAF0BF mov eax, dword ptr fs:[00000030h] 5_2_00AAF0BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAF0BF mov eax, dword ptr fs:[00000030h] 5_2_00AAF0BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79080 mov eax, dword ptr fs:[00000030h] 5_2_00A79080
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF3884 mov eax, dword ptr fs:[00000030h] 5_2_00AF3884
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF3884 mov eax, dword ptr fs:[00000030h] 5_2_00AF3884
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h] 5_2_00A740E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h] 5_2_00A740E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h] 5_2_00A740E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A758EC mov eax, dword ptr fs:[00000030h] 5_2_00A758EC
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B8E4 mov eax, dword ptr fs:[00000030h] 5_2_00A9B8E4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B8E4 mov eax, dword ptr fs:[00000030h] 5_2_00A9B8E4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B44015 mov eax, dword ptr fs:[00000030h] 5_2_00B44015
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B44015 mov eax, dword ptr fs:[00000030h] 5_2_00B44015
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h] 5_2_00AF7016
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h] 5_2_00AF7016
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h] 5_2_00AF7016
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B32073 mov eax, dword ptr fs:[00000030h] 5_2_00B32073
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B41074 mov eax, dword ptr fs:[00000030h] 5_2_00B41074
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A90050 mov eax, dword ptr fs:[00000030h] 5_2_00A90050
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A90050 mov eax, dword ptr fs:[00000030h] 5_2_00A90050
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF69A6 mov eax, dword ptr fs:[00000030h] 5_2_00AF69A6
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA61A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA61A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA61A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA61A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9C182 mov eax, dword ptr fs:[00000030h] 5_2_00A9C182
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA185 mov eax, dword ptr fs:[00000030h] 5_2_00AAA185
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2990 mov eax, dword ptr fs:[00000030h] 5_2_00AA2990
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00A7B1E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00A7B1E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00A7B1E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B041E8 mov eax, dword ptr fs:[00000030h] 5_2_00B041E8
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov ecx, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA513A mov eax, dword ptr fs:[00000030h] 5_2_00AA513A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA513A mov eax, dword ptr fs:[00000030h] 5_2_00AA513A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h] 5_2_00A79100
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h] 5_2_00A79100
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h] 5_2_00A79100
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7C962 mov eax, dword ptr fs:[00000030h] 5_2_00A7C962
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B171 mov eax, dword ptr fs:[00000030h] 5_2_00A7B171
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B171 mov eax, dword ptr fs:[00000030h] 5_2_00A7B171
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B944 mov eax, dword ptr fs:[00000030h] 5_2_00A9B944
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B944 mov eax, dword ptr fs:[00000030h] 5_2_00A9B944
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_00A8AAB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_00A8AAB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAFAB0 mov eax, dword ptr fs:[00000030h] 5_2_00AAFAB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAD294 mov eax, dword ptr fs:[00000030h] 5_2_00AAD294
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAD294 mov eax, dword ptr fs:[00000030h] 5_2_00AAD294
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2AE4 mov eax, dword ptr fs:[00000030h] 5_2_00AA2AE4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2ACB mov eax, dword ptr fs:[00000030h] 5_2_00AA2ACB
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB4A2C mov eax, dword ptr fs:[00000030h] 5_2_00AB4A2C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB4A2C mov eax, dword ptr fs:[00000030h] 5_2_00AB4A2C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A88A0A mov eax, dword ptr fs:[00000030h] 5_2_00A88A0A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3AA16 mov eax, dword ptr fs:[00000030h] 5_2_00B3AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3AA16 mov eax, dword ptr fs:[00000030h] 5_2_00B3AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7AA16 mov eax, dword ptr fs:[00000030h] 5_2_00A7AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7AA16 mov eax, dword ptr fs:[00000030h] 5_2_00A7AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A93A1C mov eax, dword ptr fs:[00000030h] 5_2_00A93A1C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov ecx, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB927A mov eax, dword ptr fs:[00000030h] 5_2_00AB927A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2B260 mov eax, dword ptr fs:[00000030h] 5_2_00B2B260
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2B260 mov eax, dword ptr fs:[00000030h] 5_2_00B2B260
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48A62 mov eax, dword ptr fs:[00000030h] 5_2_00B48A62
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3EA55 mov eax, dword ptr fs:[00000030h] 5_2_00B3EA55
