Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.werealestatephotography.com/hw6d/"], "decoy": ["medicare101now.com", "danahillathletics.com", "realjobexpert.com", "boulderhalle-hamburg.com", "idoweddinghair.com", "awdcompanies.com", "thevillaflora.com", "neutrasystems.com", "allwest-originals.com", "designtehengsg.com", "thenewyorker.computer", "ladybugtubs.com", "silina-beauty24.com", "mifangtu.com", "fashionbranddeveloper.com", "istanbulhookah.com", "askyoyo.com", "osaka-computer.net", "conegenie.com", "agteless.com", "carsoncredittx.com", "wellalytics.com", "onjulitrading.com", "thelocallawnmen.com", "loanascustomboutique.com", "ohcaftanmycaftan.com", "ardor-fitness.com", "benzinhayvancilik.com", "apthaiproperty.com", "maxim.technology", "dfch18.com", "davaoaffordablecondo.com", "sueshemp.com", "missmaltese.com", "lakecountrydems.com", "lastminuteminister.com", "sofiascelebrations.com", "socialaspecthouston.com", "rechnung.pro", "kathyscrabhouse.com", "themusasoficial.com", "reversemortgageloanmiami.com", "vrventurebsp.com", "whatalode.com", "xh03.net", "qiqihao.site", "specstrii.com", "organicfarmteam.com", "codebinnovations.net", "kizunaservice.com", "lboclkchain.com", "frorool.com", "dpok.network", "desafogados.com", "vestblue.net", "forguyshere.com", "recordprosperity.info", "theballoonbirds.com", "adityabirla-loan.com", "midgex.info", "qishuxia.com", "panopticop.com", "gd-kangda.com", "hotelbrainclub.com"]} |
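The extractor record above carries one real C2 URL (host plus panel path) and a long list of decoy domains that the bot also contacts so that network traffic alone does not reveal the panel. Treating every domain in the record as C2 produces false positives; the high-confidence indicator is the full URL. The following script is an added example (not part of the sandbox report or of any FormBook tooling) that splits such a record into C2 and decoy indicators. The sample record is constructed from the report's own fields, trimmed to two decoys; the field names `C2 list` and `decoy` are the only thing taken from the extractor output, and the confidence labels are this example's own convention.

```python
"""Split a FormBook config-extractor record into C2 and decoy indicators."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the extractor's shape (fields copied from the report,
# decoy list shortened).  Scheme is absent, as in the extractor output.
SAMPLE_RECORD = (
    '{"C2 list": ["www.werealestatephotography.com/hw6d/"], '
    '"decoy": ["medicare101now.com", "danahillathletics.com"]}'
)

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def _valid_hostname(host: str) -> bool:
    """Accept only a syntactically plausible DNS name (two or more labels)."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_formbook_config(raw: str) -> dict:
    """Return {'c2': [{'host', 'path'}, ...], 'decoy_domains': [...]}.

    Entries that are not valid hostnames are dropped rather than turned into
    indicators; a decoy that duplicates a C2 host is removed, C2 wins.
    """
    cfg = json.loads(raw)
    c2 = []
    for entry in cfg.get("C2 list", []):
        # urlsplit only finds the host when a scheme is present.
        parts = urlsplit("http://" + entry.strip())
        host = (parts.hostname or "").lower()
        if _valid_hostname(host):
            c2.append({"host": host, "path": parts.path or "/"})
    c2_hosts = {c["host"] for c in c2}
    decoys = sorted(
        {d.strip().lower() for d in cfg.get("decoy", []) if _valid_hostname(d.strip())}
        - c2_hosts
    )
    return {"c2": c2, "decoy_domains": decoys}


def to_iocs(parsed: dict, family: str = "FormBook") -> list:
    """Flatten to (type, value, confidence, note) tuples for a feed.

    Decoys are kept at low confidence: they are contacted by the bot, so they
    are useful for hunting, but they must not be reported as C2.
    """
    iocs = []
    for c in parsed["c2"]:
        iocs.append(("url", f"http://{c['host']}{c['path']}", "high", f"{family} C2 panel"))
        iocs.append(("domain", c["host"], "high", f"{family} C2 host"))
    for d in parsed["decoy_domains"]:
        iocs.append(("domain", d, "low", f"{family} decoy (contacted, not C2)"))
    return iocs


def matches_c2(parsed: dict, url: str) -> bool:
    """True if a proxy-log URL hits the C2 host *and* panel path prefix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return any(host == c["host"] and parts.path.startswith(c["path"]) for c in parsed["c2"])


if __name__ == "__main__":
    parsed = parse_formbook_config(SAMPLE_RECORD)
    for ioc in to_iocs(parsed):
        print("\t".join(ioc))
```

Matching on host plus path matters because FormBook's decoys receive requests shaped like real check-ins; a hostname-only rule over the whole list blocks harmless sites and still tells the analyst nothing about which one is the panel.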
Source: explorer.exe, 00000004.00000000.247851925.000000000F672000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: PO_29_00412.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: PO_29_00412.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.1.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.1.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.PO_29_00412.exe.3120000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.PO_29_00412.exe.3120000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.1.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.1.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.PO_29_00412.exe.3120000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.PO_29_00412.exe.3120000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004181B0 NtCreateFile, | 1_2_004181B0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00418260 NtReadFile, | 1_2_00418260 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004182E0 NtClose, | 1_2_004182E0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory, | 1_2_00418390 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004181AA NtCreateFile, | 1_2_004181AA |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004182DA NtClose, | 1_2_004182DA |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk, | 1_2_00AA98F0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk, | 1_2_00AA9860 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9840 NtDelayExecution,LdrInitializeThunk, | 1_2_00AA9840 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk, | 1_2_00AA99A0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 1_2_00AA9910 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A20 NtResumeThread,LdrInitializeThunk, | 1_2_00AA9A20 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 1_2_00AA9A00 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A50 NtCreateFile,LdrInitializeThunk, | 1_2_00AA9A50 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA95D0 NtClose,LdrInitializeThunk, | 1_2_00AA95D0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9540 NtReadFile,LdrInitializeThunk, | 1_2_00AA9540 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 1_2_00AA96E0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 1_2_00AA9660 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 1_2_00AA97A0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk, | 1_2_00AA9780 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk, | 1_2_00AA9FE0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk, | 1_2_00AA9710 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA98A0 NtWriteVirtualMemory, | 1_2_00AA98A0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9820 NtEnumerateKey, | 1_2_00AA9820 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAB040 NtSuspendThread, | 1_2_00AAB040 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA99D0 NtCreateProcessEx, | 1_2_00AA99D0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9950 NtQueueApcThread, | 1_2_00AA9950 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A80 NtOpenDirectoryObject, | 1_2_00AA9A80 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A10 NtQuerySection, | 1_2_00AA9A10 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAA3B0 NtGetContextThread, | 1_2_00AAA3B0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9B00 NtSetValueKey, | 1_2_00AA9B00 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA95F0 NtQueryInformationFile, | 1_2_00AA95F0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9520 NtWaitForSingleObject, | 1_2_00AA9520 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAAD30 NtSetContextThread, | 1_2_00AAAD30 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9560 NtWriteFile, | 1_2_00AA9560 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA96D0 NtCreateKey, | 1_2_00AA96D0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9610 NtEnumerateValueKey, | 1_2_00AA9610 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9670 NtQueryInformationProcess, | 1_2_00AA9670 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9650 NtQueryValueKey, | 1_2_00AA9650 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9730 NtQueryVirtualMemory, | 1_2_00AA9730 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAA710 NtOpenProcessToken, | 1_2_00AAA710 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9760 NtOpenProcess, | 1_2_00AA9760 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9770 NtSetInformationFile, | 1_2_00AA9770 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAA770 NtOpenThread, | 1_2_00AAA770 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004181B0 NtCreateFile, | 1_1_004181B0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_00418260 NtReadFile, | 1_1_00418260 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004182E0 NtClose, | 1_1_004182E0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_00418390 NtAllocateVirtualMemory, | 1_1_00418390 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004181AA NtCreateFile, | 1_1_004181AA |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004182DA NtClose, | 1_1_004182DA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649540 NtReadFile,LdrInitializeThunk, | 7_2_04649540 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046495D0 NtClose,LdrInitializeThunk, | 7_2_046495D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk, | 7_2_04649660 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649650 NtQueryValueKey,LdrInitializeThunk, | 7_2_04649650 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk, | 7_2_046496E0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046496D0 NtCreateKey,LdrInitializeThunk, | 7_2_046496D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649710 NtQueryInformationToken,LdrInitializeThunk, | 7_2_04649710 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649FE0 NtCreateMutant,LdrInitializeThunk, | 7_2_04649FE0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649780 NtMapViewOfSection,LdrInitializeThunk, | 7_2_04649780 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649860 NtQuerySystemInformation,LdrInitializeThunk, | 7_2_04649860 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649840 NtDelayExecution,LdrInitializeThunk, | 7_2_04649840 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 7_2_04649910 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046499A0 NtCreateSection,LdrInitializeThunk, | 7_2_046499A0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A50 NtCreateFile,LdrInitializeThunk, | 7_2_04649A50 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649560 NtWriteFile, | 7_2_04649560 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649520 NtWaitForSingleObject, | 7_2_04649520 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464AD30 NtSetContextThread, | 7_2_0464AD30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046495F0 NtQueryInformationFile, | 7_2_046495F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649670 NtQueryInformationProcess, | 7_2_04649670 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649610 NtEnumerateValueKey, | 7_2_04649610 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649760 NtOpenProcess, | 7_2_04649760 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464A770 NtOpenThread, | 7_2_0464A770 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649770 NtSetInformationFile, | 7_2_04649770 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649730 NtQueryVirtualMemory, | 7_2_04649730 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464A710 NtOpenProcessToken, | 7_2_0464A710 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046497A0 NtUnmapViewOfSection, | 7_2_046497A0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464B040 NtSuspendThread, | 7_2_0464B040 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649820 NtEnumerateKey, | 7_2_04649820 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046498F0 NtReadVirtualMemory, | 7_2_046498F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046498A0 NtWriteVirtualMemory, | 7_2_046498A0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649950 NtQueueApcThread, | 7_2_04649950 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046499D0 NtCreateProcessEx, | 7_2_046499D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A20 NtResumeThread, | 7_2_04649A20 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A00 NtProtectVirtualMemory, | 7_2_04649A00 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A10 NtQuerySection, | 7_2_04649A10 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A80 NtOpenDirectoryObject, | 7_2_04649A80 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649B00 NtSetValueKey, | 7_2_04649B00 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464A3B0 NtGetContextThread, | 7_2_0464A3B0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006281B0 NtCreateFile, | 7_2_006281B0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00628260 NtReadFile, | 7_2_00628260 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006282E0 NtClose, | 7_2_006282E0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00628390 NtAllocateVirtualMemory, | 7_2_00628390 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006281AA NtCreateFile, | 7_2_006281AA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006282DA NtClose, | 7_2_006282DA |
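The code-function rows above list, per process image, the native API references the sandbox resolved at each call site (process 1 is PO_29_00412.exe, process 7 the rundll32.exe it spawned), and some sites are listed together with LdrInitializeThunk. Reading several hundred such rows by eye is error-prone, so the following script, an added example that is not part of the report or of the sandbox's own scoring, parses rows of this exact shape, groups the Nt* references per image, and flags API combinations commonly associated with process injection. The sample rows are constructed copies of a few lines from the report; the `TECHNIQUES` table is this example's own illustrative mapping, and a static reference to an API is evidence of capability, not proof the call was made at runtime.

```python
"""Group sandbox 'Code function' rows by process and flag injection-style API sets."""
import re
from collections import defaultdict

# Constructed sample: a handful of rows in the same shape as the report.
SAMPLE_ROWS = """
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_004181B0 NtCreateFile, | 1_2_004181B0 |
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk, | 1_2_00AA99A0 |
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk, | 1_2_00AA9780 |
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_00AA98A0 NtWriteVirtualMemory, | 1_2_00AA98A0 |
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_00AA9950 NtQueueApcThread, | 1_2_00AA9950 |
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_00AAAD30 NtSetContextThread, | 1_2_00AAAD30 |
Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 7_2_04649780 NtMapViewOfSection,LdrInitializeThunk, | 7_2_04649780 |
Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 7_2_046498A0 NtWriteVirtualMemory, | 7_2_046498A0 |
Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 7_2_00628260 NtReadFile, | 7_2_00628260 |
Source: C:\\Users\\user\\Desktop\\PO_29_00412.exe | Code function: 1_2_00401030 | 1_2_00401030 |
"""

# Source: <image> | Code function: <pid>_<run>_<addr> <Api>,<Api>, | <id> |
ROW = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*\|\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>[A-Za-z0-9_,]*)\s*\|"
)

# Illustrative table for this example (not the sandbox's scoring): a technique
# is flagged only when every API in its set is referenced by the same image.
TECHNIQUES = {
    "section-mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
    "remote write + APC": {"NtWriteVirtualMemory", "NtQueueApcThread"},
    "thread hijacking": {"NtGetContextThread", "NtSetContextThread"},
    "hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtResumeThread"},
}


def parse_rows(text: str) -> dict:
    """Return {image: {'pids': set, 'apis': set, 'via_ldr': set}} for all rows.

    'via_ldr' keeps the Nt* names whose call site the sandbox listed together
    with LdrInitializeThunk, so those sites can be reviewed separately.
    """
    procs = defaultdict(lambda: {"pids": set(), "apis": set(), "via_ldr": set()})
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # rows without a 'Code function' field are ignored
            continue
        entry = procs[m["image"]]
        entry["pids"].add(int(m["pid"]))
        apis = [a for a in m["apis"].split(",") if a]
        nt_apis = [a for a in apis if a.startswith("Nt")]
        entry["apis"].update(nt_apis)
        if "LdrInitializeThunk" in apis:
            entry["via_ldr"].update(nt_apis)
    return dict(procs)


def flag_techniques(procs: dict) -> dict:
    """Map each image to the sorted technique names whose full API set it references."""
    return {
        image: sorted(name for name, needed in TECHNIQUES.items() if needed <= info["apis"])
        for image, info in procs.items()
    }


if __name__ == "__main__":
    procs = parse_rows(SAMPLE_ROWS)
    for image, flags in flag_techniques(procs).items():
        pids = ",".join(str(p) for p in sorted(procs[image]["pids"]))
        print(f"{image} (pid {pids}): {', '.join(flags) or 'no injection set complete'}")
```

Run against the full row set of this report, the same grouping shows the unpacked payload in PO_29_00412.exe and the rundll32.exe process referencing near-identical Nt* sets at different base addresses, which is what an analyst expects when the same code has been injected into a second process.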
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 0_2_00406925 | 0_2_00406925 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00401030 | 1_2_00401030 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00408C4B | 1_2_00408C4B |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00408C50 | 1_2_00408C50 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_0041BC56 | 1_2_0041BC56 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_0041B496 | 1_2_0041B496 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_0041CD31 | 1_2_0041CD31 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00402D87 | 1_2_00402D87 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00402D90 | 1_2_00402D90 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00402FB0 | 1_2_00402FB0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A920A0 | 1_2_00A920A0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B320A8 | 1_2_00B320A8 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A7B090 | 1_2_00A7B090 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B328EC | 1_2_00B328EC |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B3E824 | 1_2_00B3E824 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B21002 | 1_2_00B21002 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A84120 | 1_2_00A84120 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A6F900 | 1_2_00A6F900 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B322AE | 1_2_00B322AE |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A9EBB0 | 1_2_00A9EBB0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B2DBD2 | 1_2_00B2DBD2 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B203DA | 1_2_00B203DA |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B32B28 | 1_2_00B32B28 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A7841F | 1_2_00A7841F |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B2D466 | 1_2_00B2D466 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A92581 | 1_2_00A92581 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A7D5E0 | 1_2_00A7D5E0 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B325DD | 1_2_00B325DD |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A60D20 | 1_2_00A60D20 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B32D07 | 1_2_00B32D07 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B31D55 | 1_2_00B31D55 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B32EF7 | 1_2_00B32EF7 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A86E30 | 1_2_00A86E30 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B2D616 | 1_2_00B2D616 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B31FF1 | 1_2_00B31FF1 |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B3DFCE | 1_2_00B3DFCE |
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_00401030 | 1_1_00401030 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046CD466 | 7_2_046CD466 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0461841F | 7_2_0461841F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D1D55 | 7_2_046D1D55 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04600D20 | 7_2_04600D20 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D2D07 | 7_2_046D2D07 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0461D5E0 | 7_2_0461D5E0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D25DD | 7_2_046D25DD |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04632581 | 7_2_04632581 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04626E30 | 7_2_04626E30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046CD616 | 7_2_046CD616 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D2EF7 | 7_2_046D2EF7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D1FF1 | 7_2_046D1FF1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046DDFCE | 7_2_046DDFCE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046DE824 | 7_2_046DE824 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046C1002 | 7_2_046C1002 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D28EC | 7_2_046D28EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046320A0 | 7_2_046320A0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D20A8 | 7_2_046D20A8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0461B090 | 7_2_0461B090 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04624120 | 7_2_04624120 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0460F900 | 7_2_0460F900 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046BFA2B | 7_2_046BFA2B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D22AE | 7_2_046D22AE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0462AB40 | 7_2_0462AB40 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D2B28 | 7_2_046D2B28 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046C03DA | 7_2_046C03DA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046CDBD2 | 7_2_046CDBD2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0463EBB0 | 7_2_0463EBB0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00618C4B | 7_2_00618C4B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00618C50 | 7_2_00618C50 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0062B496 | 7_2_0062B496 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0062CD31 | 7_2_0062CD31 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00612D87 | 7_2_00612D87 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00612D90 | 7_2_00612D90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00612FB0 | 7_2_00612FB0 |
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, ma< |
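The match lines above are handy for triage only once they are structured: which rules fired, which memory regions they fired in, and which regions are independently corroborated by more than one rule. The following parser is an added example, not code from the sandbox vendor, from Malpedia or from JPCERT/CC. It assumes the `.sdmp` file name layout `<process>.<stage>.<id>.<base>.<protection>.<kind>.sdmp` with hexadecimal base, protection and kind fields; that layout is inferred from the names on this page, not documented here, and the protection field is decoded with the standard Win32 `PAGE_*` constants. The sample lines are copied from the report entries above (the last one is truncated exactly as on the page):

```python
"""Parse sandbox-report YARA match lines into structured records (added example)."""
import re
from collections import defaultdict

# "Source: <source>, type: <TYPE> | Matched rule: <name> <key = value, ...> |"
MATCH_LINE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*?)\s*\|?\s*$"
)
# Split metadata only at ", " that is followed by "key = ", so values may contain commas.
META_SPLIT = re.compile(r",\s+(?=[A-Za-z_]+\s*=\s*)")

# Win32 PAGE_* memory protection constants (low byte; PAGE_GUARD etc. are modifiers).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Constructed sample input: lines copied from the report above (last one truncated as on the page).
SAMPLE_LINES = [
    "Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |",
    "Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |",
    "Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |",
    "Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, tool = yara-signator 0.1a, ma< |",
]


def parse_meta(meta):
    """Turn 'key = value, key = value' into a dict; fragments without '=' are dropped."""
    out = {}
    for part in META_SPLIT.split(meta):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_sdmp_name(name):
    """ASSUMED layout: <process>.<stage>.<id>.<base>.<protection>.<kind>.sdmp (hex fields)."""
    parts = name.split(".")
    if len(parts) != 7 or parts[-1] != "sdmp":
        return None
    proc, stage, ident, base, protect, kind = parts[:6]
    prot = int(protect, 16)
    return {
        "process": int(proc, 10),
        "stage": int(stage, 10),
        "id": ident,
        "base": int(base, 16),
        "protection": prot,
        "protection_name": PAGE_PROTECTION.get(prot & 0xFF, "UNKNOWN"),
        "executable": bool(prot & 0xF0),  # any PAGE_EXECUTE* flag set
        "kind": int(kind, 16),
    }


def parse_match_line(line):
    """Parse one report line; returns None for lines that are not YARA match entries."""
    m = MATCH_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["meta"] = parse_meta(rec["meta"])
    rec["region"] = parse_sdmp_name(rec["source"]) if rec["type"] == "MEMORY" else None
    return rec


def summarize(lines):
    """Distinct rules, executable (likely unpacked/injected) regions, and sources hit by >1 rule."""
    recs = [r for r in map(parse_match_line, lines) if r]
    by_source = defaultdict(set)
    for r in recs:
        by_source[r["source"]].add(r["rule"])
    rules = {r["rule"]: r["meta"] for r in recs}
    rwx = sorted({(r["region"]["process"], r["region"]["base"])
                  for r in recs if r["region"] and r["region"]["executable"]})
    corroborated = sorted(s for s, rs in by_source.items() if len(rs) > 1)
    return {"records": recs, "rules": rules, "rwx_regions": rwx, "corroborated": corroborated}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("rules:", sorted(s["rules"]))
    for proc, base in s["rwx_regions"]:
        print(f"executable region in process {proc} at {base:#x}")
    print("sources matched by more than one rule:", s["corroborated"])
```

Regions that are both writable and executable and hit by two independent rules (here the Malpedia rule and the JPCERT/CC rule on the same dump) are the ones worth dumping first; a single autogenerated rule on a read-write region is weaker evidence. The metadata dict also carries the sharing marking (`malpedia_sharing = TLP:WHITE`) and the license, which matter before the rule text is redistributed.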