Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: ox87DNNM8d.exe, 00000001.00000002.234176049.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419D50 NtCreateFile, | 3_2_00419D50 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419E00 NtReadFile, | 3_2_00419E00 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419E80 NtClose, | 3_2_00419E80 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419F30 NtAllocateVirtualMemory, | 3_2_00419F30 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419D4B NtCreateFile, | 3_2_00419D4B |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419DFC NtReadFile, | 3_2_00419DFC |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9840 NtDelayExecution,LdrInitializeThunk, | 8_2_045D9840 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9860 NtQuerySystemInformation,LdrInitializeThunk, | 8_2_045D9860 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9540 NtReadFile,LdrInitializeThunk, | 8_2_045D9540 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 8_2_045D9910 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D95D0 NtClose,LdrInitializeThunk, | 8_2_045D95D0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D99A0 NtCreateSection,LdrInitializeThunk, | 8_2_045D99A0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A50 NtCreateFile,LdrInitializeThunk, | 8_2_045D9A50 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9650 NtQueryValueKey,LdrInitializeThunk, | 8_2_045D9650 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 8_2_045D9660 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D96D0 NtCreateKey,LdrInitializeThunk, | 8_2_045D96D0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 8_2_045D96E0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9710 NtQueryInformationToken,LdrInitializeThunk, | 8_2_045D9710 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9FE0 NtCreateMutant,LdrInitializeThunk, | 8_2_045D9FE0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9780 NtMapViewOfSection,LdrInitializeThunk, | 8_2_045D9780 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DB040 NtSuspendThread, | 8_2_045DB040 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9820 NtEnumerateKey, | 8_2_045D9820 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D98F0 NtReadVirtualMemory, | 8_2_045D98F0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D98A0 NtWriteVirtualMemory, | 8_2_045D98A0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9950 NtQueueApcThread, | 8_2_045D9950 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9560 NtWriteFile, | 8_2_045D9560 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DAD30 NtSetContextThread, | 8_2_045DAD30 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9520 NtWaitForSingleObject, | 8_2_045D9520 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D99D0 NtCreateProcessEx, | 8_2_045D99D0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D95F0 NtQueryInformationFile, | 8_2_045D95F0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9670 NtQueryInformationProcess, | 8_2_045D9670 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9610 NtEnumerateValueKey, | 8_2_045D9610 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A10 NtQuerySection, | 8_2_045D9A10 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A00 NtProtectVirtualMemory, | 8_2_045D9A00 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A20 NtResumeThread, | 8_2_045D9A20 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A80 NtOpenDirectoryObject, | 8_2_045D9A80 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9770 NtSetInformationFile, | 8_2_045D9770 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DA770 NtOpenThread, | 8_2_045DA770 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9760 NtOpenProcess, | 8_2_045D9760 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DA710 NtOpenProcessToken, | 8_2_045DA710 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9B00 NtSetValueKey, | 8_2_045D9B00 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9730 NtQueryVirtualMemory, | 8_2_045D9730 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DA3B0 NtGetContextThread, | 8_2_045DA3B0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D97A0 NtUnmapViewOfSection, | 8_2_045D97A0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189D50 NtCreateFile, | 8_2_00189D50 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189E00 NtReadFile, | 8_2_00189E00 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189E80 NtClose, | 8_2_00189E80 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189F30 NtAllocateVirtualMemory, | 8_2_00189F30 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189D4B NtCreateFile, | 8_2_00189D4B |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189DFC NtReadFile, | 8_2_00189DFC |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B58782 | 1_2_00B58782 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B55D17 | 1_2_00B55D17 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B54765 | 1_2_00B54765 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0160C1D0 | 1_2_0160C1D0 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_01609890 | 1_2_01609890 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06420F30 | 1_2_06420F30 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06427C80 | 1_2_06427C80 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642E228 | 1_2_0642E228 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06420040 | 1_2_06420040 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064280F8 | 1_2_064280F8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642C1D8 | 1_2_0642C1D8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06429600 | 1_2_06429600 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06421E18 | 1_2_06421E18 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06421E28 | 1_2_06421E28 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06420E38 | 1_2_06420E38 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064236A9 | 1_2_064236A9 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064236B8 | 1_2_064236B8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06427C72 | 1_2_06427C72 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642CC10 | 1_2_0642CC10 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064234C8 | 1_2_064234C8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064234D8 | 1_2_064234D8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5B3F5 | 1_2_00B5B3F5 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B56759 | 1_2_00B56759 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00401030 | 3_2_00401030 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041D21B | 3_2_0041D21B |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041DBED | 3_2_0041DBED |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00409DEB | 3_2_00409DEB |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00402D87 | 3_2_00402D87 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00402D90 | 3_2_00402D90 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00409E30 | 3_2_00409E30 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CF96 | 3_2_0041CF96 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB5D17 | 3_2_00FB5D17 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB8782 | 3_2_00FB8782 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB4765 | 3_2_00FB4765 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBB3F5 | 3_2_00FBB3F5 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB6759 | 3_2_00FB6759 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651002 | 8_2_04651002 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB090 | 8_2_045AB090 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04661D55 | 8_2_04661D55 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459F900 | 8_2_0459F900 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04590D20 | 8_2_04590D20 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 | 8_2_045B4120 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B6E30 | 8_2_045B6E30 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CEBB0 | 8_2_045CEBB0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018D21B | 8_2_0018D21B |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00172D90 | 8_2_00172D90 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00172D87 | 8_2_00172D87 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00179DEB | 8_2_00179DEB |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00179E30 | 8_2_00179E30 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CF96 | 8_2_0018CF96 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00172FB0 | 8_2_00172FB0 |
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5CFB8 push edx; ret | 1_2_00B5CFF4 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5C8C0 push eax; retf | 1_2_00B5C861 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5DBCA push eax; retf | 1_2_00B5DB6B |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5D21C push eax; retf | 1_2_00B5D1BD |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5D966 push edx; ret | 1_2_00B5D9A2 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5C65C push edx; ret | 1_2_00B5C698 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642674D push es; ret | 1_2_06426754 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06426799 push es; ret | 1_2_0642679C |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00401028 push ds; ret | 3_2_0040102C |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_004171DE push 974CB969h; retf | 3_2_004171E6 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_004172CC push edx; ret | 3_2_004172D8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00416BC9 push es; retf | 3_2_00416BDC |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_004163B0 push ss; ret | 3_2_004163C6 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CEF2 push eax; ret | 3_2_0041CEF8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CEFB push eax; ret | 3_2_0041CF62 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CEA5 push eax; ret | 3_2_0041CEF8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CF5C push eax; ret | 3_2_0041CF62 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBC8C0 push eax; retf | 3_2_00FBC861 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBD966 push edx; ret | 3_2_00FBD9A2 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBD21C push eax; retf | 3_2_00FBD1BD |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBDBCA push eax; retf | 3_2_00FBDB6B |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBC65C push edx; ret | 3_2_00FBC698 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBCFB8 push edx; ret | 3_2_00FBCFF4 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045ED0D1 push ecx; ret | 8_2_045ED0E4 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_001871DE push 974CB969h; retf | 8_2_001871E6 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_001872CC push edx; ret | 8_2_001872D8 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_001863B0 push ss; ret | 8_2_001863C6 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00186BC9 push es; retf | 8_2_00186BDC |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CEA5 push eax; ret | 8_2_0018CEF8 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CEFB push eax; ret | 8_2_0018CF62 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CEF2 push eax; ret | 8_2_0018CEF8 |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0 |
Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000004.00000002.501948287.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00 |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
Source: explorer.exe, 00000004.00000000.237589481.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0 |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000% |
Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}## |
Source: explorer.exe, 00000004.00000002.508140093.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\" |
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002 |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
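The rows above group three things an analyst wants separated: the SetErrorMode flags (NOOPENFILEERRORBOX / NOGPFAULTERRORBOX, which keep a failed file open or an access violation from raising a dialog in the sandbox), VMware/Hyper-V artefacts (registry paths such as SOFTWARE\VMware, Inc.\VMware Tools and the SCSi device map, plus a Defender exclusion command fused with the "VMware SVGA II" string), and, in the "Code function" rows that follow, reads of fs:[00000030h], the PEB pointer on 32-bit Windows. Note that many of the VMware and Hyper-V strings are attributed to explorer.exe memory, which on any Windows guest holds the device tree and the OS's own Hyper-V error-message text, so only the rows sourced from the sample's own memory are direct evidence that ox87DNNM8d.exe probes for a VM. The triage script below is an added example written for this page, not Joe Sandbox code and not code from the sample: it collapses duplicate rows with a count, tags each row by technique, attributes hits to the sample or to a host process, and lists the registry paths a sandbox operator would want to hide. The rule names, the SAMPLE_NAME constant and the embedded rows are this example's own assumptions; the rows are copied from this report as constructed input.

```python
"""Triage helper for sandbox report rows like the ones on this page.

Added example for this page; it is not Joe Sandbox code and not code from the
sample. Rule names, tags and the SAMPLE_NAME constant are this example's own.
"""
import re
from collections import Counter, OrderedDict

SAMPLE_NAME = "ox87DNNM8d.exe"  # submitted binary; every other process is a host it touched

# Constructed input: rows copied from this report, in its own
# "Source: <process> | <finding> | <ref> |" layout. Used only as sample data.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] | 8_2_04651C06 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] | 8_2_04651C06 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CF0BF mov ecx, dword ptr fs:[00000030h] | 8_2_045CF0BF |
"""

# tag -> pattern. Kept narrow so a hit is something an analyst would cite.
RULES = OrderedDict([
    ("error-mode", re.compile(r"\bNO(?:OPENFILE|GPFAULT)ERRORBOX\b")),  # SetErrorMode flags
    ("vm-artifact", re.compile(r"vmware|necvmwar|virtual_disk|hyper-v|vbox|virtualbox|qemu", re.I)),
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("peb-access", re.compile(r"fs:\[0*30h\]", re.I)),  # TEB+0x30 holds the PEB pointer on x86
])
REG_PATH = re.compile(r"(?:SOFTWARE|HARDWARE|SYSTEM)\\[^|\"!]+")  # registry paths worth hiding in a sandbox


def parse_row(line):
    """Split one report row into its source process and finding text.

    Drops the 'Jump to behavior' link cell and the trailing function-id cell
    of 'Code function' rows; keeps the inner '|' of multi-flag findings.
    """
    line = line.strip()
    if not line.startswith("Source:"):
        return None
    cells = [c.strip() for c in line[len("Source:"):].strip("| ").split("|")]
    cells = [c for c in cells if c and c != "Jump to behavior"]
    source, rest = cells[0], cells[1:]
    if rest and rest[0].startswith("Code function:") and len(rest) > 1:
        rest = rest[:-1]
    return {"source": source, "finding": " | ".join(rest)}


def classify(finding):
    """Technique tags whose pattern matches the finding text (in RULES order)."""
    return [tag for tag, pat in RULES.items() if pat.search(finding)]


def owner(source):
    """'sample' when the row came from the submitted binary, 'host' otherwise."""
    proc = source.split(",")[0].rsplit("\\", 1)[-1].strip().lower()
    return "sample" if proc == SAMPLE_NAME.lower() else "host"


def triage(report_text):
    """Collapse duplicate rows, count technique hits per owner, collect registry paths."""
    rows = [r for r in (parse_row(l) for l in report_text.splitlines()) if r]
    collapsed = Counter((r["source"], r["finding"]) for r in rows)
    counts, by_owner, reg_paths = Counter(), {}, []
    for (source, finding), n in collapsed.items():
        for tag in classify(finding):
            counts[tag] += n
            by_owner.setdefault(tag, Counter())[owner(source)] += n
        for path in REG_PATH.findall(finding):
            if path.strip() not in reg_paths:
                reg_paths.append(path.strip())
    return {
        "rows": len(rows),
        "unique": len(collapsed),
        "collapsed": collapsed,
        "technique_counts": dict(counts),
        "by_owner": {t: dict(c) for t, c in by_owner.items()},
        "registry_paths": reg_paths,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"{result['rows']} rows, {result['unique']} unique")
    for tag, n in result["technique_counts"].items():
        # Hits seen only in host-process memory (explorer.exe device tree, OS
        # error text) are weak evidence that the sample itself probes for a VM.
        print(f"{tag:20s} {n:3d}  {result['by_owner'][tag]}")
    print("registry paths to hide:", result["registry_paths"])
```

Run it on the full report text instead of SAMPLE_ROWS and the by_owner split is the first thing to read: a vm-artifact count that is entirely "host" means the sandbox leaked its own artefacts into a process the sample touched, while "sample" hits point at the registry paths and device names the binary actually carries, which are the ones to mask in the analysis VM.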
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04661074 mov eax, dword ptr fs:[00000030h] | 8_2_04661074 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04652073 mov eax, dword ptr fs:[00000030h] | 8_2_04652073 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462C450 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_0462C450 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B746D mov eax, dword ptr fs:[00000030h] | 8_2_045B746D |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] (14 occurrences) | 8_2_04651C06 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466740D mov eax, dword ptr fs:[00000030h] (3 occurrences) | 8_2_0466740D |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB02A mov eax, dword ptr fs:[00000030h] (4 occurrences) | 8_2_045AB02A |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CBC2C mov eax, dword ptr fs:[00000030h] | 8_2_045CBC2C |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04664015 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_04664015 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04617016 mov eax, dword ptr fs:[00000030h] (3 occurrences) | 8_2_04617016 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_046514FB mov eax, dword ptr fs:[00000030h] | 8_2_046514FB |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668CD6 mov eax, dword ptr fs:[00000030h] | 8_2_04668CD6 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599080 mov eax, dword ptr fs:[00000030h] | 8_2_04599080 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CF0BF mov ecx, dword ptr fs:[00000030h] | 8_2_045CF0BF |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_045CF0BF |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04613884 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_04613884 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D90AF mov eax, dword ptr fs:[00000030h] | 8_2_045D90AF |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B7D50 mov eax, dword ptr fs:[00000030h] | 8_2_045B7D50 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D3D43 mov eax, dword ptr fs:[00000030h] | 8_2_045D3D43 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BB944 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_045BB944 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04613540 mov eax, dword ptr fs:[00000030h] | 8_2_04613540 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B171 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_0459B171 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BC577 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_045BC577 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668D34 mov eax, dword ptr fs:[00000030h] | 8_2_04668D34 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599100 mov eax, dword ptr fs:[00000030h] (3 occurrences) | 8_2_04599100 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C513A mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_045C513A |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C4D3B mov eax, dword ptr fs:[00000030h] (3 occurrences) | 8_2_045C4D3B |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459AD30 mov eax, dword ptr fs:[00000030h] | 8_2_0459AD30 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov eax, dword ptr fs:[00000030h] (4 occurrences) | 8_2_045B4120 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov ecx, dword ptr fs:[00000030h] | 8_2_045B4120 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04648DF1 mov eax, dword ptr fs:[00000030h] | 8_2_04648DF1 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences) | 8_2_0459B1E1 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] (5 occurrences) | 8_2_04592D8A |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CA185 mov eax, dword ptr fs:[00000030h] | 8_2_045CA185 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BC182 mov eax, dword ptr fs:[00000030h] | 8_2_045BC182 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C35A1 mov eax, dword ptr fs:[00000030h] | 8_2_045C35A1 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464B260 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_0464B260 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] (4 occurrences) | 8_2_04599240 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D927A mov eax, dword ptr fs:[00000030h] | 8_2_045D927A |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464FE3F mov eax, dword ptr fs:[00000030h] | 8_2_0464FE3F |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C36CC mov eax, dword ptr fs:[00000030h] | 8_2_045C36CC |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464FEC0 mov eax, dword ptr fs:[00000030h] | 8_2_0464FEC0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668ED6 mov eax, dword ptr fs:[00000030h] | 8_2_04668ED6 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C16E0 mov ecx, dword ptr fs:[00000030h] | 8_2_045C16E0 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences) | 8_2_04660EA5 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_046146A7 mov eax, dword ptr fs:[00000030h] | 8_2_046146A7 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CD294 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_045CD294 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462FE87 mov eax, dword ptr fs:[00000030h] | 8_2_0462FE87 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] (5 occurrences) | 8_2_045952A5 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668F6A mov eax, dword ptr fs:[00000030h] | 8_2_04668F6A |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AEF40 mov eax, dword ptr fs:[00000030h] | 8_2_045AEF40 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668B58 mov eax, dword ptr fs:[00000030h] | 8_2_04668B58 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466070D mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_0466070D |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CE730 mov eax, dword ptr fs:[00000030h] | 8_2_045CE730 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462FF10 mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_0462FF10 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04594F2E mov eax, dword ptr fs:[00000030h] (2 occurrences) | 8_2_04594F2E |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0465131B mov eax, dword ptr fs:[00000030h] | 8_2_0465131B |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04665BA5 mov eax, dword ptr fs:[00000030h] | 8_2_04665BA5 |
Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0465138A mov eax, dword ptr fs:[00000030h] | 8_2_0465138A |