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B04257 mov eax, dword ptr fs:[00000030h] 5_2_00B04257
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 5_2_00AA4BAD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 5_2_00AA4BAD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 5_2_00AA4BAD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B45BA5 mov eax, dword ptr fs:[00000030h] 5_2_00B45BA5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A81B8F mov eax, dword ptr fs:[00000030h] 5_2_00A81B8F
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A81B8F mov eax, dword ptr fs:[00000030h] 5_2_00A81B8F
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2D380 mov ecx, dword ptr fs:[00000030h] 5_2_00B2D380
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3138A mov eax, dword ptr fs:[00000030h] 5_2_00B3138A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAB390 mov eax, dword ptr fs:[00000030h] 5_2_00AAB390
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2397 mov eax, dword ptr fs:[00000030h] 5_2_00AA2397
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9DBE9 mov eax, dword ptr fs:[00000030h] 5_2_00A9DBE9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 mov ecx, dword ptr fs:[00000030h] 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 mov ecx, dword ptr fs:[00000030h] 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 mov eax, dword ptr fs:[00000030h] 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF53CA mov eax, dword ptr fs:[00000030h] 5_2_00AF53CA
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF53CA mov eax, dword ptr fs:[00000030h] 5_2_00AF53CA
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3131B mov eax, dword ptr fs:[00000030h] 5_2_00B3131B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7DB60 mov ecx, dword ptr fs:[00000030h] 5_2_00A7DB60
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA3B7A mov eax, dword ptr fs:[00000030h] 5_2_00AA3B7A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA3B7A mov eax, dword ptr fs:[00000030h] 5_2_00AA3B7A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7DB40 mov eax, dword ptr fs:[00000030h] 5_2_00A7DB40
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48B58 mov eax, dword ptr fs:[00000030h] 5_2_00B48B58
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7F358 mov eax, dword ptr fs:[00000030h] 5_2_00A7F358
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8849B mov eax, dword ptr fs:[00000030h] 5_2_00A8849B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B314FB mov eax, dword ptr fs:[00000030h] 5_2_00B314FB
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_00AF6CF0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_00AF6CF0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_00AF6CF0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48CD6 mov eax, dword ptr fs:[00000030h] 5_2_00B48CD6
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AABC2C mov eax, dword ptr fs:[00000030h] 5_2_00AABC2C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h] 5_2_00AF6C0A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h] 5_2_00AF6C0A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h] 5_2_00AF6C0A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h] 5_2_00AF6C0A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h] 5_2_00B31C06
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h] 5_2_00B4740D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h] 5_2_00B4740D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h] 5_2_00B4740D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9746D mov eax, dword ptr fs:[00000030h] 5_2_00A9746D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h] 5_2_00AAAC7B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0C450 mov eax, dword ptr fs:[00000030h] 5_2_00B0C450
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0C450 mov eax, dword ptr fs:[00000030h] 5_2_00B0C450
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA44B mov eax, dword ptr fs:[00000030h] 5_2_00AAA44B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA35A1 mov eax, dword ptr fs:[00000030h] 5_2_00AA35A1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B405AC mov eax, dword ptr fs:[00000030h] 5_2_00B405AC
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B405AC mov eax, dword ptr fs:[00000030h] 5_2_00B405AC
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00AA1DB5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00AA1DB5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00AA1DB5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h] 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h] 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h] 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h] 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h] 5_2_00A72D8A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h] 5_2_00A72D8A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h] 5_2_00A72D8A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h] 5_2_00A72D8A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h] 5_2_00A72D8A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAFD9B mov eax, dword ptr fs:[00000030h] 5_2_00AAFD9B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAFD9B mov eax, dword ptr fs:[00000030h] 5_2_00AAFD9B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B28DF1 mov eax, dword ptr fs:[00000030h] 5_2_00B28DF1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8D5E0 mov eax, dword ptr fs:[00000030h] 5_2_00A8D5E0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8D5E0 mov eax, dword ptr fs:[00000030h] 5_2_00A8D5E0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h] 5_2_00B3FDE2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h] 5_2_00B3FDE2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h] 5_2_00B3FDE2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h] 5_2_00B3FDE2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h] 5_2_00AF6DC9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h] 5_2_00AF6DC9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h] 5_2_00AF6DC9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_00AF6DC9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h] 5_2_00AF6DC9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h] 5_2_00AF6DC9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48D34 mov eax, dword ptr fs:[00000030h] 5_2_00B48D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3E539 mov eax, dword ptr fs:[00000030h] 5_2_00B3E539
