Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A310 NtCreateFile, | 2_2_0041A310 |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A3C0 NtReadFile, | 2_2_0041A3C0 |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A440 NtClose, | 2_2_0041A440 |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A4F0 NtAllocateVirtualMemory, | 2_2_0041A4F0 |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A368 NtReadFile, | 2_2_0041A368 |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A30A NtCreateFile, | 2_2_0041A30A |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A43A NtClose, | 2_2_0041A43A |
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | Code function: 2_2_0041A4EA NtAllocateVirtualMemory, | 2_2_0041A4EA |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09840 NtDelayExecution,LdrInitializeThunk, | 17_2_04C09840 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09860 NtQuerySystemInformation,LdrInitializeThunk, | 17_2_04C09860 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C095D0 NtClose,LdrInitializeThunk, | 17_2_04C095D0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C099A0 NtCreateSection,LdrInitializeThunk, | 17_2_04C099A0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09540 NtReadFile,LdrInitializeThunk, | 17_2_04C09540 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 17_2_04C09910 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C096D0 NtCreateKey,LdrInitializeThunk, | 17_2_04C096D0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C096E0 NtFreeVirtualMemory,LdrInitializeThunk, | 17_2_04C096E0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09650 NtQueryValueKey,LdrInitializeThunk, | 17_2_04C09650 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09A50 NtCreateFile,LdrInitializeThunk, | 17_2_04C09A50 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09660 NtAllocateVirtualMemory,LdrInitializeThunk, | 17_2_04C09660 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09FE0 NtCreateMutant,LdrInitializeThunk, | 17_2_04C09FE0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09780 NtMapViewOfSection,LdrInitializeThunk, | 17_2_04C09780 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09710 NtQueryInformationToken,LdrInitializeThunk, | 17_2_04C09710 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C098F0 NtReadVirtualMemory, | 17_2_04C098F0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C098A0 NtWriteVirtualMemory, | 17_2_04C098A0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C0B040 NtSuspendThread, | 17_2_04C0B040 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09820 NtEnumerateKey, | 17_2_04C09820 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C099D0 NtCreateProcessEx, | 17_2_04C099D0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C095F0 NtQueryInformationFile, | 17_2_04C095F0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09950 NtQueueApcThread, | 17_2_04C09950 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09560 NtWriteFile, | 17_2_04C09560 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09520 NtWaitForSingleObject, | 17_2_04C09520 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C0AD30 NtSetContextThread, | 17_2_04C0AD30 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09A80 NtOpenDirectoryObject, | 17_2_04C09A80 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09670 NtQueryInformationProcess, | 17_2_04C09670 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09A00 NtProtectVirtualMemory, | 17_2_04C09A00 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09610 NtEnumerateValueKey, | 17_2_04C09610 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09A10 NtQuerySection, | 17_2_04C09A10 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09A20 NtResumeThread, | 17_2_04C09A20 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C097A0 NtUnmapViewOfSection, | 17_2_04C097A0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C0A3B0 NtGetContextThread, | 17_2_04C0A3B0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09760 NtOpenProcess, | 17_2_04C09760 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09770 NtSetInformationFile, | 17_2_04C09770 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C0A770 NtOpenThread, | 17_2_04C0A770 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09B00 NtSetValueKey, | 17_2_04C09B00 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C0A710 NtOpenProcessToken, | 17_2_04C0A710 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C09730 NtQueryVirtualMemory, | 17_2_04C09730 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA3C0 NtReadFile, | 17_2_02EFA3C0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA310 NtCreateFile, | 17_2_02EFA310 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA4F0 NtAllocateVirtualMemory, | 17_2_02EFA4F0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA440 NtClose, | 17_2_02EFA440 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA368 NtReadFile, | 17_2_02EFA368 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA30A NtCreateFile, | 17_2_02EFA30A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA4EA NtAllocateVirtualMemory, | 17_2_02EFA4EA |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_02EFA43A NtClose, | 17_2_02EFA43A |
Source: C:\Users\user\Desktop\unpaid_invoices.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFF0BF mov ecx, dword ptr fs:[00000030h] | 17_2_04BFF0BF |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFF0BF mov eax, dword ptr fs:[00000030h] | 17_2_04BFF0BF |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C5B8D0 mov eax, dword ptr fs:[00000030h] | 17_2_04C5B8D0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C5B8D0 mov ecx, dword ptr fs:[00000030h] | 17_2_04C5B8D0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C98CD6 mov eax, dword ptr fs:[00000030h] | 17_2_04C98CD6 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C814FB mov eax, dword ptr fs:[00000030h] | 17_2_04C814FB |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C46CF0 mov eax, dword ptr fs:[00000030h] | 17_2_04C46CF0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BC9080 mov eax, dword ptr fs:[00000030h] | 17_2_04BC9080 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C43884 mov eax, dword ptr fs:[00000030h] | 17_2_04C43884 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C090AF mov eax, dword ptr fs:[00000030h] | 17_2_04C090AF |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFBC2C mov eax, dword ptr fs:[00000030h] | 17_2_04BFBC2C |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C5C450 mov eax, dword ptr fs:[00000030h] | 17_2_04C5C450 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BDB02A mov eax, dword ptr fs:[00000030h] | 17_2_04BDB02A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C82073 mov eax, dword ptr fs:[00000030h] | 17_2_04C82073 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C91074 mov eax, dword ptr fs:[00000030h] | 17_2_04C91074 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C9740D mov eax, dword ptr fs:[00000030h] | 17_2_04C9740D |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C81C06 mov eax, dword ptr fs:[00000030h] | 17_2_04C81C06 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C46C0A mov eax, dword ptr fs:[00000030h] | 17_2_04C46C0A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C47016 mov eax, dword ptr fs:[00000030h] | 17_2_04C47016 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BE746D mov eax, dword ptr fs:[00000030h] | 17_2_04BE746D |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C94015 mov eax, dword ptr fs:[00000030h] | 17_2_04C94015 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BE0050 mov eax, dword ptr fs:[00000030h] | 17_2_04BE0050 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BF35A1 mov eax, dword ptr fs:[00000030h] | 17_2_04BF35A1 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFFD9B mov eax, dword ptr fs:[00000030h] | 17_2_04BFFD9B |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C78DF1 mov eax, dword ptr fs:[00000030h] | 17_2_04C78DF1 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BC2D8A mov eax, dword ptr fs:[00000030h] | 17_2_04BC2D8A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFA185 mov eax, dword ptr fs:[00000030h] | 17_2_04BFA185 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BEC182 mov eax, dword ptr fs:[00000030h] | 17_2_04BEC182 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCB1E1 mov eax, dword ptr fs:[00000030h] | 17_2_04BCB1E1 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C03D43 mov eax, dword ptr fs:[00000030h] | 17_2_04C03D43 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BF4D3B mov eax, dword ptr fs:[00000030h] | 17_2_04BF4D3B |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C43540 mov eax, dword ptr fs:[00000030h] | 17_2_04C43540 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BF513A mov eax, dword ptr fs:[00000030h] | 17_2_04BF513A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] | 17_2_04BD3D34 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCAD30 mov eax, dword ptr fs:[00000030h] | 17_2_04BCAD30 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BE4120 mov eax, dword ptr fs:[00000030h] | 17_2_04BE4120 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BE4120 mov ecx, dword ptr fs:[00000030h] | 17_2_04BE4120 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BC9100 mov eax, dword ptr fs:[00000030h] | 17_2_04BC9100 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BEC577 mov eax, dword ptr fs:[00000030h] | 17_2_04BEC577 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCB171 mov eax, dword ptr fs:[00000030h] | 17_2_04BCB171 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BE7D50 mov eax, dword ptr fs:[00000030h] | 17_2_04BE7D50 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C4A537 mov eax, dword ptr fs:[00000030h] | 17_2_04C4A537 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BEB944 mov eax, dword ptr fs:[00000030h] | 17_2_04BEB944 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C98D34 mov eax, dword ptr fs:[00000030h] | 17_2_04C98D34 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C7FEC0 mov eax, dword ptr fs:[00000030h] | 17_2_04C7FEC0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C08EC7 mov eax, dword ptr fs:[00000030h] | 17_2_04C08EC7 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BDAAB0 mov eax, dword ptr fs:[00000030h] | 17_2_04BDAAB0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFFAB0 mov eax, dword ptr fs:[00000030h] | 17_2_04BFFAB0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BC52A5 mov eax, dword ptr fs:[00000030h] | 17_2_04BC52A5 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C98ED6 mov eax, dword ptr fs:[00000030h] | 17_2_04C98ED6 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFD294 mov eax, dword ptr fs:[00000030h] | 17_2_04BFD294 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C5FE87 mov eax, dword ptr fs:[00000030h] | 17_2_04C5FE87 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BF16E0 mov ecx, dword ptr fs:[00000030h] | 17_2_04BF16E0 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BD76E2 mov eax, dword ptr fs:[00000030h] | 17_2_04BD76E2 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C446A7 mov eax, dword ptr fs:[00000030h] | 17_2_04C446A7 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C90EA5 mov eax, dword ptr fs:[00000030h] | 17_2_04C90EA5 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BF36CC mov eax, dword ptr fs:[00000030h] | 17_2_04BF36CC |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCE620 mov eax, dword ptr fs:[00000030h] | 17_2_04BCE620 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BE3A1C mov eax, dword ptr fs:[00000030h] | 17_2_04BE3A1C |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C7B260 mov eax, dword ptr fs:[00000030h] | 17_2_04C7B260 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C98A62 mov eax, dword ptr fs:[00000030h] | 17_2_04C98A62 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C0927A mov eax, dword ptr fs:[00000030h] | 17_2_04C0927A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCC600 mov eax, dword ptr fs:[00000030h] | 17_2_04BCC600 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BEAE73 mov eax, dword ptr fs:[00000030h] | 17_2_04BEAE73 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BD766D mov eax, dword ptr fs:[00000030h] | 17_2_04BD766D |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C7FE3F mov eax, dword ptr fs:[00000030h] | 17_2_04C7FE3F |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BC9240 mov eax, dword ptr fs:[00000030h] | 17_2_04BC9240 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] | 17_2_04BD7E41 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFB390 mov eax, dword ptr fs:[00000030h] | 17_2_04BFB390 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BD1B8F mov eax, dword ptr fs:[00000030h] | 17_2_04BD1B8F |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C8138A mov eax, dword ptr fs:[00000030h] | 17_2_04C8138A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C7D380 mov ecx, dword ptr fs:[00000030h] | 17_2_04C7D380 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C47794 mov eax, dword ptr fs:[00000030h] | 17_2_04C47794 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C95BA5 mov eax, dword ptr fs:[00000030h] | 17_2_04C95BA5 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BFE730 mov eax, dword ptr fs:[00000030h] | 17_2_04BFE730 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C98B58 mov eax, dword ptr fs:[00000030h] | 17_2_04C98B58 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BC4F2E mov eax, dword ptr fs:[00000030h] | 17_2_04BC4F2E |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C98F6A mov eax, dword ptr fs:[00000030h] | 17_2_04C98F6A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C9070D mov eax, dword ptr fs:[00000030h] | 17_2_04C9070D |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BF3B7A mov eax, dword ptr fs:[00000030h] | 17_2_04BF3B7A |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C8131B mov eax, dword ptr fs:[00000030h] | 17_2_04C8131B |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04C5FF10 mov eax, dword ptr fs:[00000030h] | 17_2_04C5FF10 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCDB60 mov ecx, dword ptr fs:[00000030h] | 17_2_04BCDB60 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BDFF60 mov eax, dword ptr fs:[00000030h] | 17_2_04BDFF60 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCF358 mov eax, dword ptr fs:[00000030h] | 17_2_04BCF358 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BCDB40 mov eax, dword ptr fs:[00000030h] | 17_2_04BCDB40 |
Source: C:\Windows\SysWOW64\control.exe | Code function: 17_2_04BDEF40 mov eax, dword ptr fs:[00000030h] | 17_2_04BDEF40 |