Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack |
Malware Configuration Extractor: FormBook {"C2 list": ["www.ntljcb.com/tub0/"], "decoy": ["playgeazie.com", "blessedmindset.net", "alejofaj.com", "electricbiketechnologes.com", "jmrrealestatellc.com", "alphafathers.com", "trinityhousegoa.com", "trainingrealestateagents.com", "esarpfabrikasi.com", "bookgallary.com", "centralpark-mca.net", "killthemessengermedia.com", "ayderthermal.com", "adsdito.com", "findmy-fmi.info", "1030aponiplace.com", "nachbau.net", "richtig-zuhause-lernen.com", "wuovcoizph.net", "avrplayground.com", "miamiimportca.com", "henrysmassey.com", "truthish.fyi", "serildaspeaks.com", "the-tagteam.com", "s-keer.com", "millersgreenacresfarm.com", "bodytruffle.com", "djtlp.com", "buystockswithcreditcard.com", "estevezcosmetics.com", "fsqlgt.com", "rochellparente.com", "elepope.com", "makiyato.com", "standoniner.com", "onemicandabunchofothers.com", "actranslate.com", "jewelstomorejewels.com", "xn--d1afwajbhp.site", "gogomarketing.xyz", "plietea.club", "carbon-foam.com", "gidanpacouture.com", "covidwatcharizona.com", "truvizi.com", "castleshortage.com", "afromesagroup.com", "specter.one", "mac-compost.com", "spicyfilm.com", "aslanforklift.com", "oka.one", "myjewely.com", "floridashooters.com", "2seamapparel.com", "europeanctosummit.com", "beyond-cultures.com", "cowbex.info", "amandawilsonfamilylaw.com", "whereisdalie.com", "statuniverse.com", "nobotsland.net", "dateatither.com"]} |
Source: explorer.exe, 00000006.00000000.253352274.0000000008907000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://fontfabrik.com |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.carterandcone.coml |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com |
Source: explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers? |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designersG |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.fonts.com |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.founder.com.cn/cn |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp |
String found in binary or memory: http://www.fsqlgt.com/ |
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp |
String found in binary or memory: http://www.fsqlgt.com/T0hlT=nrDRCNaQ3GMZq2PvHSeNd5wOe |
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp |
String found in binary or memory: http://www.fsqlgt.com/tub0/?0T0hlT=nrDRCNaQ3GMZq2PvHSeNd5wOe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.goodfont.co.kr |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.sajatypeworks.com |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.sakkal.com |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.sandoll.co.kr |
Source: explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.tiro.com |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.typography.netD |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.urwpp.deDPlease |
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.zhongyicts.com.cn |
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp |
String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_004181B0 NtCreateFile, |
5_2_004181B0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00418260 NtReadFile, |
5_2_00418260 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_004182E0 NtClose, |
5_2_004182E0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00418390 NtAllocateVirtualMemory, |
5_2_00418390 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041825A NtReadFile, |
5_2_0041825A |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_004182AB NtReadFile, |
5_2_004182AB |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041838A NtAllocateVirtualMemory, |
5_2_0041838A |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019799A0 NtCreateSection,LdrInitializeThunk, |
5_2_019799A0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019795D0 NtClose,LdrInitializeThunk, |
5_2_019795D0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
5_2_01979910 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979540 NtReadFile,LdrInitializeThunk, |
5_2_01979540 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019798F0 NtReadVirtualMemory,LdrInitializeThunk, |
5_2_019798F0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979840 NtDelayExecution,LdrInitializeThunk, |
5_2_01979840 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979860 NtQuerySystemInformation,LdrInitializeThunk, |
5_2_01979860 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979780 NtMapViewOfSection,LdrInitializeThunk, |
5_2_01979780 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019797A0 NtUnmapViewOfSection,LdrInitializeThunk, |
5_2_019797A0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979FE0 NtCreateMutant,LdrInitializeThunk, |
5_2_01979FE0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979710 NtQueryInformationToken,LdrInitializeThunk, |
5_2_01979710 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019796E0 NtFreeVirtualMemory,LdrInitializeThunk, |
5_2_019796E0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979A00 NtProtectVirtualMemory,LdrInitializeThunk, |
5_2_01979A00 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979A20 NtResumeThread,LdrInitializeThunk, |
5_2_01979A20 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979A50 NtCreateFile,LdrInitializeThunk, |
5_2_01979A50 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979660 NtAllocateVirtualMemory,LdrInitializeThunk, |
5_2_01979660 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019799D0 NtCreateProcessEx, |
5_2_019799D0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019795F0 NtQueryInformationFile, |
5_2_019795F0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0197AD30 NtSetContextThread, |
5_2_0197AD30 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979520 NtWaitForSingleObject, |
5_2_01979520 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979950 NtQueueApcThread, |
5_2_01979950 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979560 NtWriteFile, |
5_2_01979560 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019798A0 NtWriteVirtualMemory, |
5_2_019798A0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979820 NtEnumerateKey, |
5_2_01979820 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0197B040 NtSuspendThread, |