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h] 5_2_00AA4D3B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h] 5_2_00AA4D3B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h] 5_2_00AA4D3B
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7AD30 mov eax, dword ptr fs:[00000030h] 5_2_00A7AD30
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AFA537 mov eax, dword ptr fs:[00000030h] 5_2_00AFA537
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h] 5_2_00A83D34
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9C577 mov eax, dword ptr fs:[00000030h] 5_2_00A9C577
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9C577 mov eax, dword ptr fs:[00000030h] 5_2_00A9C577
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB3D43 mov eax, dword ptr fs:[00000030h] 5_2_00AB3D43
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF3540 mov eax, dword ptr fs:[00000030h] 5_2_00AF3540
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B23D40 mov eax, dword ptr fs:[00000030h] 5_2_00B23D40
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A97D50 mov eax, dword ptr fs:[00000030h] 5_2_00A97D50
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF46A7 mov eax, dword ptr fs:[00000030h] 5_2_00AF46A7
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h] 5_2_00B40EA5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h] 5_2_00B40EA5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h] 5_2_00B40EA5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0FE87 mov eax, dword ptr fs:[00000030h] 5_2_00B0FE87
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA16E0 mov ecx, dword ptr fs:[00000030h] 5_2_00AA16E0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A876E2 mov eax, dword ptr fs:[00000030h] 5_2_00A876E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48ED6 mov eax, dword ptr fs:[00000030h] 5_2_00B48ED6
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA36CC mov eax, dword ptr fs:[00000030h] 5_2_00AA36CC
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB8EC7 mov eax, dword ptr fs:[00000030h] 5_2_00AB8EC7
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2FEC0 mov eax, dword ptr fs:[00000030h] 5_2_00B2FEC0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7E620 mov eax, dword ptr fs:[00000030h] 5_2_00A7E620
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2FE3F mov eax, dword ptr fs:[00000030h] 5_2_00B2FE3F
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h] 5_2_00A7C600
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h] 5_2_00A7C600
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h] 5_2_00A7C600
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA8E00 mov eax, dword ptr fs:[00000030h] 5_2_00AA8E00
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA61C mov eax, dword ptr fs:[00000030h] 5_2_00AAA61C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA61C mov eax, dword ptr fs:[00000030h] 5_2_00AAA61C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B31608 mov eax, dword ptr fs:[00000030h] 5_2_00B31608
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8766D mov eax, dword ptr fs:[00000030h] 5_2_00A8766D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h] 5_2_00A9AE73
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h] 5_2_00A9AE73
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h] 5_2_00A9AE73
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h] 5_2_00A9AE73
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h] 5_2_00A9AE73
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h] 5_2_00A87E41
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h] 5_2_00A87E41
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h] 5_2_00A87E41
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h] 5_2_00A87E41
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h] 5_2_00A87E41
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h] 5_2_00A87E41
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3AE44 mov eax, dword ptr fs:[00000030h] 5_2_00B3AE44
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3AE44 mov eax, dword ptr fs:[00000030h] 5_2_00B3AE44
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h] 5_2_00AF7794
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h] 5_2_00AF7794
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h] 5_2_00AF7794
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A88794 mov eax, dword ptr fs:[00000030h] 5_2_00A88794
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB37F5 mov eax, dword ptr fs:[00000030h] 5_2_00AB37F5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A74F2E mov eax, dword ptr fs:[00000030h] 5_2_00A74F2E
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A74F2E mov eax, dword ptr fs:[00000030h] 5_2_00A74F2E
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B73D mov eax, dword ptr fs:[00000030h] 5_2_00A9B73D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B73D mov eax, dword ptr fs:[00000030h] 5_2_00A9B73D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAE730 mov eax, dword ptr fs:[00000030h] 5_2_00AAE730
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0FF10 mov eax, dword ptr fs:[00000030h] 5_2_00B0FF10
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0FF10 mov eax, dword ptr fs:[00000030h] 5_2_00B0FF10
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA70E mov eax, dword ptr fs:[00000030h] 5_2_00AAA70E
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA70E mov eax, dword ptr fs:[00000030h] 5_2_00AAA70E
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4070D mov eax, dword ptr fs:[00000030h] 5_2_00B4070D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B4070D mov eax, dword ptr fs:[00000030h] 5_2_00B4070D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9F716 mov eax, dword ptr fs:[00000030h] 5_2_00A9F716
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8FF60 mov eax, dword ptr fs:[00000030h] 5_2_00A8FF60
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48F6A mov eax, dword ptr fs:[00000030h] 5_2_00B48F6A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8EF40 mov eax, dword ptr fs:[00000030h] 5_2_00A8EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03753B7A mov eax, dword ptr fs:[00000030h] 10_2_03753B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03753B7A mov eax, dword ptr fs:[00000030h] 10_2_03753B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372DB60 mov ecx, dword ptr fs:[00000030h] 10_2_0372DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F8B58 mov eax, dword ptr fs:[00000030h] 10_2_037F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372F358 mov eax, dword ptr fs:[00000030h] 10_2_0372F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372DB40 mov eax, dword ptr fs:[00000030h] 10_2_0372DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E131B mov eax, dword ptr fs:[00000030h] 10_2_037E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h] 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h] 10_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h] 10_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h] 10_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h] 10_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h] 10_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h] 10_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374DBE9 mov eax, dword ptr fs:[00000030h] 10_2_0374DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037D23E3 mov ecx, dword ptr fs:[00000030h] 10_2_037D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037D23E3 mov ecx, dword ptr fs:[00000030h] 10_2_037D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037D23E3 mov eax, dword ptr fs:[00000030h] 10_2_037D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037A53CA mov eax, dword ptr fs:[00000030h] 10_2_037A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037A53CA mov eax, dword ptr fs:[00000030h] 10_2_037A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h] 10_2_03754BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h] 10_2_03754BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h] 10_2_03754BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F5BA5 mov eax, dword ptr fs:[00000030h] 10_2_037F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03752397 mov eax, dword ptr fs:[00000030h] 10_2_03752397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375B390 mov eax, dword ptr fs:[00000030h] 10_2_0375B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E138A mov eax, dword ptr fs:[00000030h] 10_2_037E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03731B8F mov eax, dword ptr fs:[00000030h] 10_2_03731B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03731B8F mov eax, dword ptr fs:[00000030h] 10_2_03731B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037DD380 mov ecx, dword ptr fs:[00000030h] 10_2_037DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375138B mov eax, dword ptr fs:[00000030h] 10_2_0375138B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375138B mov eax, dword ptr fs:[00000030h] 10_2_0375138B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375138B mov eax, dword ptr fs:[00000030h] 10_2_0375138B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0376927A mov eax, dword ptr fs:[00000030h] 10_2_0376927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037DB260 mov eax, dword ptr fs:[00000030h] 10_2_037DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037DB260 mov eax, dword ptr fs:[00000030h] 10_2_037DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037F8A62 mov eax, dword ptr fs:[00000030h] 10_2_037F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037EEA55 mov eax, dword ptr fs:[00000030h] 10_2_037EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037B4257 mov eax, dword ptr fs:[00000030h] 10_2_037B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h] 10_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h] 10_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h] 10_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h] 10_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h] 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h] 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h] 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h] 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h] 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h] 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03764A2C mov eax, dword ptr fs:[00000030h] 10_2_03764A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03764A2C mov eax, dword ptr fs:[00000030h] 10_2_03764A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h] 10_2_0374A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h] 10_2_03725210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03725210 mov ecx, dword ptr fs:[00000030h] 10_2_03725210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h] 10_2_03725210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h] 10_2_03725210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372AA16 mov eax, dword ptr fs:[00000030h] 10_2_0372AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372AA16 mov eax, dword ptr fs:[00000030h] 10_2_0372AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03743A1C mov eax, dword ptr fs:[00000030h] 