Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack | Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]} |
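The extractor record above carries one real C2 entry (host plus URI path, no scheme) and a long decoy list. FormBook contacts decoy domains alongside the real C2 so that the attacker host is buried among unrelated, mostly legitimate, traffic; all of them show up in network telemetry, but only the C2 entry is attacker infrastructure and safe to block. The following is a worked example added here, not part of the sandbox output: it parses a record in exactly the format above and labels each indicator with a confidence and an action. The input is the record above trimmed to three decoys (constructed), and the hostname regex, the confidence labels and the action names are the example's own choices.

```python
import json
import re

# Constructed input: the configuration-extractor row from the report, trimmed to three
# of its 64 decoys so the example stays short. The parser does not care how many there are.
REPORT_LINE = (
    'Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack | '
    'Malware Configuration Extractor: FormBook '
    '{"C2 list": ["www.evolvekitchendesign.com/ffw/"], '
    '"decoy": ["unmutedgenerations.com", "localmoversuae.com", "ufdzbhrxk.icu"]} |'
)

_EXTRACTOR_RE = re.compile(r"Malware Configuration Extractor:\s*(\w+)\s*(\{.*\})")
# Plain DNS-name syntax check (labels of 1-63 chars, alphabetic TLD); assumption of this example.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def parse_extractor_line(line):
    """Return (family, config) from a 'Malware Configuration Extractor' report row."""
    m = _EXTRACTOR_RE.search(line)
    if not m:
        raise ValueError("no configuration-extractor record in line")
    return m.group(1), json.loads(m.group(2))


def split_c2(entry):
    """FormBook stores C2 entries as host + path without a scheme, e.g. 'host/ffw/'."""
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path if sep else "/")


def triage(config):
    """Turn a FormBook config into IOCs, one dict per indicator, with a confidence label."""
    iocs = []
    c2_hosts = set()
    for entry in config.get("C2 list", []):
        host, path = split_c2(entry)
        c2_hosts.add(host)
        iocs.append({"indicator": host, "kind": "c2_host", "confidence": "high", "action": "block"})
        # The path is the stable part of the URI the bot posts to: the thing to hunt for in proxy logs.
        iocs.append({"indicator": host + path, "kind": "c2_url", "confidence": "high", "action": "hunt"})
    for decoy in config.get("decoy", []):
        host = decoy.lower()
        if host in c2_hosts:
            continue  # already reported as C2; do not downgrade it to a decoy
        if not _HOST_RE.match(host):
            iocs.append({"indicator": host, "kind": "malformed", "confidence": "none", "action": "review"})
            continue
        # Decoys are unrelated domains the bot talks to in order to hide the real C2:
        # useful as context when reading a capture, not block-list material.
        iocs.append({"indicator": host, "kind": "decoy_host", "confidence": "low", "action": "context"})
    return iocs


def blocklist(iocs):
    """Only high-confidence hosts go on the block list."""
    return sorted({i["indicator"] for i in iocs if i["action"] == "block"})


def context_hosts(iocs):
    """Decoy hosts, kept separately so nobody blocks a legitimate site by accident."""
    return sorted(i["indicator"] for i in iocs if i["kind"] == "decoy_host")


if __name__ == "__main__":
    family, cfg = parse_extractor_line(REPORT_LINE)
    found = triage(cfg)
    print(family, "block:", blocklist(found))
    print("decoys (context only):", context_hosts(found))
```

Blocking the decoys would hit sites the malware author chose precisely because they are unremarkable; the split into `block`, `hunt` and `context` keeps that mistake out of the firewall change.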
Source: Booking Confirmation.exe, 00000000.00000003.650111317.0000000005725000.00000004.00000001.sdmp | String found in binary or memory: http://en.w |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: explorer.exe, 00000006.00000002.914045803.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: Booking Confirmation.exe, 00000000.00000003.653249672.0000000005728000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como. |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.651977805.0000000005727000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.652187363.0000000005726000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnE |
Source: Booking Confirmation.exe, 00000000.00000003.651858652.000000000572E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnht |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.come |
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coms |
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: Booking Confirmation.exe, 00000000.00000003.651298106.000000000573B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comym |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419D60 NtCreateFile, | 5_2_00419D60 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419E10 NtReadFile, | 5_2_00419E10 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419E90 NtClose, | 5_2_00419E90 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419F40 NtAllocateVirtualMemory, | 5_2_00419F40 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419D62 NtCreateFile, | 5_2_00419D62 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419D1C NtCreateFile, | 5_2_00419D1C |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419DB2 NtReadFile, | 5_2_00419DB2 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419E0A NtReadFile, | 5_2_00419E0A |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A99A0 NtCreateSection,LdrInitializeThunk, | 5_2_018A99A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 5_2_018A9910 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk, | 5_2_018A98F0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9840 NtDelayExecution,LdrInitializeThunk, | 5_2_018A9840 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_018A9860 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 5_2_018A9A00 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A20 NtResumeThread,LdrInitializeThunk, | 5_2_018A9A20 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A50 NtCreateFile,LdrInitializeThunk, | 5_2_018A9A50 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A95D0 NtClose,LdrInitializeThunk, | 5_2_018A95D0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9540 NtReadFile,LdrInitializeThunk, | 5_2_018A9540 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9780 NtMapViewOfSection,LdrInitializeThunk, | 5_2_018A9780 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_018A97A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9710 NtQueryInformationToken,LdrInitializeThunk, | 5_2_018A9710 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_018A96E0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_018A9660 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A99D0 NtCreateProcessEx, | 5_2_018A99D0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9950 NtQueueApcThread, | 5_2_018A9950 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A98A0 NtWriteVirtualMemory, | 5_2_018A98A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9820 NtEnumerateKey, | 5_2_018A9820 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AB040 NtSuspendThread, | 5_2_018AB040 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA3B0 NtGetContextThread, | 5_2_018AA3B0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9B00 NtSetValueKey, | 5_2_018A9B00 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A80 NtOpenDirectoryObject, | 5_2_018A9A80 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A10 NtQuerySection, | 5_2_018A9A10 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A95F0 NtQueryInformationFile, | 5_2_018A95F0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9520 NtWaitForSingleObject, | 5_2_018A9520 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AAD30 NtSetContextThread, | 5_2_018AAD30 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9560 NtWriteFile, | 5_2_018A9560 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9FE0 NtCreateMutant, | 5_2_018A9FE0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA710 NtOpenProcessToken, | 5_2_018AA710 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9730 NtQueryVirtualMemory, | 5_2_018A9730 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9760 NtOpenProcess, | 5_2_018A9760 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA770 NtOpenThread, | 5_2_018AA770 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9770 NtSetInformationFile, | 5_2_018A9770 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A96D0 NtCreateKey, | 5_2_018A96D0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9610 NtEnumerateValueKey, | 5_2_018A9610 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9650 NtQueryValueKey, | 5_2_018A9650 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9670 NtQueryInformationProcess, | 5_2_018A9670 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D295D0 NtClose,LdrInitializeThunk, | 8_2_04D295D0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29540 NtReadFile,LdrInitializeThunk, | 8_2_04D29540 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D296D0 NtCreateKey,LdrInitializeThunk, | 8_2_04D296D0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D296E0 NtFreeVirtualMemory,LdrInitializeThunk, | 8_2_04D296E0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29650 NtQueryValueKey,LdrInitializeThunk, | 8_2_04D29650 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29660 NtAllocateVirtualMemory,LdrInitializeThunk, | 8_2_04D29660 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29FE0 NtCreateMutant,LdrInitializeThunk, | 8_2_04D29FE0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29780 NtMapViewOfSection,LdrInitializeThunk, | 8_2_04D29780 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29710 NtQueryInformationToken,LdrInitializeThunk, | 8_2_04D29710 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29840 NtDelayExecution,LdrInitializeThunk, | 8_2_04D29840 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29860 NtQuerySystemInformation,LdrInitializeThunk, | 8_2_04D29860 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D299A0 NtCreateSection,LdrInitializeThunk, | 8_2_04D299A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 8_2_04D29910 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A50 NtCreateFile,LdrInitializeThunk, | 8_2_04D29A50 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D295F0 NtQueryInformationFile, | 8_2_04D295F0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29560 NtWriteFile, | 8_2_04D29560 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2AD30 NtSetContextThread, | 8_2_04D2AD30 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29520 NtWaitForSingleObject, | 8_2_04D29520 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29670 NtQueryInformationProcess, | 8_2_04D29670 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29610 NtEnumerateValueKey, | 8_2_04D29610 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D297A0 NtUnmapViewOfSection, | 8_2_04D297A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A770 NtOpenThread, | 8_2_04D2A770 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29770 NtSetInformationFile, | 8_2_04D29770 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29760 NtOpenProcess, | 8_2_04D29760 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A710 NtOpenProcessToken, | 8_2_04D2A710 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29730 NtQueryVirtualMemory, | 8_2_04D29730 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D298F0 NtReadVirtualMemory, | 8_2_04D298F0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D298A0 NtWriteVirtualMemory, | 8_2_04D298A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2B040 NtSuspendThread, | 8_2_04D2B040 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29820 NtEnumerateKey, | 8_2_04D29820 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D299D0 NtCreateProcessEx, | 8_2_04D299D0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29950 NtQueueApcThread, | 8_2_04D29950 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A80 NtOpenDirectoryObject, | 8_2_04D29A80 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A10 NtQuerySection, | 8_2_04D29A10 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A00 NtProtectVirtualMemory, | 8_2_04D29A00 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A20 NtResumeThread, | 8_2_04D29A20 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A3B0 NtGetContextThread, | 8_2_04D2A3B0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29B00 NtSetValueKey, | 8_2_04D29B00 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D60 NtCreateFile, | 8_2_04339D60 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339E10 NtReadFile, | 8_2_04339E10 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339E90 NtClose, | 8_2_04339E90 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339F40 NtAllocateVirtualMemory, | 8_2_04339F40 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D1C NtCreateFile, | 8_2_04339D1C |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D62 NtCreateFile, | 8_2_04339D62 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339DB2 NtReadFile, | 8_2_04339DB2 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339E0A NtReadFile, | 8_2_04339E0A |
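The Nt* rows for chkdsk.exe (process 8) repeat those of the dropper (process 5) almost one for one, and the function addresses keep the same low 16 bits (5_2_018A9780 NtMapViewOfSection against 8_2_04D29780, 5_2_018A9950 NtQueueApcThread against 8_2_04D29950), which is what the same code looks like after being copied into a second process at a different base. The set itself is the injection toolkit: NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtWriteVirtualMemory, NtQueueApcThread, NtGetContextThread/NtSetContextThread with NtSuspendThread/NtResumeThread, and NtCreateProcessEx. The following is a worked example added here, not sandbox code: it reads rows in the 'Code function' format above, groups the Nt* names per process and matches them against a small set of injection signatures, raising the severity when a binary under the Windows system directories resolves them. The input is a constructed subset of the rows above plus one hypothetical benign process (notepad.exe, pid 7) as a negative case; the signature table is the example's own. Keep in mind that a 'Code function' row records code that references the API, not an observed call, so a match is a lead for the memory dump, not proof by itself.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the report above (processes 5 and 8) plus one
# hypothetical process (7, notepad.exe) that only touches files, as a negative case.
ROWS = r"""
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A99A0 NtCreateSection,LdrInitializeThunk, | 5_2_018A99A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9780 NtMapViewOfSection,LdrInitializeThunk, | 5_2_018A9780 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_018A97A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A99D0 NtCreateProcessEx, | 5_2_018A99D0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9950 NtQueueApcThread, | 5_2_018A9950 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A98A0 NtWriteVirtualMemory, | 5_2_018A98A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AAD30 NtSetContextThread, | 5_2_018AAD30 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A20 NtResumeThread,LdrInitializeThunk, | 5_2_018A9A20 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA3B0 NtGetContextThread, | 5_2_018AA3B0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AB040 NtSuspendThread, | 5_2_018AB040 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9760 NtOpenProcess, | 5_2_018A9760 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D299A0 NtCreateSection,LdrInitializeThunk, | 8_2_04D299A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29780 NtMapViewOfSection,LdrInitializeThunk, | 8_2_04D29780 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D297A0 NtUnmapViewOfSection, | 8_2_04D297A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D298A0 NtWriteVirtualMemory, | 8_2_04D298A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29950 NtQueueApcThread, | 8_2_04D29950 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A770 NtOpenThread, | 8_2_04D2A770 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29760 NtOpenProcess, | 8_2_04D29760 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D60 NtCreateFile, | 8_2_04339D60 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DAD466 | 8_2_04DAD466 |
Source: C:\Windows\System32\notepad.exe | Code function: 7_2_00401000 NtCreateFile,NtReadFile,NtClose, | 7_2_00401000 |
"""

_ROW_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*\|\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>[A-Za-z0-9_,]*)\s*\|"
)

# Signature table (this example's own): every API in the first set must be present,
# and at least one API in the second set (the "target" or "trigger" leg).
SIGNATURES = {
    "remote_memory_write": ({"NtWriteVirtualMemory"}, {"NtOpenProcess", "NtCreateProcessEx"}),
    "section_remap": ({"NtCreateSection", "NtMapViewOfSection"}, {"NtUnmapViewOfSection", "NtCreateProcessEx"}),
    "apc_injection": ({"NtQueueApcThread"}, {"NtOpenThread", "NtResumeThread", "NtCreateProcessEx"}),
    "thread_context_hijack": ({"NtGetContextThread", "NtSetContextThread"}, {"NtSuspendThread", "NtResumeThread"}),
    "process_hollowing": (
        {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory"},
        {"NtSetContextThread", "NtResumeThread"},
    ),
}

_SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def parse_rows(text):
    """Group the Nt* APIs referenced by each (pid, image) pair in 'Code function' rows."""
    procs = defaultdict(set)
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or not a 'Code function' row
        key = (int(m.group("pid")), m.group("image"))
        # Drop loader-internal names the sandbox lists alongside (LdrInitializeThunk);
        # only the native system-call wrappers take part in the match.
        procs[key].update(a for a in m.group("apis").split(",") if a.startswith("Nt"))
    return procs


def match_techniques(apis):
    """Names of the signatures satisfied by a set of API names, sorted."""
    return sorted(
        name for name, (required, any_of) in SIGNATURES.items()
        if required <= apis and apis & any_of
    )


def is_system_binary(image):
    path = image.lower()
    return any(d in path for d in _SYSTEM_DIRS)


def assess(text):
    """One finding per process, ordered by pid."""
    findings = []
    for (pid, image), apis in sorted(parse_rows(text).items(), key=lambda kv: kv[0]):
        techniques = match_techniques(apis)
        if not techniques:
            severity = "none"
        elif is_system_binary(image):
            # A stock OS utility has no reason to carry remote-write or APC primitives;
            # code that does so inside it was put there by something else.
            severity = "high"
        else:
            severity = "medium"
        findings.append({"pid": pid, "image": image, "techniques": techniques, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in assess(ROWS):
        print(f["pid"], f["severity"], f["image"], ", ".join(f["techniques"]) or "-")
```

The system-directory check only raises severity when a signature already matched, so a stock binary that merely opens files (the constructed notepad.exe case) stays at "none"; the interesting output is a system utility scoring "high", which is the cue to dump and unpack its memory regions, as the UNPACKEDPE YARA hits above were obtained for process 5.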
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 0_2_0247C2B0 | 0_2_0247C2B0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 0_2_02479990 | 0_2_02479990 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 0_2_002C379D | 0_2_002C379D |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 4_2_002D379D | 4_2_002D379D |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00401030 | 5_2_00401030 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041E212 | 5_2_0041E212 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041D306 | 5_2_0041D306 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00402D90 | 5_2_00402D90 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041E5B7 | 5_2_0041E5B7 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041E5BA | 5_2_0041E5BA |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00409E40 | 5_2_00409E40 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00409E3B | 5_2_00409E3B |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041CFA6 | 5_2_0041CFA6 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00402FB0 | 5_2_00402FB0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0186F900 | 5_2_0186F900 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01884120 | 5_2_01884120 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0187B090 | 5_2_0187B090 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018920A0 | 5_2_018920A0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019320A8 | 5_2_019320A8 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019328EC | 5_2_019328EC |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01921002 | 5_2_01921002 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0193E824 | 5_2_0193E824 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0189EBB0 | 5_2_0189EBB0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0192DBD2 | 5_2_0192DBD2 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01932B28 | 5_2_01932B28 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019322AE | 5_2_019322AE |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01892581 | 5_2_01892581 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019325DD | 5_2_019325DD |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0187D5E0 | 5_2_0187D5E0 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01932D07 | 5_2_01932D07 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01860D20 | 5_2_01860D20 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01931D55 | 5_2_01931D55 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0187841F | 5_2_0187841F |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0192D466 | 5_2_0192D466 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01931FF1 | 5_2_01931FF1 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01932EF7 | 5_2_01932EF7 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0192D616 | 5_2_0192D616 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01886E30 | 5_2_01886E30 |
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00DC379D | 5_2_00DC379D |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DAD466 | 8_2_04DAD466 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CF841F | 8_2_04CF841F |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB25DD | 8_2_04DB25DD |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CFD5E0 | 8_2_04CFD5E0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D12581 | 8_2_04D12581 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB1D55 | 8_2_04DB1D55 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB2D07 | 8_2_04DB2D07 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CE0D20 | 8_2_04CE0D20 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB2EF7 | 8_2_04DB2EF7 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DAD616 | 8_2_04DAD616 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D06E30 | 8_2_04D06E30 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB1FF1 | 8_2_04DB1FF1 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB28EC | 8_2_04DB28EC |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CFB090 | 8_2_04CFB090 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D120A0 | 8_2_04D120A0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB20A8 | 8_2_04DB20A8 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DA1002 | 8_2_04DA1002 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DBE824 | 8_2_04DBE824 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CEF900 | 8_2_04CEF900 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D04120 | 8_2_04D04120 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB22AE | 8_2_04DB22AE |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DADBD2 | 8_2_04DADBD2 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D1EBB0 | 8_2_04D1EBB0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB2B28 | 8_2_04DB2B28 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433E5BA | 8_2_0433E5BA |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04322D90 | 8_2_04322D90 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04329E3B | 8_2_04329E3B |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04329E40 | 8_2_04329E40 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04322FB0 | 8_2_04322FB0 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433CFA6 | 8_2_0433CFA6 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433E212 | 8_2_0433E212 |
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433D306 | 8_2_0433D306 |
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilename vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000000.00000000.646928778.00000000002C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000000.00000002.676504964.0000000006D10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000000.00000002.676596861.0000000006E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Booking Confirmation.exe |
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilename vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000004.00000002.668906261.00000000002D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe |
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilename vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000005.00000002.710181246.00000000015BC000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs Booking Confirmation.exe |
Source: Booking Confirmation.exe, 00000005.00000002.709572293.0000000000DC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe |
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe |
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |