Source: explorer.exe, 00000005.00000000.241683015.0000000008A05000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: http://instagram.com/casarpontocom |
Source: DNPr7t0GMY.exe, 00000002.00000002.220254281.00000000032E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: http://www.pinterest.com/casarpontocom |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://casarpontocom.zendesk.com/hc/pt-br |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.js |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://embed.typeform.com/embed.js |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://plus.google.com/ |
Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/cha-de-panela/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com/assunto/organizacao/ |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id= |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC |
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/casarpontocom |
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004181B0 NtCreateFile, | 4_2_004181B0 |
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00418260 NtReadFile, | 4_2_00418260 |
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004182E0 NtClose, | 4_2_004182E0 |
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory, | 4_2_00418390 |
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004182AC NtReadFile, | 4_2_004182AC |
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041838B NtAllocateVirtualMemory, | 4_2_0041838B |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D195D0 NtClose,LdrInitializeThunk, | 10_2_04D195D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19540 NtReadFile,LdrInitializeThunk, | 10_2_04D19540 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D196D0 NtCreateKey,LdrInitializeThunk, | 10_2_04D196D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D196E0 NtFreeVirtualMemory,LdrInitializeThunk, | 10_2_04D196E0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19650 NtQueryValueKey,LdrInitializeThunk, | 10_2_04D19650 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19660 NtAllocateVirtualMemory,LdrInitializeThunk, | 10_2_04D19660 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19FE0 NtCreateMutant,LdrInitializeThunk, | 10_2_04D19FE0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19780 NtMapViewOfSection,LdrInitializeThunk, | 10_2_04D19780 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19710 NtQueryInformationToken,LdrInitializeThunk, | 10_2_04D19710 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19840 NtDelayExecution,LdrInitializeThunk, | 10_2_04D19840 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19860 NtQuerySystemInformation,LdrInitializeThunk, | 10_2_04D19860 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D199A0 NtCreateSection,LdrInitializeThunk, | 10_2_04D199A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 10_2_04D19910 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A50 NtCreateFile,LdrInitializeThunk, | 10_2_04D19A50 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D195F0 NtQueryInformationFile, | 10_2_04D195F0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19560 NtWriteFile, | 10_2_04D19560 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1AD30 NtSetContextThread, | 10_2_04D1AD30 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19520 NtWaitForSingleObject, | 10_2_04D19520 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19670 NtQueryInformationProcess, | 10_2_04D19670 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19610 NtEnumerateValueKey, | 10_2_04D19610 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D197A0 NtUnmapViewOfSection, | 10_2_04D197A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A770 NtOpenThread, | 10_2_04D1A770 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19770 NtSetInformationFile, | 10_2_04D19770 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19760 NtOpenProcess, | 10_2_04D19760 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A710 NtOpenProcessToken, | 10_2_04D1A710 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19730 NtQueryVirtualMemory, | 10_2_04D19730 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D198F0 NtReadVirtualMemory, | 10_2_04D198F0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D198A0 NtWriteVirtualMemory, | 10_2_04D198A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1B040 NtSuspendThread, | 10_2_04D1B040 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19820 NtEnumerateKey, | 10_2_04D19820 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D199D0 NtCreateProcessEx, | 10_2_04D199D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19950 NtQueueApcThread, | 10_2_04D19950 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A80 NtOpenDirectoryObject, | 10_2_04D19A80 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A10 NtQuerySection, | 10_2_04D19A10 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A00 NtProtectVirtualMemory, | 10_2_04D19A00 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A20 NtResumeThread, | 10_2_04D19A20 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A3B0 NtGetContextThread, | 10_2_04D1A3B0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19B00 NtSetValueKey, | 10_2_04D19B00 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_007981B0 NtCreateFile, | 10_2_007981B0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00798260 NtReadFile, | 10_2_00798260 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_007982E0 NtClose, | 10_2_007982E0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00798390 NtAllocateVirtualMemory, | 10_2_00798390 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_007982AC NtReadFile, | 10_2_007982AC |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079838B NtAllocateVirtualMemory, | 10_2_0079838B |
Source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA8CD6 mov eax, dword ptr fs:[00000030h] | 10_2_04DA8CD6 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D914FB mov eax, dword ptr fs:[00000030h] | 10_2_04D914FB |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D56CF0 mov eax, dword ptr fs:[00000030h] | 10_2_04D56CF0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE849B mov eax, dword ptr fs:[00000030h] | 10_2_04CE849B |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6C450 mov eax, dword ptr fs:[00000030h] | 10_2_04D6C450 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0A44B mov eax, dword ptr fs:[00000030h] | 10_2_04D0A44B |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF746D mov eax, dword ptr fs:[00000030h] | 10_2_04CF746D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA740D mov eax, dword ptr fs:[00000030h] | 10_2_04DA740D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D91C06 mov eax, dword ptr fs:[00000030h] | 10_2_04D91C06 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D56C0A mov eax, dword ptr fs:[00000030h] | 10_2_04D56C0A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0BC2C mov eax, dword ptr fs:[00000030h] | 10_2_04D0BC2C |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D56DC9 mov eax, dword ptr fs:[00000030h] | 10_2_04D56DC9 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D56DC9 mov ecx, dword ptr fs:[00000030h] | 10_2_04D56DC9 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D88DF1 mov eax, dword ptr fs:[00000030h] | 10_2_04D88DF1 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CED5E0 mov eax, dword ptr fs:[00000030h] | 10_2_04CED5E0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9FDE2 mov eax, dword ptr fs:[00000030h] | 10_2_04D9FDE2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD2D8A mov eax, dword ptr fs:[00000030h] | 10_2_04CD2D8A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0FD9B mov eax, dword ptr fs:[00000030h] | 10_2_04D0FD9B |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D02581 mov eax, dword ptr fs:[00000030h] | 10_2_04D02581 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D01DB5 mov eax, dword ptr fs:[00000030h] | 10_2_04D01DB5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D035A1 mov eax, dword ptr fs:[00000030h] | 10_2_04D035A1 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA05AC mov eax, dword ptr fs:[00000030h] | 10_2_04DA05AC |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D13D43 mov eax, dword ptr fs:[00000030h] | 10_2_04D13D43 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D53540 mov eax, dword ptr fs:[00000030h] | 10_2_04D53540 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF7D50 mov eax, dword ptr fs:[00000030h] | 10_2_04CF7D50 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFC577 mov eax, dword ptr fs:[00000030h] | 10_2_04CFC577 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9E539 mov eax, dword ptr fs:[00000030h] | 10_2_04D9E539 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D5A537 mov eax, dword ptr fs:[00000030h] | 10_2_04D5A537 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D04D3B mov eax, dword ptr fs:[00000030h] | 10_2_04D04D3B |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA8D34 mov eax, dword ptr fs:[00000030h] | 10_2_04DA8D34 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE3D34 mov eax, dword ptr fs:[00000030h] | 10_2_04CE3D34 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDAD30 mov eax, dword ptr fs:[00000030h] | 10_2_04CDAD30 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA8ED6 mov eax, dword ptr fs:[00000030h] | 10_2_04DA8ED6 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D18EC7 mov eax, dword ptr fs:[00000030h] | 10_2_04D18EC7 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D8FEC0 mov eax, dword ptr fs:[00000030h] | 10_2_04D8FEC0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D036CC mov eax, dword ptr fs:[00000030h] | 10_2_04D036CC |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE76E2 mov eax, dword ptr fs:[00000030h] | 10_2_04CE76E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D016E0 mov ecx, dword ptr fs:[00000030h] | 10_2_04D016E0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6FE87 mov eax, dword ptr fs:[00000030h] | 10_2_04D6FE87 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D546A7 mov eax, dword ptr fs:[00000030h] | 10_2_04D546A7 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA0EA5 mov eax, dword ptr fs:[00000030h] | 10_2_04DA0EA5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA0EA5 mov eax, dword ptr fs:[00000030h] | 10_2_04DA0EA5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA0EA5 mov eax, dword ptr fs:[00000030h] | 10_2_04DA0EA5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE7E41 mov eax, dword ptr fs:[00000030h] | 10_2_04CE7E41 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE7E41 mov eax, dword ptr fs:[00000030h] | 10_2_04CE7E41 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE7E41 mov eax, dword ptr fs:[00000030h] | 10_2_04CE7E41 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE7E41 mov eax, dword ptr fs:[00000030h] | 10_2_04CE7E41 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE7E41 mov eax, dword ptr fs:[00000030h] | 10_2_04CE7E41 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE7E41 mov eax, dword ptr fs:[00000030h] | 10_2_04CE7E41 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9AE44 mov eax, dword ptr fs:[00000030h] | 10_2_04D9AE44 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9AE44 mov eax, dword ptr fs:[00000030h] | 10_2_04D9AE44 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE766D mov eax, dword ptr fs:[00000030h] | 10_2_04CE766D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFAE73 mov eax, dword ptr fs:[00000030h] | 10_2_04CFAE73 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFAE73 mov eax, dword ptr fs:[00000030h] | 10_2_04CFAE73 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFAE73 mov eax, dword ptr fs:[00000030h] | 10_2_04CFAE73 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFAE73 mov eax, dword ptr fs:[00000030h] | 10_2_04CFAE73 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFAE73 mov eax, dword ptr fs:[00000030h] | 10_2_04CFAE73 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0A61C mov eax, dword ptr fs:[00000030h] | 10_2_04D0A61C |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0A61C mov eax, dword ptr fs:[00000030h] | 10_2_04D0A61C |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDC600 mov eax, dword ptr fs:[00000030h] | 10_2_04CDC600 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDC600 mov eax, dword ptr fs:[00000030h] | 10_2_04CDC600 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDC600 mov eax, dword ptr fs:[00000030h] | 10_2_04CDC600 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D08E00 mov eax, dword ptr fs:[00000030h] | 10_2_04D08E00 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D91608 mov eax, dword ptr fs:[00000030h] | 10_2_04D91608 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D8FE3F mov eax, dword ptr fs:[00000030h] | 10_2_04D8FE3F |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDE620 mov eax, dword ptr fs:[00000030h] | 10_2_04CDE620 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D137F5 mov eax, dword ptr fs:[00000030h] | 10_2_04D137F5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D57794 mov eax, dword ptr fs:[00000030h] | 10_2_04D57794 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D57794 mov eax, dword ptr fs:[00000030h] | 10_2_04D57794 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D57794 mov eax, dword ptr fs:[00000030h] | 10_2_04D57794 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE8794 mov eax, dword ptr fs:[00000030h] | 10_2_04CE8794 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEEF40 mov eax, dword ptr fs:[00000030h] | 10_2_04CEEF40 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEFF60 mov eax, dword ptr fs:[00000030h] | 10_2_04CEFF60 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA8F6A mov eax, dword ptr fs:[00000030h] | 10_2_04DA8F6A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6FF10 mov eax, dword ptr fs:[00000030h] | 10_2_04D6FF10 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6FF10 mov eax, dword ptr fs:[00000030h] | 10_2_04D6FF10 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA070D mov eax, dword ptr fs:[00000030h] | 10_2_04DA070D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA070D mov eax, dword ptr fs:[00000030h] | 10_2_04DA070D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFF716 mov eax, dword ptr fs:[00000030h] | 10_2_04CFF716 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0A70E mov eax, dword ptr fs:[00000030h] | 10_2_04D0A70E |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0A70E mov eax, dword ptr fs:[00000030h] | 10_2_04D0A70E |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0E730 mov eax, dword ptr fs:[00000030h] | 10_2_04D0E730 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD4F2E mov eax, dword ptr fs:[00000030h] | 10_2_04CD4F2E |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD4F2E mov eax, dword ptr fs:[00000030h] | 10_2_04CD4F2E |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6B8D0 mov eax, dword ptr fs:[00000030h] | 10_2_04D6B8D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6B8D0 mov ecx, dword ptr fs:[00000030h] | 10_2_04D6B8D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6B8D0 mov eax, dword ptr fs:[00000030h] | 10_2_04D6B8D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6B8D0 mov eax, dword ptr fs:[00000030h] | 10_2_04D6B8D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6B8D0 mov eax, dword ptr fs:[00000030h] | 10_2_04D6B8D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D6B8D0 mov eax, dword ptr fs:[00000030h] | 10_2_04D6B8D0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD58EC mov eax, dword ptr fs:[00000030h] | 10_2_04CD58EC |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9080 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9080 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D53884 mov eax, dword ptr fs:[00000030h] | 10_2_04D53884 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D53884 mov eax, dword ptr fs:[00000030h] | 10_2_04D53884 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0F0BF mov ecx, dword ptr fs:[00000030h] | 10_2_04D0F0BF |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0F0BF mov eax, dword ptr fs:[00000030h] | 10_2_04D0F0BF |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0F0BF mov eax, dword ptr fs:[00000030h] | 10_2_04D0F0BF |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D020A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D020A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D020A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D020A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D020A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D020A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D190AF mov eax, dword ptr fs:[00000030h] | 10_2_04D190AF |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF0050 mov eax, dword ptr fs:[00000030h] | 10_2_04CF0050 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF0050 mov eax, dword ptr fs:[00000030h] | 10_2_04CF0050 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D92073 mov eax, dword ptr fs:[00000030h] | 10_2_04D92073 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA1074 mov eax, dword ptr fs:[00000030h] | 10_2_04DA1074 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D57016 mov eax, dword ptr fs:[00000030h] | 10_2_04D57016 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D57016 mov eax, dword ptr fs:[00000030h] | 10_2_04D57016 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D57016 mov eax, dword ptr fs:[00000030h] | 10_2_04D57016 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA4015 mov eax, dword ptr fs:[00000030h] | 10_2_04DA4015 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA4015 mov eax, dword ptr fs:[00000030h] | 10_2_04DA4015 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEB02A mov eax, dword ptr fs:[00000030h] | 10_2_04CEB02A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEB02A mov eax, dword ptr fs:[00000030h] | 10_2_04CEB02A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEB02A mov eax, dword ptr fs:[00000030h] | 10_2_04CEB02A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEB02A mov eax, dword ptr fs:[00000030h] | 10_2_04CEB02A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0002D mov eax, dword ptr fs:[00000030h] | 10_2_04D0002D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0002D mov eax, dword ptr fs:[00000030h] | 10_2_04D0002D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0002D mov eax, dword ptr fs:[00000030h] | 10_2_04D0002D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0002D mov eax, dword ptr fs:[00000030h] | 10_2_04D0002D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0002D mov eax, dword ptr fs:[00000030h] | 10_2_04D0002D |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDB1E1 mov eax, dword ptr fs:[00000030h] | 10_2_04CDB1E1 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDB1E1 mov eax, dword ptr fs:[00000030h] | 10_2_04CDB1E1 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDB1E1 mov eax, dword ptr fs:[00000030h] | 10_2_04CDB1E1 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D641E8 mov eax, dword ptr fs:[00000030h] | 10_2_04D641E8 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D02990 mov eax, dword ptr fs:[00000030h] | 10_2_04D02990 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFC182 mov eax, dword ptr fs:[00000030h] | 10_2_04CFC182 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0A185 mov eax, dword ptr fs:[00000030h] | 10_2_04D0A185 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D551BE mov eax, dword ptr fs:[00000030h] | 10_2_04D551BE |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D551BE mov eax, dword ptr fs:[00000030h] | 10_2_04D551BE |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D551BE mov eax, dword ptr fs:[00000030h] | 10_2_04D551BE |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D551BE mov eax, dword ptr fs:[00000030h] | 10_2_04D551BE |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D061A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D061A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D061A0 mov eax, dword ptr fs:[00000030h] | 10_2_04D061A0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D569A6 mov eax, dword ptr fs:[00000030h] | 10_2_04D569A6 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFB944 mov eax, dword ptr fs:[00000030h] | 10_2_04CFB944 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFB944 mov eax, dword ptr fs:[00000030h] | 10_2_04CFB944 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDC962 mov eax, dword ptr fs:[00000030h] | 10_2_04CDC962 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDB171 mov eax, dword ptr fs:[00000030h] | 10_2_04CDB171 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDB171 mov eax, dword ptr fs:[00000030h] | 10_2_04CDB171 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9100 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9100 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9100 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9100 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9100 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9100 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0513A mov eax, dword ptr fs:[00000030h] | 10_2_04D0513A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0513A mov eax, dword ptr fs:[00000030h] | 10_2_04D0513A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF4120 mov eax, dword ptr fs:[00000030h] | 10_2_04CF4120 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF4120 mov eax, dword ptr fs:[00000030h] | 10_2_04CF4120 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF4120 mov eax, dword ptr fs:[00000030h] | 10_2_04CF4120 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF4120 mov eax, dword ptr fs:[00000030h] | 10_2_04CF4120 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF4120 mov ecx, dword ptr fs:[00000030h] | 10_2_04CF4120 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D02ACB mov eax, dword ptr fs:[00000030h] | 10_2_04D02ACB |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D02AE4 mov eax, dword ptr fs:[00000030h] | 10_2_04D02AE4 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0D294 mov eax, dword ptr fs:[00000030h] | 10_2_04D0D294 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0D294 mov eax, dword ptr fs:[00000030h] | 10_2_04D0D294 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0FAB0 mov eax, dword ptr fs:[00000030h] | 10_2_04D0FAB0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD52A5 mov eax, dword ptr fs:[00000030h] | 10_2_04CD52A5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD52A5 mov eax, dword ptr fs:[00000030h] | 10_2_04CD52A5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD52A5 mov eax, dword ptr fs:[00000030h] | 10_2_04CD52A5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD52A5 mov eax, dword ptr fs:[00000030h] | 10_2_04CD52A5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD52A5 mov eax, dword ptr fs:[00000030h] | 10_2_04CD52A5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEAAB0 mov eax, dword ptr fs:[00000030h] | 10_2_04CEAAB0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEAAB0 mov eax, dword ptr fs:[00000030h] | 10_2_04CEAAB0 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D64257 mov eax, dword ptr fs:[00000030h] | 10_2_04D64257 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9EA55 mov eax, dword ptr fs:[00000030h] | 10_2_04D9EA55 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9240 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9240 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9240 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9240 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9240 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9240 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD9240 mov eax, dword ptr fs:[00000030h] | 10_2_04CD9240 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1927A mov eax, dword ptr fs:[00000030h] | 10_2_04D1927A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D8B260 mov eax, dword ptr fs:[00000030h] | 10_2_04D8B260 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D8B260 mov eax, dword ptr fs:[00000030h] | 10_2_04D8B260 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA8A62 mov eax, dword ptr fs:[00000030h] | 10_2_04DA8A62 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE8A0A mov eax, dword ptr fs:[00000030h] | 10_2_04CE8A0A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9AA16 mov eax, dword ptr fs:[00000030h] | 10_2_04D9AA16 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9AA16 mov eax, dword ptr fs:[00000030h] | 10_2_04D9AA16 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF3A1C mov eax, dword ptr fs:[00000030h] | 10_2_04CF3A1C |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDAA16 mov eax, dword ptr fs:[00000030h] | 10_2_04CDAA16 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDAA16 mov eax, dword ptr fs:[00000030h] | 10_2_04CDAA16 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD5210 mov eax, dword ptr fs:[00000030h] | 10_2_04CD5210 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD5210 mov ecx, dword ptr fs:[00000030h] | 10_2_04CD5210 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD5210 mov eax, dword ptr fs:[00000030h] | 10_2_04CD5210 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD5210 mov eax, dword ptr fs:[00000030h] | 10_2_04CD5210 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D14A2C mov eax, dword ptr fs:[00000030h] | 10_2_04D14A2C |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D14A2C mov eax, dword ptr fs:[00000030h] | 10_2_04D14A2C |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D553CA mov eax, dword ptr fs:[00000030h] | 10_2_04D553CA |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D553CA mov eax, dword ptr fs:[00000030h] | 10_2_04D553CA |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CFDBE9 mov eax, dword ptr fs:[00000030h] | 10_2_04CFDBE9 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D003E2 mov eax, dword ptr fs:[00000030h] | 10_2_04D003E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D003E2 mov eax, dword ptr fs:[00000030h] | 10_2_04D003E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D003E2 mov eax, dword ptr fs:[00000030h] | 10_2_04D003E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D003E2 mov eax, dword ptr fs:[00000030h] | 10_2_04D003E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D003E2 mov eax, dword ptr fs:[00000030h] | 10_2_04D003E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D003E2 mov eax, dword ptr fs:[00000030h] | 10_2_04D003E2 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0B390 mov eax, dword ptr fs:[00000030h] | 10_2_04D0B390 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE1B8F mov eax, dword ptr fs:[00000030h] | 10_2_04CE1B8F |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE1B8F mov eax, dword ptr fs:[00000030h] | 10_2_04CE1B8F |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D02397 mov eax, dword ptr fs:[00000030h] | 10_2_04D02397 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9138A mov eax, dword ptr fs:[00000030h] | 10_2_04D9138A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D8D380 mov ecx, dword ptr fs:[00000030h] | 10_2_04D8D380 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D04BAD mov eax, dword ptr fs:[00000030h] | 10_2_04D04BAD |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D04BAD mov eax, dword ptr fs:[00000030h] | 10_2_04D04BAD |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D04BAD mov eax, dword ptr fs:[00000030h] | 10_2_04D04BAD |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA5BA5 mov eax, dword ptr fs:[00000030h] | 10_2_04DA5BA5 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA8B58 mov eax, dword ptr fs:[00000030h] | 10_2_04DA8B58 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDDB40 mov eax, dword ptr fs:[00000030h] | 10_2_04CDDB40 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDF358 mov eax, dword ptr fs:[00000030h] | 10_2_04CDF358 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D03B7A mov eax, dword ptr fs:[00000030h] | 10_2_04D03B7A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D03B7A mov eax, dword ptr fs:[00000030h] | 10_2_04D03B7A |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDDB60 mov ecx, dword ptr fs:[00000030h] | 10_2_04CDDB60 |
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9131B mov eax, dword ptr fs:[00000030h] | 10_2_04D9131B |
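Every row above records the same instruction, `mov eax, dword ptr fs:[00000030h]` (or the `ecx` variant), inside code the sandbox analysed in process 10, msdt.exe. In a 32-bit (SysWOW64) process the FS segment base is the TEB, and TEB+0x30 holds the pointer to the PEB; code reads it either to check anti-debugging fields (PEB+0x02 `BeingDebugged`, PEB+0x68 `NtGlobalFlag`) or to walk PEB+0x0C `Ldr` and resolve APIs by hand instead of through an import table, which is why a sandbox flags it. The scanner below is an added example, not part of the report or of the analysed sample: it finds those loads in a raw 32-bit code blob by their byte encodings (FS prefix 0x64, then opcode A1 for the short `mov eax, moffs32` form, or 8B with a mod=00/rm=101 ModRM byte for the general `mov r32, [disp32]` form) and reports them in the same shape as the rows above. The sample blob, the base address used for printing and the function names are constructed for illustration; a linear byte scan like this is not a disassembler and can match the pattern inside data, so treat hits as candidates to confirm in a disassembler.

```python
"""Scan a 32-bit code blob for loads of the PEB pointer from fs:[0x30].

Added example, not from the sandbox report or the analysed sample. Assumes
32-bit (SysWOW64) code, where the mod=00 / rm=101 ModRM form is an absolute
disp32 operand (in 64-bit code that form would be RIP-relative instead).
"""
from __future__ import annotations

from dataclasses import dataclass

FS_PREFIX = 0x64          # segment-override prefix selecting FS (the TEB in 32-bit code)
MOV_EAX_MOFFS = 0xA1      # mov eax, moffs32  (short form, eax only)
MOV_R32_RM32 = 0x8B       # mov r32, r/m32    (general form, needs a ModRM byte)
PEB_OFFSET = (0x30).to_bytes(4, "little")   # TEB+0x30 = pointer to the PEB

# ModRM byte -> destination register, for mod=00, rm=101 (disp32, no base register)
_MODRM_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
              0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}


@dataclass(frozen=True)
class PebRead:
    offset: int      # offset of the instruction within the scanned blob
    register: str    # destination register of the load
    length: int      # instruction length in bytes

    def text(self, base: int = 0) -> str:
        """Render the hit the way the report rows do, relative to `base`."""
        return f"{base + self.offset:08X} mov {self.register}, dword ptr fs:[00000030h]"


def find_peb_reads(code: bytes) -> list[PebRead]:
    """Return every fs:[0x30] load found in `code`, in address order."""
    hits: list[PebRead] = []
    n = len(code)
    i = 0
    while i < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        # 64 A1 30 00 00 00        mov eax, dword ptr fs:[30h]
        if code[i + 1:i + 2] == bytes([MOV_EAX_MOFFS]) and code[i + 2:i + 6] == PEB_OFFSET:
            hits.append(PebRead(i, "eax", 6))
            i += 6
            continue
        # 64 8B /r 30 00 00 00     mov r32, dword ptr fs:[30h]
        if (code[i + 1:i + 2] == bytes([MOV_R32_RM32])
                and i + 2 < n and code[i + 2] in _MODRM_REG
                and code[i + 3:i + 7] == PEB_OFFSET):
            hits.append(PebRead(i, _MODRM_REG[code[i + 2]], 7))
            i += 7
            continue
        i += 1   # a 0x64 byte that is not the start of a PEB load (data, or another FS access)
    return hits


def summarize(code: bytes) -> dict[str, int]:
    """Count PEB loads per destination register, as a quick triage figure."""
    counts: dict[str, int] = {}
    for hit in find_peb_reads(code):
        counts[hit.register] = counts.get(hit.register, 0) + 1
    return counts


# Constructed sample blob (not bytes from the analysed sample): three PEB loads
# mixed with an fs:[0x18] TEB self-pointer read that must not match and a
# stray 0x64 immediate that is data rather than a prefix.
SAMPLE = bytes.fromhex(
    "55 8B EC "                  # push ebp; mov ebp, esp
    "64 A1 30 00 00 00 "         # mov eax, dword ptr fs:[30h]    <- PEB
    "8A 40 02 "                  # mov al, byte ptr [eax+2]       (PEB.BeingDebugged)
    "64 8B 0D 30 00 00 00 "      # mov ecx, dword ptr fs:[30h]    <- PEB
    "8B 49 0C "                  # mov ecx, dword ptr [ecx+0Ch]   (PEB.Ldr)
    "64 A1 18 00 00 00 "         # mov eax, dword ptr fs:[18h]    (TEB self pointer, not PEB)
    "B8 64 00 00 00 "            # mov eax, 64h                   (0x64 as data)
    "64 8B 05 30 00 00 00 "      # mov eax, dword ptr fs:[30h]    <- PEB
    "5D C3 "                     # pop ebp; ret
)

if __name__ == "__main__":
    # Hypothetical base address for display only.
    for hit in find_peb_reads(SAMPLE):
        print(hit.text(base=0x04CE3D34))
    print(summarize(SAMPLE))
```

Run over a dumped code region (for example the bytes behind the `10_2_04CE3D34` function above, read from the process memory dump), the hit count per function reproduces the repeated rows the report shows for that function, and the `ecx` hits correspond to the `mov ecx, dword ptr fs:[00000030h]` variants.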