10_2_03743A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037EAA16 mov eax, dword ptr fs:[00000030h] 10_2_037EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037EAA16 mov eax, dword ptr fs:[00000030h] 10_2_037EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03738A0A mov eax, dword ptr fs:[00000030h] 10_2_03738A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03752AE4 mov eax, dword ptr fs:[00000030h] 10_2_03752AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h] 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03752ACB mov eax, dword ptr fs:[00000030h] 10_2_03752ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0373AAB0 mov eax, dword ptr fs:[00000030h] 10_2_0373AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0373AAB0 mov eax, dword ptr fs:[00000030h] 10_2_0373AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375FAB0 mov eax, dword ptr fs:[00000030h] 10_2_0375FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h] 10_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h] 10_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h] 10_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h] 10_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h] 10_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375D294 mov eax, dword ptr fs:[00000030h] 10_2_0375D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375D294 mov eax, dword ptr fs:[00000030h] 10_2_0375D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372B171 mov eax, dword ptr fs:[00000030h] 10_2_0372B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372B171 mov eax, dword ptr fs:[00000030h] 10_2_0372B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372C962 mov eax, dword ptr fs:[00000030h] 10_2_0372C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B944 mov eax, dword ptr fs:[00000030h] 10_2_0374B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0374B944 mov eax, dword ptr fs:[00000030h] 10_2_0374B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375513A mov eax, dword ptr fs:[00000030h] 10_2_0375513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0375513A mov eax, dword ptr fs:[00000030h] 10_2_0375513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h] 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h] 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h] 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h] 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03744120 mov ecx, dword ptr fs:[00000030h] 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h] 10_2_03729100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h] 10_2_03729100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h] 10_2_03729100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037B41E8 mov eax, dword ptr fs:[00000030h] 10_2_037B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0372B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0372B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0372B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h] 10_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h] 10_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h] 10_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h] 10_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037499BF mov ecx, dword ptr fs:[00000030h] 10_2_037499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037499BF mov ecx, dword ptr fs:[00000030h] 10_2_037499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_037499BF mov eax, dword ptr fs:[00000030h] 10_2_037499BF
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DWG.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00409B40 LdrLoadDll, 5_2_00409B40
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043BAD2 SetUnhandledExceptionFilter, 0_2_0043BAD2
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043BAE4 SetUnhandledExceptionFilter, 0_2_0043BAE4

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.hcbg.online
Source: C:\Windows\explorer.exe Domain query: www.knowsyourdream.com
Source: C:\Windows\explorer.exe Network Connect: 198.187.31.159 80
Source: C:\Windows\explorer.exe Network Connect: 154.216.113.38 80
Source: C:\Windows\explorer.exe Domain query: www.jntycy.com
Source: C:\Windows\explorer.exe Domain query: www.publiccoins.online
Source: C:\Windows\explorer.exe Domain query: www.theravewizards.com
Source: C:\Windows\explorer.exe Domain query: www.thebrandstudiointernational.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe Network Connect: 5.157.87.204 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DWG.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 280000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DWG.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DWG.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DWG.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DWG.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DWG.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3352
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DWG.exe Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'
Source: explorer.exe, 00000006.00000000.331932782.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.362308444.0000000005E10000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.365065099.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043601C GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_0043601C
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043601C GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_0043601C
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0044D2B5 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 0_2_0044D2B5

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00411BFD VirtualProtect,glGenTextures,glBindTexture,glTexParameteri,glTexParameteri,glTexParameteri,glTexParameteri,glTexImage2D,glBindTexture,glBegin,glArrayElement,LineDDA, 0_2_00411BFD