| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
| Source: ox87DNNM8d.exe, 00000001.00000002.234176049.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
| Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
| Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419D50 NtCreateFile, |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419E00 NtReadFile, |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419E80 NtClose, |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419F30 NtAllocateVirtualMemory, |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419D4B NtCreateFile, |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00419DFC NtReadFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9840 NtDelayExecution,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9860 NtQuerySystemInformation,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9540 NtReadFile,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D95D0 NtClose,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D99A0 NtCreateSection,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A50 NtCreateFile,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9650 NtQueryValueKey,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9660 NtAllocateVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D96D0 NtCreateKey,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D96E0 NtFreeVirtualMemory,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9710 NtQueryInformationToken,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9FE0 NtCreateMutant,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9780 NtMapViewOfSection,LdrInitializeThunk, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DB040 NtSuspendThread, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9820 NtEnumerateKey, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D98F0 NtReadVirtualMemory, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D98A0 NtWriteVirtualMemory, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9950 NtQueueApcThread, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9560 NtWriteFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DAD30 NtSetContextThread, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9520 NtWaitForSingleObject, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D99D0 NtCreateProcessEx, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D95F0 NtQueryInformationFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9670 NtQueryInformationProcess, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9610 NtEnumerateValueKey, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A10 NtQuerySection, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A00 NtProtectVirtualMemory, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A20 NtResumeThread, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9A80 NtOpenDirectoryObject, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9770 NtSetInformationFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DA770 NtOpenThread, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9760 NtOpenProcess, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DA710 NtOpenProcessToken, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9B00 NtSetValueKey, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D9730 NtQueryVirtualMemory, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045DA3B0 NtGetContextThread, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D97A0 NtUnmapViewOfSection, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189D50 NtCreateFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189E00 NtReadFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189E80 NtClose, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189F30 NtAllocateVirtualMemory, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189D4B NtCreateFile, |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00189DFC NtReadFile, |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B58782 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B55D17 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B54765 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0160C1D0 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_01609890 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06420F30 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06427C80 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642E228 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06420040 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064280F8 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642C1D8 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06429600 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06421E18 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06421E28 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06420E38 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064236A9 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064236B8 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06427C72 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642CC10 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064234C8 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_064234D8 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5B3F5 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B56759 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00401030 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041D21B |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041DBED |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00409DEB |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00402D87 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00402D90 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00409E30 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CF96 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00402FB0 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB5D17 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB8782 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB4765 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBB3F5 |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FB6759 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651002 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB090 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04661D55 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459F900 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04590D20 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B6E30 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CEBB0 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018D21B |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00172D90 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00172D87 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00179DEB |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00179E30 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CF96 |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00172FB0 |
| Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5CFB8 push edx; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5C8C0 push eax; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5DBCA push eax; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5D21C push eax; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5D966 push edx; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_00B5C65C push edx; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_0642674D push es; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 1_2_06426799 push es; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00401028 push ds; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_004171DE push 974CB969h; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_004172CC push edx; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00416BC9 push es; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_004163B0 push ss; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CEF2 push eax; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CEFB push eax; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CEA5 push eax; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_0041CF5C push eax; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBC8C0 push eax; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBD966 push edx; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBD21C push eax; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBDBCA push eax; retf |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBC65C push edx; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Code function: 3_2_00FBCFB8 push edx; ret |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045ED0D1 push ecx; ret |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_001871DE push 974CB969h; retf |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_001872CC push edx; ret |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_001863B0 push ss; ret |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_00186BC9 push es; retf |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CEA5 push eax; ret |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CEFB push eax; ret |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0018CEF2 push eax; ret |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\ox87DNNM8d.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
| Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0 |
| Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
| Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: vmware |
| Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
| Source: explorer.exe, 00000004.00000002.501948287.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00 |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
| Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
| Source: explorer.exe, 00000004.00000000.237589481.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0 |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
| Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000% |
| Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}## |
| Source: explorer.exe, 00000004.00000002.508140093.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\" |
| Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
| Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
| Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002 |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
| Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
| Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04661074 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04652073 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462C450 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462C450 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B746D mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466740D mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466740D mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466740D mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB02A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB02A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB02A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AB02A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CBC2C mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04664015 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04664015 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04617016 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04617016 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04617016 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_046514FB mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668CD6 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599080 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CF0BF mov ecx, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CF0BF mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CF0BF mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04613884 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04613884 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D90AF mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B7D50 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D3D43 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BB944 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BB944 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04613540 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B171 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B171 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BC577 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BC577 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668D34 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599100 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599100 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599100 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C513A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C513A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C4D3B mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C4D3B mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C4D3B mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459AD30 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045B4120 mov ecx, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04648DF1 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B1E1 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B1E1 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0459B1E1 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CA185 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045BC182 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C35A1 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464B260 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464B260 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045D927A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464FE3F mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C36CC mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0464FEC0 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668ED6 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045C16E0 mov ecx, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_046146A7 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CD294 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CD294 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462FE87 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668F6A mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045AEF40 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04668B58 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466070D mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0466070D mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_045CE730 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462FF10 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0462FF10 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04594F2E mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04594F2E mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0465131B mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04665BA5 mov eax, dword ptr fs:[00000030h] |
| Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0465138A mov eax, dword ptr fs:[00000030h] |
Play interactive tour
Edit tour
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node