5_2_0197B040 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0197A3B0 NtGetContextThread, |
5_2_0197A3B0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0197A710 NtOpenProcessToken, |
5_2_0197A710 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979B00 NtSetValueKey, |
5_2_01979B00 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979730 NtQueryVirtualMemory, |
5_2_01979730 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979770 NtSetInformationFile, |
5_2_01979770 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0197A770 NtOpenThread, |
5_2_0197A770 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979760 NtOpenProcess, |
5_2_01979760 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979A80 NtOpenDirectoryObject, |
5_2_01979A80 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019796D0 NtCreateKey, |
5_2_019796D0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979610 NtEnumerateValueKey, |
5_2_01979610 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979A10 NtQuerySection, |
5_2_01979A10 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979650 NtQueryValueKey, |
5_2_01979650 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01979670 NtQueryInformationProcess, |
5_2_01979670 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C395D0 NtClose,LdrInitializeThunk, |
11_2_04C395D0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39540 NtReadFile,LdrInitializeThunk, |
11_2_04C39540 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C396D0 NtCreateKey,LdrInitializeThunk, |
11_2_04C396D0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C396E0 NtFreeVirtualMemory,LdrInitializeThunk, |
11_2_04C396E0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39650 NtQueryValueKey,LdrInitializeThunk, |
11_2_04C39650 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39660 NtAllocateVirtualMemory,LdrInitializeThunk, |
11_2_04C39660 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39FE0 NtCreateMutant,LdrInitializeThunk, |
11_2_04C39FE0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39780 NtMapViewOfSection,LdrInitializeThunk, |
11_2_04C39780 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39710 NtQueryInformationToken,LdrInitializeThunk, |
11_2_04C39710 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39840 NtDelayExecution,LdrInitializeThunk, |
11_2_04C39840 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39860 NtQuerySystemInformation,LdrInitializeThunk, |
11_2_04C39860 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C399A0 NtCreateSection,LdrInitializeThunk, |
11_2_04C399A0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
11_2_04C39910 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39A50 NtCreateFile,LdrInitializeThunk, |
11_2_04C39A50 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C395F0 NtQueryInformationFile, |
11_2_04C395F0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39560 NtWriteFile, |
11_2_04C39560 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39520 NtWaitForSingleObject, |
11_2_04C39520 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C3AD30 NtSetContextThread, |
11_2_04C3AD30 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39670 NtQueryInformationProcess, |
11_2_04C39670 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39610 NtEnumerateValueKey, |
11_2_04C39610 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C397A0 NtUnmapViewOfSection, |
11_2_04C397A0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39760 NtOpenProcess, |
11_2_04C39760 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C3A770 NtOpenThread, |
11_2_04C3A770 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39770 NtSetInformationFile, |
11_2_04C39770 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C3A710 NtOpenProcessToken, |
11_2_04C3A710 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39730 NtQueryVirtualMemory, |
11_2_04C39730 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C398F0 NtReadVirtualMemory, |
11_2_04C398F0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C398A0 NtWriteVirtualMemory, |
11_2_04C398A0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C3B040 NtSuspendThread, |
11_2_04C3B040 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39820 NtEnumerateKey, |
11_2_04C39820 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C399D0 NtCreateProcessEx, |
11_2_04C399D0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39950 NtQueueApcThread, |
11_2_04C39950 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39A80 NtOpenDirectoryObject, |
11_2_04C39A80 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39A00 NtProtectVirtualMemory, |
11_2_04C39A00 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39A10 NtQuerySection, |
11_2_04C39A10 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39A20 NtResumeThread, |
11_2_04C39A20 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C3A3B0 NtGetContextThread, |
11_2_04C3A3B0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C39B00 NtSetValueKey, |
11_2_04C39B00 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE81B0 NtCreateFile, |
11_2_00CE81B0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE82E0 NtClose, |
11_2_00CE82E0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE8260 NtReadFile, |
11_2_00CE8260 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE8390 NtAllocateVirtualMemory, |
11_2_00CE8390 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE82AB NtReadFile, |
11_2_00CE82AB |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE825A NtReadFile, |
11_2_00CE825A |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CE838A NtAllocateVirtualMemory, |
11_2_00CE838A |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 2_2_00A1C508 |
2_2_00A1C508 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 2_2_00A19990 |
2_2_00A19990 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00401030 |
5_2_00401030 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041A296 |
5_2_0041A296 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041BB66 |
5_2_0041BB66 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041CB72 |
5_2_0041CB72 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041CB75 |
5_2_0041CB75 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00408C50 |
5_2_00408C50 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00402D87 |
5_2_00402D87 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00402D90 |
5_2_00402D90 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041B61B |
5_2_0041B61B |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0041BEB6 |
5_2_0041BEB6 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_00402FB0 |
5_2_00402FB0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01962581 |
5_2_01962581 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0194D5E0 |
5_2_0194D5E0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A025DD |
5_2_01A025DD |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0193F900 |
5_2_0193F900 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A02D07 |
5_2_01A02D07 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01930D20 |
5_2_01930D20 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01954120 |
5_2_01954120 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A01D55 |
5_2_01A01D55 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0194B090 |
5_2_0194B090 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A020A8 |
5_2_01A020A8 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019620A0 |
5_2_019620A0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A028EC |
5_2_01A028EC |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0194841F |
5_2_0194841F |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019F1002 |
5_2_019F1002 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_0196EBB0 |
5_2_0196EBB0 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_019FDBD2 |
5_2_019FDBD2 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A01FF1 |
5_2_01A01FF1 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A02B28 |
5_2_01A02B28 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A022AE |
5_2_01A022AE |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01A02EF7 |
5_2_01A02EF7 |
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe |
Code function: 5_2_01956E30 |
5_2_01956E30 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_06427062 |
6_2_06427062 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_064228F9 |
6_2_064228F9 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_064252FF |
6_2_064252FF |
Source: C:\Windows\explorer.exe |
Code function: 6_2_06423362 |
6_2_06423362 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_06422902 |
6_2_06422902 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_06425302 |
6_2_06425302 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_064287C7 |
6_2_064287C7 |
Source: C:\Windows\explorer.exe |
Code function: 6_2_064295B2 |
6_2_064295B2 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CBD466 |
11_2_04CBD466 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C0841F |
11_2_04C0841F |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC25DD |
11_2_04CC25DD |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C0D5E0 |
11_2_04C0D5E0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC1D55 |
11_2_04CC1D55 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04BF0D20 |
11_2_04BF0D20 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC2D07 |
11_2_04CC2D07 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC2EF7 |
11_2_04CC2EF7 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CBD616 |
11_2_04CBD616 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C16E30 |
11_2_04C16E30 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CCDFCE |
11_2_04CCDFCE |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC1FF1 |
11_2_04CC1FF1 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC28EC |
11_2_04CC28EC |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C0B090 |
11_2_04C0B090 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C220A0 |
11_2_04C220A0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC20A8 |
11_2_04CC20A8 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CB1002 |
11_2_04CB1002 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CCE824 |
11_2_04CCE824 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04BFF900 |
11_2_04BFF900 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C14120 |
11_2_04C14120 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC22AE |
11_2_04CC22AE |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CAFA2B |
11_2_04CAFA2B |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CB03DA |
11_2_04CB03DA |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CBDBD2 |
11_2_04CBDBD2 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C2EBB0 |
11_2_04C2EBB0 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04C1AB40 |
11_2_04C1AB40 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_04CC2B28 |
11_2_04CC2B28 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CEA296 |
11_2_00CEA296 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CECB75 |
11_2_00CECB75 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CECB72 |
11_2_00CECB72 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CD8C50 |
11_2_00CD8C50 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CD2D87 |
11_2_00CD2D87 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CD2D90 |
11_2_00CD2D90 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Code function: 11_2_00CD2FB0 |
11_2_00CD2FB0 |
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameriched20.dllp( vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilename vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp |
Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameAsyncState.dllF vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.227342464.0000000000A60000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.226621287.00000000002F8000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.234024022.00000000086C0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000002.00000002.233518912.0000000008500000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemscorrc.dllT vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000005.00000000.225714559.0000000000EB8000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000005.00000002.285659789.000000000169B000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenamemsiexec.exeX vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs 4pFzkB6ePK.exe |
Source: 4pFzkB6ePK.exe |
Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe |
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |